Securing APM agent comms

**Kibana version:** 7.4

**Elasticsearch version:** 7.4

**APM Server version:** 7.4

**APM Agent language and version:**

**Original install method (e.g. download page, yum, deb, from source, etc.) and version:** APT

**Fresh install or upgraded from other version?** Fresh

I have set up the APM agent on a Tomcat server. Downloaded the latest version of the agent, updated the server startup parameters in wrapper.conf and it works. Now I need to secure the Agent to APM-Server comms. I have created a cert for the server (using our MS CA Server), and downloaded the cert, the key and the CA cert. Converted the CA cert to a .PEM. Copied all three across to the apm-server and updated the apm-server.yml file. Also confirmed that the user apm-server is owner of all cert files.

```yaml
ssl:
  enabled: true
  certificate_authorities: ["/usr/share/apm-server/cert/CA.pem"]
  certificate: /usr/share/apm-server/cert/xxxxxxxx*.cer
  key: /usr/share/apm-server/cert/server.key
```

On the agent, changed the wrapper.conf to point it to the APM server on https instead of http.

Started the apm server with debug to console (`apm-server -e -d "*"`); nothing is coming through. Before changing to SSL I could see transactions coming through.

Any suggestions?

Since you're using your own certificate authority, I'm guessing that the agent is not aware of it and so certificate verification will fail. You can confirm this by passing `-Delastic.apm.verify_server_cert=false` to the agent: https://www.elastic.co/guide/en/apm/agent/java/current/config-reporter.html#config-verify-server-cert

Note that disabling certificate verification isn't recommended in production, as it means MITM attacks will be possible. You should instead create and use a truststore, using Java Keytool.
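The truststore route suggested above, as an added example that is not part of this thread: import the root and intermediate CA into a JKS truststore with keytool and render the JVM properties for wrapper.conf. The store path, password, aliases and the `wrapper.java.additional.N` index are assumptions; the wrapper syntax is the Tanuki Java Service Wrapper's.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a truststore containing the
# corporate CA chain so the Java agent can verify the APM Server certificate
# instead of running with elastic.apm.verify_server_cert=false.
# All paths, aliases and the password below are assumptions; adjust as needed.

# Import one PEM certificate into the truststore under the given alias.
# Requires keytool (ships with the JDK). Run once per CA: root, then intermediate.
import_ca() {
  store="$1"; storepass="$2"; alias="$3"; pem="$4"
  keytool -importcert -trustcacerts -noprompt \
    -alias "$alias" -file "$pem" \
    -keystore "$store" -storepass "$storepass"
}

# JVM system properties that point the agent's JVM at the truststore.
truststore_jvm_args() {
  store="$1"; storepass="$2"
  printf '%s %s\n' \
    "-Djavax.net.ssl.trustStore=$store" \
    "-Djavax.net.ssl.trustStorePassword=$storepass"
}

# Same properties as Java Service Wrapper entries. Start at an index that is
# not already used in wrapper.conf so existing entries are not overwritten.
wrapper_conf_lines() {
  store="$1"; storepass="$2"; start="$3"
  printf 'wrapper.java.additional.%d=-Djavax.net.ssl.trustStore=%s\n' \
    "$start" "$store"
  printf 'wrapper.java.additional.%d=-Djavax.net.ssl.trustStorePassword=%s\n' \
    "$((start + 1))" "$storepass"
}

# Sanity check before touching Tomcat: does the server cert chain to the CA
# bundle? This is the same verification the agent performs on connect.
verify_server_cert() {
  openssl verify -CAfile "$1" "$2"
}

# Example invocation (constructed paths). The keytool/openssl steps are
# shown here but only run if you uncomment them on a host that has them.
# import_ca /etc/tomcat/apm-truststore.jks changeit corp-root /tmp/rootCA.pem
# import_ca /etc/tomcat/apm-truststore.jks changeit corp-int  /tmp/intermediateCA.pem
# verify_server_cert /tmp/CA.pem /tmp/server.cer
wrapper_conf_lines /etc/tomcat/apm-truststore.jks changeit 20
```

Once the agent connects with these properties, drop any `verify_server_cert=false` setting so the agent again rejects certificates it cannot chain to the CA.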

Hi @RichardH,
please note that the config option ssl.certificate_authorities in the apm-server.yml should be used to define CAs for verifying client certificates. By default the server does not require client authentication, but as soon as certificate_authorities are configured, it does require the client to provide a valid certificate. Find more details about configuring SSL input settings for the APM Server.

Thanks. I have tried adding the Issuer CA and a combined CA (combining the issuer and CA from our cert server). I have also tried installing both the rootCA and intermediate CA in Ubuntu (https://superuser.com/questions/437330/how-do-you-add-a-certificate-authority-ca-to-ubuntu) and then taking out the `ssl.certificate_authorities` line in my YML file. Still no luck.

It looks like I need to specify the root CA and intermediate CA separately under `certificate_authorities` in my apm-server.yml file. What is the correct syntax for specifying multiple certificates?

Sorry for not being more clear in my previous response. The java agent does not support sending a client certificate. Therefore you need to ensure that the server does not require and try to verify such a client certificate. When using default options for apm-server.ssl.certificate_authorities and apm-server.ssl.client_authentication the server does not require it.

If the communication still doesn't work, can you please check the logs for the agent and the server?

Thanks All.