Securing Elastic AMP server, client_authentication and RUM

Hello all,

I am trying to secure the Elastic APM server I use for Real User Monitoring.

Some snippets from different documentation

Elastic APM Server - SSL config - client_authentication

This option only needs to be configured when the agent is expected to provide a client certificate. Sending client certificates is currently only supported by the RUM agent through the browser and by the Jaeger agent.

Which suggests to me that this should be configurable in the RUM agent..? I can't find any mention of that in the RUM agent documentation.

Am I making wrong assumptions or looking in the wrong place in the docs?

There is also not anything resembling server_name or anything like that which I'm used to configure for web servers when setting the domain name of the service and which is checked against the available certificate. Is the server_name just taken from the POST request then? Looks like it from my initial tests...

All suggestions and tips are welcome :slight_smile:

Hi @A_B,

Thanks for reaching out.

As is mentioned in the docs the certificate has to be provided by the browser. In other words the certificate needs to be installed on users' machines before hand. This is only provided for scenarios in which you have access to end-users' machines (e.g. an internal network or similar). The certificate can not be configure from the agent since it doesn't (and shouldn't) have access to setting the certificate (the browser handles all that).

Hope this helps.


Hello @Hamidreza,

thank you very much for your reply :slight_smile:

So, if you do not control the end-user machines, I should set this?

client_authentication: none 

I have it as optional at the moment and at least Chrome displays a dialogue where I can choose which cert to use.

I have configured SSL/TLS with certs that are trusted CA signed.

That is correct, you should set client_authentication: none.
From our 7.7 stack release we also have changed the default value for that config option to none.

This topic was automatically closed 20 days after the last reply. New replies are no longer allowed.