SSL input settings
You can specify the following options in the apm-server.ssl section of the apm-server.yml config file. They apply to SSL/TLS communication between the APM Server and APM Agents.

enabled
The enabled setting can be used to enable the ssl configuration by setting it to true. The default value is false.

certificate
The path to the file containing the certificate for Server authentication. Required if apm-server.ssl.enabled is true.

key
The path to the file containing the Server certificate key. Required if apm-server.ssl.enabled is true.

certificate_authorities
The list of root certificates for verifying client certificates. If certificate_authorities is empty or not set, the trusted certificate authorities of the host system are used.

key_passphrase
The passphrase used to decrypt an encrypted key stored in the configured key file. We recommend saving the key_passphrase in the APM Server Secrets keystore.

supported_protocols
This setting is a list of allowed protocol versions: SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3. We do not recommend using SSLv3 or TLSv1.0. The default value is [TLSv1.1, TLSv1.2, TLSv1.3].

cipher_suites
The list of cipher suites to use. The first entry has the highest priority. If this option is omitted, the Go crypto library's default suites are used (recommended).

curve_types
The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange).

client_authentication
This configures what types of client authentication are supported. The valid options are none, optional, and required. The default is optional. If certificate_authorities has been specified, this setting will automatically change to required.
- none: Disables client authentication.
- optional: When a client certificate is given, the server will verify it.
- required: Requires clients to provide a valid certificate.

verification_mode
This option controls whether the client verifies server certificates and host names. Valid values are none and full. If none is used, SSL-based connections are susceptible to man-in-the-middle attacks. Use this option for testing only. The default is full.
See Securing APM Server for more information.
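
The settings above combined into one apm-server.yml fragment, with a weak variant shown commented out beside a hardened one. This is an added example, not taken from the Elastic documentation; the file paths, the sample passphrase and the keystore key name APM_SSL_KEY_PASSPHRASE are assumptions.

```yaml
# Added example. Paths, the sample passphrase and the keystore key name
# APM_SSL_KEY_PASSPHRASE are assumptions, not values from the documentation.

# Weak variant (kept commented out): TLS is on, but SSLv3/TLSv1.0 are
# allowed, the key passphrase sits in clear text in the config file, and
# agents are never asked for a certificate.
#
# apm-server.ssl:
#   enabled: true
#   certificate: "/etc/apm-server/certs/apm-server.crt"
#   key: "/etc/apm-server/certs/apm-server.key"
#   key_passphrase: "changeme"
#   supported_protocols: [SSLv3, TLSv1.0, TLSv1.1, TLSv1.2]
#   client_authentication: none

# Hardened variant.
apm-server.ssl:
  enabled: true
  certificate: "/etc/apm-server/certs/apm-server.crt"
  key: "/etc/apm-server/certs/apm-server.key"

  # Resolved from the APM Server secrets keystore instead of being
  # written into this file.
  key_passphrase: "${APM_SSL_KEY_PASSPHRASE}"

  # Private CA that issues agent certificates. Leaving this unset falls
  # back to the host system's trusted CAs, which accepts any client
  # certificate chaining to a public root.
  certificate_authorities:
    - "/etc/apm-server/certs/agents-ca.crt"

  # Setting certificate_authorities already switches this to required;
  # it is stated explicitly so the intent is visible in review.
  client_authentication: required

  # Narrower than the default [TLSv1.1, TLSv1.2, TLSv1.3]. This assumes
  # every agent can negotiate TLSv1.2 or later.
  supported_protocols: [TLSv1.2, TLSv1.3]

  # cipher_suites is omitted on purpose: the Go crypto library's default
  # suites are then used, which is the recommended setting.
```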