A newer version is available. For the latest information, see the current release documentation.
Elastic Docs Configure APM Server SSL/TLS settings
« SSL output settings Configure Elasticsearch index template loading »

SSL input settingsedit

You can specify the following options in the apm-server.ssl section of the apm-server.yml config file. They apply to SSL/TLS communication between the APM Server and APM Agents.

enablededit

The enabled setting can be used to enable the ssl configuration by setting it to true. The default value is false.

certificateedit

The path to the file containing the certificate for Server authentication. Required if apm-server.ssl.enabled is true.

keyedit

The path to the file containing the Server certificate key. Required if apm-server.ssl.enabled is true.

key_passphraseedit

The passphrase used to decrypt an encrypted key stored in the configured key file. We recommend saving the key_passphrase in the APM Server Secrets keystore.

supported_protocolsedit

This setting is a list of allowed protocol versions: SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3. We do not recommend using SSLv3 or TLSv1.0. The default value is [TLSv1.1, TLSv1.2, TLSv1.3].

cipher_suitesedit

The list of cipher suites to use. The first entry has the highest priority. If this option is omitted, the Go crypto library’s default suites are used (recommended).

curve_typesedit

The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange).

certificate_authoritiesedit

The list of root certificates for verifying client certificates. If certificate_authorities is empty or not set, the trusted certificate authorities of the host system are used. Sending client certificates is currently only supported by the RUM agent through the browser and by the Jaeger agent.

client_authenticationedit

This configures what types of client authentication are supported. The valid options are none, optional, and required. The default is none. If certificate_authorities has been specified, this setting will automatically change to required. This option only needs to be configured when the agent is expected to provide a client certificate. Sending client certificates is currently only supported by the RUM agent through the browser and by the Jaeger agent.

  • none - Disables client authentication.
  • optional - When a client certificate is given, the server will verify it.
  • required - Requires clients to provide a valid certificate.

See Securing APM Server for more information.

« SSL output settings Configure Elasticsearch index template loading »