Securing APM Server

edit

The following topics provide information about securing the APM Server process and securing communication between APM Server and other products in the Elastic stack:

Security Overview

edit

APM Server exposes an HTTP endpoint and as with anything that opens ports on your servers, you should be careful about who can connect to it. Firewall rules are recommended to ensure only authorized systems can connect.

Secret token

edit

You can configure a secret token to authorize requests to the APM Server, and ensure that only your agents can send data to your APM servers. Both the agents and the APM servers have to be configured with the same secret token.

Secret tokens provide security only when used in combination with SSL/TLS. Secret tokens are not applicable for RUM, as they would be publicly exposed.

SSL/TLS setup

edit

To enable SSL/TLS you need a private key and a certificate issued by a certification authority (CA). You can then specify the path to those files in your configuration properties: apm-server.ssl.key and apm-server.ssl.certificate respectively. This will make the APM Server serve HTTPS requests instead of HTTP. Don’t forget, you also need to enable SSL in the agent. For agent specific details on enabling SSL/TLS, please see the agent documentation.