Secure communication with APM Agents
To secure the communication between APM Agents and the APM Server:
Secret token
You can configure a secret token to authorize requests to the APM Server. This ensures that only your agents are able to send data to your APM servers. Both the agents and the APM servers have to be configured with the same secret token, and secret tokens only provide security when used in combination with SSL/TLS.
APM Server configuration
Here’s how you set the secret token in APM Server:
apm-server.secret_token: <secret-token>
We recommend saving the token in the APM Server Secrets keystore.
Secret tokens are not applicable for the RUM Agent, as there is no way to prevent them from being publicly exposed.
Agent specific configuration
Each Agent has a configuration for setting the value of the secret token:
- Go Agent: ELASTIC_APM_SECRET_TOKEN
- Java Agent: secret_token
- .NET Agent: ELASTIC_APM_SECRET_TOKEN
- Node.js Agent: Secret Token
- Python Agent: secret_token
- Ruby Agent: secret_token
SSL/TLS communication in APM Server
To enable SSL/TLS, you need to enable SSL and provide both a private key and a certificate issued by a certificate authority (CA). You can then specify the path to those files in your configuration properties. This will make APM Server serve HTTPS requests instead of HTTP.
Here’s a basic APM Server SSL config with secure communication enabled:
apm-server.ssl.enabled: true
apm-server.ssl.key: "/etc/pki/key.pem"
apm-server.ssl.certificate: "/etc/pki/apm-server.pem"
A full list of configuration options is available in SSL input settings.
HTTPS communication in APM Agents
To enable secure communication in your Agents, you need to update the configured server URL to use HTTPS instead of HTTP.
- Go Agent: ELASTIC_APM_SERVER_URL
- Java Agent: server_urls
- .NET Agent: ServerUrl
- Node.js Agent: serverUrl
- Python Agent: server_url
- Ruby Agent: server_url
Some Agents also allow you to specify a custom certificate authority for connecting to APM Server.
- Go Agent: ELASTIC_APM_SERVER_CERT
- Python Agent: ELASTIC_APM_SERVER_CERT
- Ruby Agent: server_ca_cert
Most Agents that don’t allow you to specify a custom certificate will allow you to disable verification of the SSL certificate. This ensures encryption, but does not verify that you are sending data to the correct APM Server.
- Java Agent: verify_server_cert
- Node.js Agent: verifyServerCert
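The secret token and HTTPS sections above interact: a token sent to an http:// URL travels in cleartext, and disabling certificate verification leaves the server's identity unchecked. The following check is an added example, not part of the original documentation or of any Elastic tooling. It audits one agent's settings for those cases; `audit_agent_config`, the sample hosts and the token values are hypothetical, and `secretToken` is assumed to be the Node.js option name behind "Secret Token".

```python
from urllib.parse import urlsplit

# Setting names as listed on this page, per agent (secretToken: Node.js, assumed).
URL_KEYS = ("ELASTIC_APM_SERVER_URL", "server_urls", "ServerUrl", "serverUrl", "server_url")
TOKEN_KEYS = ("ELASTIC_APM_SECRET_TOKEN", "secret_token", "secretToken")
VERIFY_KEYS = ("verify_server_cert", "verifyServerCert")

# Constructed sample settings; hosts and tokens are placeholders.
SAMPLES = {
    "python-weak": {"server_url": "http://apm.example.internal:8200",
                    "secret_token": "constructed-token"},
    "java-noverify": {"server_urls": "https://apm.example.internal:8200",
                      "secret_token": "constructed-token",
                      "verify_server_cert": "false"},
    "go-ok": {"ELASTIC_APM_SERVER_URL": "https://apm.example.internal:8200",
              "ELASTIC_APM_SECRET_TOKEN": "constructed-token"},
}

def _first(cfg, keys):
    """Return the first configured value among the agent-specific key names."""
    for key in keys:
        if cfg.get(key) not in (None, ""):
            return cfg[key]
    return None

def audit_agent_config(cfg):
    """Return a list of findings for one agent's settings (hypothetical helper)."""
    findings = []
    raw_urls = str(_first(cfg, URL_KEYS) or "")
    urls = [u.strip() for u in raw_urls.split(",") if u.strip()]  # Java takes a list
    token = _first(cfg, TOKEN_KEYS)
    verify = _first(cfg, VERIFY_KEYS)
    if not urls:
        findings.append("no server URL configured")
    for url in urls:
        if urlsplit(url).scheme.lower() != "https":
            findings.append(f"{url}: not HTTPS, events are sent in cleartext")
            if token:
                findings.append(f"{url}: secret token exposed without TLS")
    if str(verify).strip().lower() in ("false", "0", "no"):
        findings.append("certificate verification disabled: encrypted, server identity unchecked")
    if not token:
        findings.append("no secret token: server cannot tell your agents from other senders")
    return findings

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(name, audit_agent_config(cfg) or "ok")
```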