Secure communication with APM agents
Communication between APM agents and APM Server can be both encrypted and authenticated. Encryption is achievable through SSL/TLS communication.
Authentication can be achieved in two main ways:
Both options can be enabled at the same time, allowing Elastic APM agents to choose whichever mechanism they support. In addition, since both mechanisms involve sending a secret as plain text, they should be used in combination with SSL/TLS encryption.
As soon as authenticated communication is enabled, requests without a valid token or API key will be denied by APM Server. An exception to this rule can be configured with anonymous authentication, which is useful for APM agents running on the client side, like the Real User Monitoring (RUM) agent.
There is a less straightforward and more restrictive way to authenticate clients through SSL/TLS client authentication, which is currently a mainstream option only for the RUM agent (through the browser) and the Jaeger agent.
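
Why both mechanisms need SSL/TLS, shown as an added example that is not part of the Elastic documentation: it rebuilds the `Authorization` header an agent sends, shows what that header discloses without encryption, and audits a set of agent settings for credentials sent to a non-HTTPS URL. It assumes the `Bearer <token>` and `ApiKey <base64(id:key)>` header formats and the agent setting names `server_url`, `secret_token` and `api_key`; host names and secrets are constructed.

```python
import base64
from urllib.parse import urlsplit


def auth_header(secret_token=None, api_key=None):
    """Authorization header value an agent sends (assumed formats, see lead-in)."""
    if api_key:
        return "ApiKey " + api_key
    if secret_token:
        return "Bearer " + secret_token
    return None  # anonymous agent, e.g. RUM


def recover_secret(header_value):
    """What the header discloses when it is not protected by TLS."""
    scheme, _, value = header_value.partition(" ")
    if scheme == "Bearer":
        return {"secret_token": value}
    if scheme == "ApiKey":
        # base64 is an encoding, not encryption: the id and key come straight back
        key_id, _, key = base64.b64decode(value).decode().partition(":")
        return {"api_key_id": key_id, "api_key": key}
    raise ValueError("unknown authorization scheme: " + scheme)


def audit(agents):
    """Names of agents that send a credential to a non-HTTPS server_url."""
    findings = []
    for name, cfg in agents.items():
        header = auth_header(cfg.get("secret_token"), cfg.get("api_key"))
        if header and urlsplit(cfg["server_url"]).scheme.lower() != "https":
            findings.append(name)
    return sorted(findings)


# Constructed sample settings for three agents (not real hosts or secrets).
AGENTS = {
    "checkout": {"server_url": "http://apm.example.internal:8200",
                 "secret_token": "constructed-token"},
    "billing": {"server_url": "https://apm.example.internal:8200",
                "api_key": base64.b64encode(b"constructed-id:constructed-key").decode()},
    "rum-frontend": {"server_url": "http://apm.example.internal:8200"},
}

if __name__ == "__main__":
    for agent in audit(AGENTS):
        print(agent, "sends a credential without TLS")
```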