IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Secure communication with APM agents API keys »

›

APM agent TLS communication

edit

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

APM agent TLS communication

edit

TLS is disabled by default. When TLS is enabled for APM Server inbound communication, agents will verify the identity of the APM Server by authenticating its certificate.

Enable TLS in the APM integration configuration panel; a certificate and corresponding private key are required. The certificate and private key can either be issued by a trusted certificate authority (CA) or be self-signed.

Use a self-signed certificate

edit

Step 1: Create a self-signed certificate

edit

The Elasticsearch distribution offers the certutil tool for the creation of self-signed certificates:

Create a CA: ./bin/elasticsearch-certutil ca --pem. You’ll be prompted to enter the desired location of the output zip archive containing the certificate and the private key.
Extract the contents of the CA archive.
Create the self-signed certificate: ./bin/elasticsearch-certutil cert --ca-cert <path-to-ca-crt>/ca.crt --ca-key <path-to-ca-key>/ca.key --pem --name localhost
Extract the certificate and key from the resulted zip archive.

Step 2: Configure the APM integration

edit

Configure the APM integration to point to the extracted certificate and key.

Step 3: Configure APM agents

edit

When the APM server uses a certificate that is not chained to a publicly-trusted certificate (e.g. self-signed), additional configuration is required in the APM agent:

Go agent: certificate pinning through ELASTIC_APM_SERVER_CERT
Python agent: certificate pinning through server_cert
Ruby agent: certificate pinning through server_ca_cert
.NET agent: ServerCert
NodeJS agent: custom CA setting through serverCaCertFile
Java agent: adding the certificate to the JVM trustStore. See APM Server authentication for more details.

We do not recommend disabling APM agent verification of the server’s certificate, but it is possible:

Go agent: ELASTIC_APM_VERIFY_SERVER_CERT
.NET agent: VerifyServerCert
Java agent: verify_server_cert
PHP agent: verify_server_cert
Python agent: verify_server_cert
Ruby agent: verify_server_cert
NodeJS agent: verifyServerCert

Client certificate authentication

edit

APM Server does not require agents to provide a certificate for authentication, and there is no dedicated support for SSL/TLS client certificate authentication in Elastic’s backend agents.

« Secure communication with APM agents API keys »