Secret token
This documentation refers to configuring the standalone (legacy) APM Server. This method of running APM Server will be deprecated and removed in a future release. Please consider upgrading to Fleet and the APM integration. If you’ve already upgraded, see Secret token.
You can configure a secret token to authorize requests to the APM Server. This ensures that only your agents are able to send data to your APM servers. Both the agents and the APM servers have to be configured with the same secret token.
Secret tokens are sent as plain-text, so they only provide security when used in combination with SSL/TLS.
To secure the communication between APM agents and the APM Server with a secret token:
- Make sure SSL/TLS is enabled
- Set a secret token in your agents and Server
- Enable HTTPS in your APM agents
Secret tokens are not applicable for the RUM Agent, as there is no way to prevent them from being publicly exposed.
Set a secret token
APM Server configuration
Elasticsearch Service and Elastic Cloud Enterprise deployments provision a secret token when the deployment is created. The secret token can be found and reset in the Elastic Cloud console under Deployments — APM & Fleet.
Here’s how you set the secret token in APM Server:
apm-server.auth.secret_token: <secret-token>
We recommend saving the token in the APM Server Secrets keystore.
Secret tokens are not applicable for the RUM agent, as there is no way to prevent them from being publicly exposed.
Agent specific configuration
Each Agent has a configuration for setting the value of the secret token:
- Go agent: ELASTIC_APM_SECRET_TOKEN
- iOS agent: secretToken
- Java agent: secret_token
- .NET agent: ELASTIC_APM_SECRET_TOKEN
- Node.js agent: Secret Token
- PHP agent: secret_token
- Python agent: secret_token
- Ruby agent: secret_token
HTTPS communication in APM agents
To enable secure communication in your agents, you need to update the configured server URL to use HTTPS instead of HTTP.
- Go agent: ELASTIC_APM_SERVER_URL
- Java agent: server_urls
- .NET agent: ServerUrl
- Node.js agent: serverUrl
- PHP agent: server_url
- Python agent: server_url
- Ruby agent: server_url
Some agents also allow you to specify a custom certificate authority for connecting to APM Server.
- Go agent: certificate pinning through ELASTIC_APM_SERVER_CERT
- Python agent: certificate pinning through server_cert
- Ruby agent: certificate pinning through server_ca_cert
- .NET agent: ServerCert
- NodeJS agent: custom CA setting through serverCaCertFile
- Java agent: adding the certificate to the JVM trustStore. See APM Server authentication for more details.
Agents that don’t allow you to specify a custom certificate will allow you to disable verification of the SSL certificate. This ensures encryption, but does not verify that you are sending data to the correct APM Server.
- Go agent: ELASTIC_APM_VERIFY_SERVER_CERT
- .NET agent: VerifyServerCert
- Java agent: verify_server_cert
- PHP agent: verify_server_cert
- Python agent: verify_server_cert
- Ruby agent: verify_server_cert
- NodeJS agent: verifyServerCert
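An added example, not part of the Elastic documentation: a small audit of agent settings that flags the failure modes described above (a token sent over plain HTTP, certificate verification disabled, no token set). It uses the Python agent's setting names from this page; the finding codes, service names, and sample values are constructed for illustration.

```python
from urllib.parse import urlsplit

# String forms of "false" as they appear in environment variables or ini files.
FALSY = {"false", "0", "no", "off"}

def _as_bool(value, default=True):
    """Accept real booleans or string settings; unset means `default`."""
    if value is None:
        return default
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() not in FALSY

def audit_agent_config(cfg):
    """Return sorted finding codes (hypothetical names) for one agent's settings."""
    findings = set()
    token = (cfg.get("secret_token") or "").strip()
    # An unset or scheme-less server_url is treated as "not HTTPS".
    scheme = urlsplit(cfg.get("server_url") or "").scheme.lower()
    if not token:
        findings.add("NO_TOKEN")            # requests are not authorized at all
    if scheme != "https":
        # The token is sent as plain text, so without TLS it is readable in transit.
        findings.add("TOKEN_CLEARTEXT" if token else "NO_TLS")
    elif not _as_bool(cfg.get("verify_server_cert")):
        # Encrypted, but the agent cannot tell it is talking to the right server.
        # Assumption: verification is on when the setting is absent.
        findings.add("SERVER_UNVERIFIED")
    return sorted(findings)

def audit_all(configs):
    """Map each service name to its list of findings."""
    return {name: audit_agent_config(cfg) for name, cfg in configs.items()}

# Constructed sample settings, one dict per service.
SAMPLE_CONFIGS = {
    "checkout": {"server_url": "https://apm.example.internal:8200", "secret_token": "constructed-token"},
    "billing": {"server_url": "http://apm.example.internal:8200", "secret_token": "constructed-token"},
    "search": {"server_url": "https://apm.example.internal:8200", "secret_token": "constructed-token",
               "verify_server_cert": "false"},
    "batch": {"server_url": "https://apm.example.internal:8200"},
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_CONFIGS).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```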