This documentation refers to configuring the standalone (legacy) APM Server. This method of running APM Server will be deprecated and removed in a future release. Please consider upgrading to Fleet and the APM integration.
You can specify Kerberos options with any output or input that supports Kerberos, like Elasticsearch.
The following encryption types are supported:
Example output config with Kerberos password based authentication:
output.elasticsearch.hosts: ["http://my-elasticsearch.elastic.co:9200"]
output.elasticsearch.kerberos.auth_type: password
output.elasticsearch.kerberos.username: "elastic"
output.elasticsearch.kerberos.password: "changeme"
output.elasticsearch.kerberos.config_path: "/etc/krb5.conf"
output.elasticsearch.kerberos.realm: "ELASTIC.CO"
The service principal name for the Elasticsearch instance is constructed from these options. Based on this configuration
it is going to be
You can specify the following options in the kerberos section of the apm-server.yml config file:
enabled setting can be used to enable the
kerberos configuration by setting
false. The default value is
Kerberos settings are disabled if either enabled is set to false or the kerberos section is missing.
There are two options to authenticate with Kerberos KDC: password and keytab.
password expects the principal name and its password. When choosing keytab, you have to specify a principal name and a path to a keytab. The keytab must contain the keys of the selected principal. Otherwise, authentication will fail.
You need to set the path to the krb5.conf, so APM Server can find the Kerberos KDC to retrieve a ticket.
Name of the principal used to connect to the output.
If you configured password for auth_type, you have to provide a password for the selected principal.
If you configured keytab for auth_type, you have to provide the path to the keytab of the selected principal.
This option can only be configured for Kafka. It is the name of the Kafka service, usually
Name of the realm where the output resides.
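A consistency check for the rules above (when the section counts as disabled, what each auth_type requires, and the krb5.conf path), as an added example that is not part of APM Server or of the original documentation. It reads only the flat dotted-key form used in the example config; parse_flat, check_kerberos and the BROKEN_KEYTAB sample are constructed for illustration, and the keytab option name is assumed to match the auth_type value.

```python
PREFIX = "output.elasticsearch.kerberos."

# The password-based example config from this page.
PAGE_EXAMPLE = '''
output.elasticsearch.hosts: ["http://my-elasticsearch.elastic.co:9200"]
output.elasticsearch.kerberos.auth_type: password
output.elasticsearch.kerberos.username: "elastic"
output.elasticsearch.kerberos.password: "changeme"
output.elasticsearch.kerberos.config_path: "/etc/krb5.conf"
output.elasticsearch.kerberos.realm: "ELASTIC.CO"
'''

# Constructed sample: keytab auth selected, but no keytab path and no krb5.conf path.
BROKEN_KEYTAB = '''
output.elasticsearch.kerberos.auth_type: keytab
output.elasticsearch.kerberos.username: "elastic"
output.elasticsearch.kerberos.realm: "ELASTIC.CO"
'''

def parse_flat(text):
    """Parse 'dotted.key: value' lines (flat form only, not nested YAML)."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep and not key.startswith("#"):
            settings[key] = value.strip().strip("\"'")
    return settings

def check_kerberos(settings):
    """Return a list of problems; an empty list means nothing to report."""
    krb = {k[len(PREFIX):]: v for k, v in settings.items() if k.startswith(PREFIX)}
    # Section missing or enabled set to false: Kerberos is disabled, nothing to check.
    if not krb or krb.get("enabled", "").lower() == "false":
        return []
    problems = []
    auth = krb.get("auth_type", "")
    if auth not in ("password", "keytab"):
        problems.append(f"auth_type must be password or keytab, got {auth!r}")
    if not krb.get("username"):
        problems.append("username (principal name) is not set")
    # Assumption: the option holding the credential has the same name as the auth_type.
    if auth in ("password", "keytab") and not krb.get(auth):
        problems.append(f"auth_type is {auth} but {auth} is not set")
    if not krb.get("config_path"):
        problems.append("config_path (krb5.conf) is not set, the KDC cannot be located")
    return problems

if __name__ == "__main__":
    for name, text in (("page example", PAGE_EXAMPLE), ("broken keytab", BROKEN_KEYTAB)):
        print(name, check_kerberos(parse_flat(text)))
```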