SSL/TLS is disabled by default. Besides enabling it, you need to provide a certificate and a corresponding private key as well.
The following is a basic APM Server SSL config with secure communication enabled. This will make APM Server serve HTTPS requests instead of HTTP.
apm-server.ssl.enabled: true
apm-server.ssl.certificate: "/path/to/apm-server.crt"
apm-server.ssl.key: "/path/to/apm-server.key"
A full list of configuration options is available in SSL input settings.
The certificate and private key can be issued by a trusted certificate authority (CA) or self-signed.
When using a self-signed (or custom CA) certificate, communication from APM Agents will require additional settings due to Server certificate authentication.
The Elasticsearch distribution offers the certutil tool for the creation of self-signed certificates:
- Create a CA: ./bin/elasticsearch-certutil ca --pem
  You'll be prompted to enter the desired location of the output zip archive containing the certificate and the private key.
- Extract the contents of the CA archive.
- Create the self-signed certificate: ./bin/elasticsearch-certutil cert --ca-cert <path-to-ca-crt>/ca.crt --ca-key <path-to-ca-key>/ca.key --pem --name localhost
- Extract the certificate and key from the resulting zip archive.
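Before pointing apm-server.ssl.certificate and apm-server.ssl.key at the extracted files, it is worth confirming that they fit together. The script below is an added example, not part of the original documentation: the function names are hypothetical, and it assumes the openssl command-line tool (1.1.0 or later) is installed.

```shell
#!/bin/sh
# Added example: pre-deployment checks for the files named in
# apm-server.ssl.certificate and apm-server.ssl.key.
# Function names are hypothetical; requires the openssl CLI (1.1.0 or later).

# The certificate chains to the CA that agents will be configured to trust.
chains_to_ca() {        # usage: chains_to_ca <ca.crt> <server.crt>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The private key belongs to the certificate: both yield the same public key.
key_matches_cert() {    # usage: key_matches_cert <server.crt> <server.key>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The certificate is valid for the host name agents use in their server URL.
# OpenSSL falls back to the subject CN when the certificate carries no DNS
# subject alternative name; some TLS clients do not.
cert_covers_host() {    # usage: cert_covers_host <server.crt> <hostname>
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Run all three checks, report every failure, return non-zero if any failed.
check_apm_tls() {       # usage: check_apm_tls <ca.crt> <server.crt> <server.key> <hostname>
    rc=0
    chains_to_ca "$1" "$2"     || { echo "FAIL: $2 does not chain to $1" >&2; rc=1; }
    key_matches_cert "$2" "$3" || { echo "FAIL: $3 is not the key for $2" >&2; rc=1; }
    cert_covers_host "$2" "$4" || { echo "FAIL: $2 is not valid for host $4" >&2; rc=1; }
    return "$rc"
}

# When invoked with four arguments, run the checks directly.
if [ "$#" -eq 4 ]; then
    check_apm_tls "$@"
fi
```

Run it with the CA certificate, the server certificate, the server key and the host name from the agents' server URL as its four arguments.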
By default, when SSL is enabled for APM Server inbound communication, agents will verify the identity of the APM Server by authenticating its certificate.
When APM Server uses a certificate that is not chained to a publicly trusted certificate (e.g. self-signed), additional settings are required on the agent side:
Go agent: certificate pinning through
Python agent: certificate pinning through
Ruby agent: certificate pinning through
NodeJS agent: custom CA setting through
Java agent: adding the certificate to the JVM trustStore.
See APM Server authentication for more details.
Disabling APM Server authentication is not recommended; however, it is possible through agent configuration:
By default, the APM Server does not require agents to provide a certificate for authentication.
This can be changed through the
There is no dedicated support for SSL/TLS client certificate authentication in Elastic's backend agents, so setting it up may require some additional effort. For an example, see Java Agent authentication.
If agents are authenticating themselves using a certificate that cannot be authenticated through known CAs (e.g. self-signed certificates), use ssl.certificate_authorities to set a custom CA.
This will automatically modify the ssl.client_authentication configuration to require authentication.