Securing APM Serveredit

The following topics provide information about securing the APM Server process and securing communication between APM Server and other products in the Elastic stack:

Security Overviewedit

APM Server exposes an HTTP endpoint and as with anything that opens ports on your servers, you should be careful about who can connect to it. Firewall rules are recommended to ensure only authorized systems can connect.

Secret tokenedit

You can configure a secret token to authorize requests to the APM Server, and ensure that only your agents can send data to your APM servers. Both the agents and the APM servers have to be configured with the same secret token.

Note

Secret tokens provide security only when used in combination with SSL/TLS. Secret tokens are not applicable for RUM, as they would be publicly exposed.

SSL/TLS setupedit

To enable SSL/TLS you need a private key and a certificate issued by a certification authority (CA). Then you can specify the path to those files in the configuration properties apm-server.ssl.key and apm-server.ssl.certificate respectively. This will make the APM Server to serve HTTPS requests instead of HTTP. Hence, you also need to enable SSL in the agent. For agent specific details, please check the agent documentation for how to do it.