SSL/TLS communication
This documentation refers to configuring the standalone (legacy) APM Server. This method of running APM Server will be deprecated and removed in a future release. Please consider upgrading to Fleet and the APM integration. If you’ve already upgraded, see APM agent TLS communication.
SSL/TLS is disabled by default. To enable it, you also need to provide a certificate and the corresponding private key.
The following is a basic APM Server SSL config with secure communication enabled. This will make APM Server serve HTTPS requests instead of HTTP.
apm-server.ssl.enabled: true
apm-server.ssl.certificate: "/path/to/apm-server.crt"
apm-server.ssl.key: "/path/to/apm-server.key"
A full list of configuration options is available in SSL input settings.
The certificate and private key can be issued by a trusted certificate authority (CA) or be self-signed.
When using a self-signed (or custom CA) certificate, APM Agents require additional settings, described under Server certificate authentication.
Creating a self-signed certificate
The Elasticsearch distribution offers the certutil tool for the creation of self-signed certificates:
- Create a CA: ./bin/elasticsearch-certutil ca --pem. You’ll be prompted to enter the desired location of the output zip archive containing the certificate and the private key.
- Extract the contents of the CA archive.
- Create the self-signed certificate: ./bin/elasticsearch-certutil cert --ca-cert <path-to-ca-crt>/ca.crt --ca-key <path-to-ca-key>/ca.key --pem --name localhost
- Extract the certificate and key from the resulting zip archive.
Server certificate authentication
By default, when SSL is enabled for APM Server inbound communication, agents verify the identity of the APM Server by authenticating its certificate.
When the APM Server uses a certificate that is not chained to a publicly-trusted certificate (e.g. self-signed), additional settings are required on the agent side:
- Go agent: certificate pinning through ELASTIC_APM_SERVER_CERT
- Python agent: certificate pinning through server_cert
- Ruby agent: certificate pinning through server_ca_cert
- .NET agent: ServerCert
- Node.js agent: custom CA setting through serverCaCertFile
- Java agent: adding the certificate to the JVM trustStore. See APM Server authentication for more details.
Disabling APM Server authentication is not recommended, but it is possible through the agent configuration:
- Go agent: ELASTIC_APM_VERIFY_SERVER_CERT
- .NET agent: VerifyServerCert
- Java agent: verify_server_cert
- PHP agent: verify_server_cert
- Python agent: verify_server_cert
- Ruby agent: verify_server_cert
- Node.js agent: verifyServerCert
Client certificate authentication
By default, the APM Server does not require agents to provide a certificate for authentication. This can be changed through the ssl.client_authentication configuration.
There is no dedicated support for SSL/TLS client certificate authentication in Elastic’s backend agents, so setting it up may require some additional effort. For example, see Java Agent authentication.
If agents authenticate themselves using a certificate that cannot be validated through known CAs (e.g. self-signed certificates), use ssl.certificate_authorities to set a custom CA. This automatically changes the ssl.client_authentication configuration to require authentication.