SSL or TLS Settings
Change your APM Command Center TLS settings depending on the level of security that you require.
Change your APM Command Center TLS settings depending on the level of security that you require. APM Command Center supports only TLS 1.2. Older versions of TLS and SSL are unsupported. By default, APM Command Center enables both the HTTP and HTTPS protocols. When both protocols are enabled, the browser redirects HTTP URLs to HTTPS automatically. The browser does not use HTTP for further communication.
When the keystore files are missing, the Configuration Server generates and saves the keystore with a new and unique self-signed certificate in the
For more security, replace the generated keystore for the Configuration Server with one that is signed by a trusted certificate authority. The self-signed certificate is not trusted by any certification authority.
Because the self-signed certificate is not trusted, the browser displays a security-certificate warning when you access APM Command Center. To prevent this warning, select one of the following options:
- Replace the self-signed certificate with one of your own that is signed by a trusted authority
- (Windows only) Import the self-signed certificate into the local certificate store
- Configure APM Command Center to use the HTTP protocol (not recommended)
Default Settings for the Keystore
The Configuration Server generates the keystore according to the values of the
javax.net.ssl.aliasproperties in the
APMCommandCenterServer\config\apmccsrv.propertiesfile. By default, if you have one key, that key is used. If multiple keys are in the keystore, you must specify the key that you want to use through the alias. The
server.pemcertificate files are created for your convenience. Use the
server.pemfiles to enable the use of trusted connections in the browser. Use the
default.truststoreto set up up the truststore on the ACC Controller when the ActiveMQ connection is configured with HTTPS protocol.
Use either the default values or modify them, as mandated by your internal security guidelines.
Default password for default.truststore:
Generate a New Keystore with a Self-Signed Certificate
Generate a new SSL keystore with a self-signed certificate. This process includes obtaining a private key, a public key, and a subject identification (such as a DNS name), with the self-signature. This step is useful when your old certificate expired or when the
hostnameor DNS domain changed.
Follow these steps:
- Go to theAPMCommandCenterServer\config\securityfolder.
- Delete the following existing key files:
- Restart the Configuration Server.A new keystore generates.When you log in to APM Command Center, you receive a warning that the browser does not trust the new self-signed certificate.
Import a Self-Signed Certificate in Windows
Import the self-signed certificate to prevent the security certificate warning in your browser.
Follow these steps:
- Copy theAPMCommandCenter/config/security/server.crtcertificate that the Configuration Server automatically generates to the client machine.
- (Optional) On the Windows client machine, open the APM Command Center UI in Internet Explorer.
- To save the certificate, right-click the certificate warning in the address bar.
- Double-click theserver.crtfile that the Configuration Server automatically generates.
- In the dialog that opens, clickInstall Certificate.
- (Optional) In the next dialog, selectLocal Machineas the Store Location.
- In the next dialog, selectPlace all certificates in the following storeand browse for theTrusted Root Certification Authoritiesstore.
Set up Certificates Trusted by a Certificate Authority
To generate a new keystore manually, see the Java Keytool and OpenSSL utilities and then point the Configuration Server to the new keystore. The password of the keystore and that of the certificate must be identical. For maximum security, replace the generated keystore for the Configuration Server with one that is signed by a Trusted Certificate Authority. For more information about ActiveMQ communication, see Enable ActiveMQ Secure Communication.
The following steps vary with different certificate authorities.
Follow these steps:
- Generate a keystore pair (RSA public and private key) into a Java Keystore (JKS) file.Example:keytool -genkeypair -alias server -dname cn=serverhostname.example.com -ext "san=dns:serverhostname.example.com" -validity 3650 -keyalg RSA -keysize 2048 -keystore server.jks -keypass changeit -storepass changeit
- Create a certificate-signing request with the output of Step 1.Example:Create a fileserver.csrthat contains an RFC 1421 Security Certificate Signing Request:keytool -certreq -keystore server.jks -storepass changeit -alias server -file server.csr -ext "san=dns:serverhostname.example.com"
- Send the certificate-signing request to the certificate authority of your choice.
- After verification, the certificate authority sends a signed certificate that contains your public key.This certificate can contain a single-signed chain link between your certificate and the root certificate of that authority or multiple links (due to middle certificate authorities).
- Import the root certificate of the certificate authority to your keystore. Next, import the signed certificate for your server to complete the chain.Example:You received a
file from the certificate-authority in response to your certificate signing request (sign.crt
in the example in Step 2). You must have aserver.csr
file that contains the root certificate of the certificate authority. Both files are inca.crt
format.DERkeytool -importcert -trustcacerts -alias ca -file ca.crt -keystore server.jks -storepass changeit -nopromptkeytool -importcert -v -alias server -keystore server.jks -keypass changeit -storepass changeit -file sign.crt
- If you are working with a certificate authority that is not publicly trusted, create a truststore with the certificate authority certificate.Example:In this example, the certificate authority is not publicly trusted. So the authority is not in the default Java truststore. For example, the authority is a nonpublic company-wide certificate authority.keytool -importcert -trustcacerts -noprompt -alias ca -keystore truststore.jks -keypass changeit -storepass changeit -file ca.crt
- If you use a certificate authority that is not publicly trusted, import its root certificate into the browser to set up the trust.
- Set the configuration in theAPMCommandCenterServer\config\apmccsrv.propertiesfile to point to the new files.Example:(Use forward slashes as the directory separator on both Linux and Windows)javax.net.ssl.keyStore=c:/APMCommandCenterServer/config/security/server.jksjavax.net.ssl.keyStorePassword=changeit
- Start the APM Command Center Configuration Server.
- Verify that your browser can access the certificate without showing a warning.
- Configure the Controllers to trust the non-publicly trusted certificate authority. This step applies under the following two conditions:
- The Controllers use HTTPS for the ActiveMQ connection.
- The default Java truststore does not trust the certificate authority.
- Create the truststore.Example:Create a truststore according to the certificate authority certificate.keytool -importcert -trustcacerts -noprompt -alias ca -keystore truststore.jks -keypass changeit -storepass changeit -file ca.crt
- Configure the truststore location and password in the Controller configuration file:APMCommandCenterController\config\apmccctrl.propertiesExample:(Use forward slashes as directory separators on both Linux and Windows)configurationServer.trustStore=c:/path/to/truststore.jksconfigurationServer.trustStorePassword=changeit
- Restart the Controllers.
Default HTTP and HTTPS Settings
By default, APM Command Center enables both the HTTP and HTTPS protocols. When both protocols are enabled, the browser redirects HTTP URLs to HTTPS automatically. The browser does not use HTTP for further communication. Disable HTTP entirely to increase browser security.
HTTPS responses include an HTTPS Strict-Transport-Security(HSTS) header with a one-year expiration. If you connect with a trusted certificate, the browser remembers the HSTS header. When the browser accepts the HSTS header, the browser automatically redirects an HTTP URL to HTTPS for all subsequent requests. The HSTS header prevents an HTTPS URL with a certificate-authority certificate from switching to either an HTTPS self-signed certificate or to plain HTTP.
If you connect with a self-signed certificate, the browser does not trust this type of certificate and you see a warning. To prevent the security certificate warning when you access the browser, switch to HTTP and disable HTTPS.
We do not recommend that you disable HTTPS because this action weakens your security.
Switch to HTTP
You may need to integrate with some tools that only support TLS versions older than 1.2 or have a problem with setting up certificates. We recommend that you upgrade these tools to versions that support TLS 1.2 and to set up certificates properly. For more information, see Set up Certificates Trusted by a Certificate Authority.
Using HTTPS is the best practice and our recommendation. We do not recommend that you turn off secure connections by switching to HTTP.
Switch to HTTP if your requirements demand it.
Follow these steps:
- Go to theapmccsrv.propertiesfile.
- Set thewebserver.https.enableproperty tofalse.
- Restart the Configuration Server.
- Clear the Web browser cache.
- Connect to APM Command Center using the default HTTP port.Default:8088
Disable HTTP Port
Disable the HTTP redirect to HTTPS entirely if your internal security guidelines mandate it. After you disable the HTTP port, users who attempt to access the URL by HTTP receive an error message in the browser. Users must use the HTTPS URL directly.
Default HTTPS Port:8443
Follow these steps:
- Go to theAPMCommandCenterServer\config\apmccsrv.propertiesfile.
- Locate the
- Set the property to
- Restart APM Command Center.
You disabled the HTTP port.