Configuring a default certificate

If you use the HTTPS protocol for communication between the Cloud APM server and the agents, the Cloud APM server accepts connections only from resources that authenticate themselves with a valid certificate. You can configure HTTPS communication based on the default certificates that are generated when the Cloud APM server is installed. The default certificates expire 10 years after the Cloud APM server is installed.

Before you begin

During Cloud APM server installation, the local root certificate authority (CA), and the agent and server certificates that are signed by that local root CA, are always generated unless the /opt/ibm/ccm/keyfiles directory already exists when the installation starts.
  • The local root CA is established and two keystores are generated. One keystore contains the key that is used by the server and the other contains the keys that are used by the agents.
  • The certificates in the keystores are signed by the local root CA. The signed public certificates are exchanged between the keystores: the signed server certificate is added to the agent keystore and the signed agent certificate is added to the server keystore.
  • The local root CA certificate is added to both keystores so that the agent and the server can each validate the certificate that the other side presents.
  • The HTTPS protocol uses 256-bit elliptic curve cipher suites and conforms to the Suite B FIPS standard.
  • Ensure that any firewalls or network filtering devices between the Cloud APM server and the monitoring agents allow communication on port 443.
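The trust model that the installer sets up (a local root CA, one certificate per side, and each keystore holding the CA plus the other side's certificate) can be rebuilt with openssl to see what each piece contributes. The script below is an added example and not the Cloud APM installer's code; it assumes P-256 keys, PEM files in a scratch directory and extended key usage values that tell the server and agent certificates apart, none of which the page states. The real installer writes Java keystores under /opt/ibm/ccm/keyfiles, which openssl pkcs12 can produce from the PEM files.

```shell
#!/bin/sh
# Added example, not IBM Cloud APM installer code: rebuilds the default-certificate
# trust model described above with openssl so that the pieces can be inspected.
# Assumptions (not from the page): P-256 keys, PEM files in a scratch directory,
# and extendedKeyUsage used to distinguish server and agent certificates.
set -eu

DAYS=3650   # 10 years, matching the lifetime of the default certificates

# new_ec_key FILE : generate a 256-bit elliptic-curve (P-256) private key
new_ec_key() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1"
}

# make_pki DIR : local root CA, one server and one agent certificate signed by
# it, and a trust store per side that holds the CA plus the peer's certificate
make_pki() {
  dir=$1
  mkdir -p "$dir"

  # 1. the local root CA: self-signed and marked as a CA that may sign certificates
  new_ec_key "$dir/ca.key"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$dir/ca.ext"
  openssl req -new -key "$dir/ca.key" -subj "/CN=Cloud APM local root CA (example)" -out "$dir/ca.csr"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -sha256 -days "$DAYS" \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt"

  # 2. one leaf certificate per role, signed by the CA; the EKU records the role
  for role in server agent; do
    if [ "$role" = server ]; then eku=serverAuth; else eku=clientAuth; fi
    new_ec_key "$dir/$role.key"
    openssl req -new -key "$dir/$role.key" -subj "/CN=apm-$role" -out "$dir/$role.csr"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=%s\nauthorityKeyIdentifier=keyid\n' \
      "$eku" > "$dir/$role.ext"
    openssl x509 -req -in "$dir/$role.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -sha256 -days "$DAYS" -extfile "$dir/$role.ext" -out "$dir/$role.crt"
  done

  # 3. cross-trust, as the text describes for the two keystores: each side's
  #    trust store contains the root CA and the other side's signed certificate
  cat "$dir/ca.crt" "$dir/agent.crt"  > "$dir/server.truststore.pem"
  cat "$dir/ca.crt" "$dir/server.crt" > "$dir/agent.truststore.pem"
}

# chain_ok TRUSTSTORE CERT PURPOSE : succeeds if CERT chains to the CA in
# TRUSTSTORE and is allowed for PURPOSE (sslserver or sslclient)
chain_ok() {
  openssl verify -purpose "$3" -CAfile "$1" "$2" >/dev/null 2>&1
}

# lifetime_ok CERT : succeeds if CERT is valid for about 10 years (3640..3660 days)
lifetime_ok() {
  openssl x509 -in "$1" -noout -checkend $((3640 * 86400)) >/dev/null &&
    ! openssl x509 -in "$1" -noout -checkend $((3660 * 86400)) >/dev/null
}

main() {
  dir=$1
  make_pki "$dir"
  # the server validates the agent as a TLS client and the agent validates the
  # server as a TLS server; both succeed because both trust the same root CA
  chain_ok "$dir/server.truststore.pem" "$dir/agent.crt"  sslclient
  chain_ok "$dir/agent.truststore.pem"  "$dir/server.crt" sslserver
  # an agent certificate must not be accepted in the server role
  if chain_ok "$dir/agent.truststore.pem" "$dir/agent.crt" sslserver; then
    echo "agent certificate accepted as a server: extendedKeyUsage is missing" >&2
    return 1
  fi
  lifetime_ok "$dir/server.crt"
  echo "trust model rebuilt under $dir: CA, server and agent certificates verified"
}

main "$(mktemp -d)"
```

The two verify calls are the checks each side performs during the handshake: the server's trust store must validate the agent certificate for the client role, and the agent's trust store must validate the server certificate for the server role. The negative check shows why the role split matters; without a distinguishing extended key usage, a leaked agent certificate would also pass as a server certificate.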

About this task

The following scenarios apply:
  • If you configured the agents during the server installation and set APM_SECURE_COMMUNICATION=y, which turns on HTTPS communication, you do not have to complete any additional steps now to use HTTPS.
  • If you did not configure the agents for HTTPS communication when you installed the Cloud APM server, you must reconfigure the agent images to create new configuration packages that use HTTPS. Then use the updated configuration packages to reconfigure existing agents and to install new agents.

To enable communication between the server and agents by using the default certificates that were generated during the Cloud APM server installation, complete the following steps:

Procedure

  1. To configure the agent images manually, see Configuring the downloaded images. Ensure that you select HTTPS communication when you run the make_configuration_packages.sh script to create the configuration packages.
  2. Copy the <ssl> element that contains the enabledCiphers attribute from the install_dir/wlp/usr/servers/min/server.xml file to the install_dir/wlp/usr/servers/min/user-exit.xml file. Then add the following attribute after the enabledCiphers line in the user-exit.xml file, which makes the server require a certificate from every agent that connects:
    clientAuthentication="true"
  3. To change the communication protocol for the Agent Central Configuration to https, complete the following steps:
    1. Log in to the Cloud APM console.
    2. Select System Configuration > Advanced Configuration.
    3. Click Agent Central Configuration.
    4. Set the Protocol to include https, and click Save.
  4. When you install new agents, use the agent images that are configured in step 1.
  5. Reconfigure existing agents to use HTTPS by completing the steps in Configuring agents to connect to a different server or to use HTTPS communication.
  6. Configure the agents that run on the Cloud APM server itself to use HTTPS and certificates. See Configuring the communications protocol for server agents for instructions.
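Step 2 is the one edit in this procedure that is easy to get subtly wrong: the copied <ssl> element must keep its id and the other attributes so that the user-exit override applies to the same configuration, and the attribute must be clientAuthentication="true", not the Liberty attribute clientAuthenticationSupported="true", which only requests a certificate and still admits agents without one. The script below is an added example and not IBM's tooling; it assumes the <ssl> element is self-closing (<ssl ... />), that an existing user-exit.xml is a <server> document with a </server> closing tag, and the sample server.xml it builds is constructed for the demonstration rather than taken from an installation.

```shell
#!/bin/sh
# Added example, not IBM Cloud APM code: automates step 2 above. It copies the
# <ssl> element that carries enabledCiphers from server.xml into user-exit.xml,
# adds clientAuthentication="true" to it, and checks the result. Assumptions
# (not from the page): the <ssl> element is self-closing (<ssl ... />) and an
# existing user-exit.xml is a Liberty <server> document with a </server> tag.
set -eu

# extract_ssl_element FILE : print the <ssl ...> element that has enabledCiphers,
# whether it spans one line or several (first match only)
extract_ssl_element() {
  awk '
    /<ssl[ \t>]/   { buf = ""; inel = 1 }
    inel           { buf = buf $0 "\n" }
    inel && /\/>/  { inel = 0; if (buf ~ /enabledCiphers=/) { printf "%s", buf; exit } }
  ' "$1"
}

# client_auth_enabled FILE : succeeds if that <ssl> element requires a client certificate
client_auth_enabled() {
  extract_ssl_element "$1" | grep -q 'clientAuthentication="true"'
}

# with_client_auth : read the element on stdin, emit it with clientAuthentication="true"
with_client_auth() {
  el=$(cat)
  case $el in
    *clientAuthentication=*)   # already present: force it to true, do not duplicate it
      printf '%s\n' "$el" | sed 's/clientAuthentication="[^"]*"/clientAuthentication="true"/' ;;
    *)                         # add it right after the enabledCiphers line, as step 2 says
      printf '%s\n' "$el" | awk '
        /enabledCiphers=/ && !seen {
          seen = 1
          if ($0 ~ /\/>/) { sub(/\/>/, " clientAuthentication=\"true\" />") }
          else { print; print "        clientAuthentication=\"true\""; next }
        }
        { print }' ;;
  esac
}

# enable_client_auth SERVER_XML USER_EXIT_XML : perform step 2, idempotently
enable_client_auth() {
  server_xml=$1; user_exit=$2
  if [ -f "$user_exit" ] && client_auth_enabled "$user_exit"; then
    echo "$user_exit already requires client certificates"; return 0
  fi
  el=$(extract_ssl_element "$server_xml" | with_client_auth)
  if [ -z "$el" ]; then
    echo "no <ssl> element with enabledCiphers found in $server_xml" >&2; return 1
  fi
  if [ -f "$user_exit" ] && grep -q '</server>' "$user_exit"; then
    # keep whatever the file already overrides; add the element before the closing tag
    awk -v el="$el" '/<\/server>/ { print el } { print }' "$user_exit" > "$user_exit.tmp"
    mv "$user_exit.tmp" "$user_exit"
  else
    printf '<server>\n%s\n</server>\n' "$el" > "$user_exit"
  fi
  client_auth_enabled "$user_exit"   # verify what was written, not what was intended
}

# Constructed sample server.xml (not a real Cloud APM file): one EC/AES-256 suite,
# in line with the 256-bit elliptic curve ciphers the page describes.
demo=$(mktemp -d)
cat > "$demo/server.xml" <<'EOF'
<server description="constructed sample">
    <featureManager><feature>ssl-1.0</feature></featureManager>
    <keyStore id="defaultKeyStore" location="key.p12" password="sample-only" />
    <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore"
         enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" />
</server>
EOF
enable_client_auth "$demo/server.xml" "$demo/user-exit.xml"
cat "$demo/user-exit.xml"
```

Run it against the real paths (install_dir/wlp/usr/servers/min/server.xml and user-exit.xml) only after the agent packages from step 1 are ready: once the server requires a client certificate, every agent that has not been reconfigured in steps 4 to 6 is rejected at the TLS handshake.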