SSL Configuration Properties

Controller SSL Enabled

If true, specifies that the agent should use SSL (HTTPS) to connect to the Controller. If SSL Enabled is true, set the Controller Port property to the HTTPS port of the Controller. See Controller Port Property.

Element in controller-info.xml: <controller-ssl-enabled>

System Property: -Dappdynamics.controller.ssl.enabled

Environment Variable: APPDYNAMICS_CONTROLLER_SSL_ENABLED

Type: Boolean

Default: False

Required: No

Controller Keystore Password

The plain text value of the Controller certificate password. If Use Encrypted Credentials is true, encrypt the password. See Encrypt Agent Credentials.

Element in controller-info.xml: <controller-keystore-password>

System Property: -Dappdynamics.controller.keystorePassword

Environment Variable: APPDYNAMICS_CONTROLLER_KEYSTORE_PASSWORD

Type: String

Default: None

Required: No

Controller Keystore Filename

By default, the agent looks for a Java truststore file named cacerts.jks in the <agent_home>/<version>/conf directory. Use this property to enable full validation of Controller SSL certificates with a different Java truststore file. See Enable SSL for the Java Agent.

Element in controller-info.xml: <controller-keystore-filename>

System Property: -Dappdynamics.controller.keystoreFileName

Environment Variable: APPDYNAMICS_CONTROLLER_KEYSTORE_FILENAME

Type: String

Default: None

Required: No

Force Default SSL Certificate Validation

Used to override the default behavior for SSL validation. The property can have three states:

  • true: Forces the agent to perform full validation of the certificate sent by the Controller, enabling the agent to enforce the SSL trust chain. Use this setting when a public certificate authority (CA) signs your Controller SSL certificate. See Enable SSL On-Premises with a Trusted CA Signed Certificate.
  • false: Forces the agent to perform minimal validation of the certificate. This setting disables full validation of the Controller's SSL certificate. Use this setting when full validation of a SaaS certificate fails.
  • unspecified: The validation performed by the agent depends on the context:
    • If the agent is connecting to a SaaS controller, full validation is performed.
    • If the agent is connecting to an on-premises Controller and the cacerts.jks file is present, then full validation is performed using the cacerts.jks file.
    • If the agent is connecting to an on-premises Controller and there is no cacerts.jks file, then minimal validation is performed.

System Property: -Dappdynamics.force.default.ssl.certificate.validation

Type: Boolean

Default: None

Required: No

Note: The force default SSL validation property also applies when connecting the Java Agent to the Events Service for Transaction Analytics. See Enable SSL for the Java Agent.

Splunk AppDynamics Agent SSL Protocol

The SSL compatibility table in Agent and Controller Tenant Compatibility lists the default security protocol for the different versions of the Java Agent. If the default security protocol for your version of an agent is incompatible with the Controller or it is incompatible with an intervening proxy, pass the -Dappdynamics.agent.ssl.protocol system property to configure one of these security protocols:

  • SSL
  • TLS
  • TLSv1.2
  • TLSv1.1

System Property: -Dappdynamics.agent.ssl.protocol

Type: String

Default: See Agent and Controller Tenant Compatibility

Required: No

Configure Allowed TLS/SSL Protocols

Agent communication over TLS/SSL causes the agent to initialize the JVM security subsystem, which sets a permitted list of protocols. By default, Splunk AppDynamics excludes the SSLv3 and TLSv1 protocols due to their known vulnerabilities.

Once the JVM initializes, the list of permitted protocols cannot be changed. If you want to prevent the agent from disabling the SSLv3 or TLSv1 protocols, you can configure them to be allowed by naming one (or both, separated by a comma) of the protocols using this property:

System Property: -Dappdynamics.agent.tls.allowedAlgorithms

Type: String

Default: None

Required: No

This example allows TLSv1.2 to be used by the JVM:

-Dappdynamics.agent.tls.allowedAlgorithms=TLSv1.2

Note: This property is applicable from the 4.5.13 version of the Java Agent.

Configure Disabled TLS/SSL Protocols

Agent communication over TLS/SSL causes the agent to initialize the JVM security subsystem, which sets a permitted list of algorithms.

Once the JVM initializes, the list of permitted protocols cannot be changed. If you want to prevent the agent from enabling certain algorithms, you can configure them to be disabled by naming one (or both, separated by a comma) of the algorithms using this property:

System Property: -Dappdynamics.agent.tls.disabledAlgorithms

Type: String

Default: None

Required: No

JVM:
-Dappdynamics.agent.tls.disabledAlgorithms=RSASSA-PSS,RSAPSS
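
An added example (not Splunk AppDynamics code): a Python check that reads an agent's JVM arguments and controller-info.xml and reports settings from this page that weaken the Controller connection, including how the three states of the force-validation property resolve. The finding names, the sample inputs, the precedence of system properties over the XML file, and the protocol values flagged for review are assumptions of this example.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real deployment).
SAMPLE_JVM_ARGS = ("-Dappdynamics.force.default.ssl.certificate.validation=false "
                   "-Dappdynamics.agent.ssl.protocol=TLSv1.1 "
                   "-Dappdynamics.agent.tls.allowedAlgorithms=SSLv3,TLSv1")
SAMPLE_XML = "<controller-info><controller-ssl-enabled>true</controller-ssl-enabled></controller-info>"
REVIEW_PROTOCOLS = {"SSL", "TLSv1.1"}  # policy assumption: values flagged for review


def system_props(jvm_args):
    """Collect -Dname=value system properties from a JVM argument string."""
    pairs = (tok[2:].partition("=") for tok in shlex.split(jvm_args)
             if tok.startswith("-D"))
    return {name: value for name, _, value in pairs}


def validation_mode(force, saas, cacerts_present):
    """Resolve full vs. minimal validation from the three states of the force property."""
    if force is not None:
        return "full" if force.strip().lower() == "true" else "minimal"
    # Unspecified: SaaS, or on-premises with cacerts.jks present, gets full validation.
    return "full" if saas or cacerts_present else "minimal"


def audit(jvm_args, controller_info_xml, saas, cacerts_present):
    """Return finding codes (names are hypothetical) for weak agent TLS settings."""
    props = system_props(jvm_args)
    root = ET.fromstring(controller_info_xml)
    findings = []
    # Assumption: a system property takes precedence over controller-info.xml.
    ssl = props.get("appdynamics.controller.ssl.enabled",
                    root.findtext("controller-ssl-enabled", "false"))
    if ssl.strip().lower() != "true":
        findings.append("ssl-disabled")
    force = props.get("appdynamics.force.default.ssl.certificate.validation")
    if validation_mode(force, saas, cacerts_present) == "minimal":
        findings.append("minimal-cert-validation")
    if props.get("appdynamics.agent.ssl.protocol") in REVIEW_PROTOCOLS:
        findings.append("protocol-needs-review")
    allowed = props.get("appdynamics.agent.tls.allowedAlgorithms", "")
    if {p.strip() for p in allowed.split(",")} & {"SSLv3", "TLSv1"}:
        findings.append("legacy-protocol-reenabled")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_JVM_ARGS, SAMPLE_XML, saas=False, cacerts_present=True))
```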