.NET Agent SSL Support
When the .NET Agent establishes a secure (SSL/TLS) connection to a Controller, it verifies the Controller (server) certificate with the default mechanism built into the .NET framework, which relies on the local Trust Store. As a result, the Controller certificate must chain to an authority that is already trusted on the host, normally one of the publicly trusted authorities.
Therefore, if the Controller uses:
- a self-signed certificate, or
- a certificate signed by a custom authority
then the SSL connection cannot be established until that self-signed certificate, or the custom authority certificate, is manually added to the local Trust Store.
If you do not want to add a certificate to the local Trust Store manually, you can instead configure the .NET Agent with the Controller's custom trusted certificate (the leaf certificate or its issuing authority), so that the agent establishes the secure connection without any change to the Trust Store.
Limitations
Custom trusted certificate validation is supported only on these .NET runtimes:
- .NET Core >= 2.0
- .NET Framework >= 4.7.2
- .NET Standard >= 2.1
If your application runs on an unsupported runtime, you can either:
- Upgrade the .NET runtime to a supported version, or
- Add the Controller custom certificate (or its issuing authority) to the local Trust Store, disable this feature, and continue using the SSL connection to the Controller with the default validation mechanism.
Supported Configurations
You can configure the Controller custom trusted certificates by providing either a:
- Path to one certificate file: the file may contain one or multiple valid certificates, in one of these formats:
  - Base-64 encoded X.509 (.cer)
  - DER encoded binary X.509 (.cer)
  - PKCS #7 (.p7b)
  - PKCS #12 (.pfx)
Or
- Folder containing multiple certificate files: each file may contain one or multiple certificates, and the folder may contain subfolders, which are read as well. There is no constraint on the folder structure or on file names, except that every file in the folder must contain valid certificates; if any one file is not a valid certificate, all of them are ignored.
Select only one of these configurations. If you configure both a certificate file and a certificate folder, a warning is displayed stating that only the certificate file is used.
Standalone Windows Agent Configuration
Configure the config.json file. In JSON strings a backslash must be escaped as \\, and there must be no trailing comma after the last key. Both keys are shown here for reference; set only one of them:
{
  "controller": {
    "certfile": "C:\\certs\\certificate.crt",
    "certdir": "C:\\certs\\"
  }
}
Environment Variables Used for Standalone Windows Agent
Using the command line, set these environment variables to override the corresponding config.json values:
APPDYNAMICS_CONTROLLER_SSL_CERTFILE=C:\certs\certificate.crt
APPDYNAMICS_CONTROLLER_SSL_CERTDIR=C:\certs\
MSI Agent Configuration
Configure the agent's XML configuration file; the environment variable overrides above are not used here:
<appdynamics-agent xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <controller ssl-certificate-file="C:\certs\certificate.crt" ssl-certificate-directory="C:\certs\">
    ...
  </controller>
  ...
</appdynamics-agent>
Parity Differences with Linux .NET Agent <= 20.11.x
These are the parity differences compared with the Linux .NET Agent <= 20.11.x:
- More certificate file formats are supported.
- Files may contain multiple certificates.
- There is no naming constraint on the files.
- There is no constraint on the folder structure.
- The full .NET Framework is supported.
- You are not required to provide the full chain of the Controller certificate. You can configure the .NET Agent to trust the end (leaf) certificate, or just the custom authority certificate, or both, whichever is convenient.
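The following PowerShell script is an added example, not AppDynamics code, that lets an operator check a candidate certfile or certdir before pointing the agent at it. It applies the rules stated under Supported Configurations (several certificates per file; .cer, .p7b and .pfx inputs; every file in the folder tree must be a valid certificate or the whole folder is rejected) and the parity note above (trust anchored on the Controller's leaf certificate or on a custom authority). It does not reproduce the agent's own validation logic; it is an approximation built from standard .NET X.509 classes. Assumed for the demo: .pfx files carry no password, revocation is not checked, and the certificates, names and paths are constructed on the fly in a temporary folder.

```powershell
# Added example (not AppDynamics code): pre-flight check of a certfile / certdir for the .NET Agent.
# Mirrors the documented rules only; the agent's actual validation code is not shown here.
# Assumptions: .pfx files have no password; revocation is not checked; demo data is constructed.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Import-TrustSource {
    # Loads every certificate from one file, or from a folder and all its subfolders.
    # Returns $null when any file fails to parse, mirroring the "all of them are ignored" rule.
    param([Parameter(Mandatory)][string]$Path)
    $files = if (Test-Path -LiteralPath $Path -PathType Container) {
        Get-ChildItem -LiteralPath $Path -File -Recurse
    } else {
        Get-Item -LiteralPath $Path
    }
    $store = [X509Certificate2Collection]::new()
    $bad = @()
    foreach ($f in $files) {
        try {
            $part = [X509Certificate2Collection]::new()
            $part.Import($f.FullName)   # understands Base-64 / DER X.509, PKCS #7 and PKCS #12
            if ($part.Count -eq 0) { throw 'file contains no certificate' }
            $store.AddRange($part)
        } catch {
            $bad += "$($f.FullName): $($_.Exception.Message)"
        }
    }
    if ($bad.Count -gt 0) {
        Write-Warning ("Source rejected because of invalid files:`n  " + ($bad -join "`n  "))
        return $null
    }
    return ,$store   # leading comma keeps PowerShell from unrolling the collection
}

function Test-ControllerTrust {
    # $true when the Controller certificate is itself in the trusted set (pinned leaf), or when it
    # chains, with no error other than the root being unknown to the host, to a root in that set.
    param(
        [Parameter(Mandatory)][X509Certificate2]$ControllerCert,
        [Parameter(Mandatory)][X509Certificate2Collection]$Trusted
    )
    $thumbs = @($Trusted | ForEach-Object { $_.Thumbprint })
    if ($thumbs -contains $ControllerCert.Thumbprint) { return $true }

    $chain = [X509Chain]::new()
    $chain.ChainPolicy.ExtraStore.AddRange($Trusted)
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
    $null = $chain.Build($ControllerCert)
    foreach ($element in $chain.ChainElements) {
        foreach ($status in $element.ChainElementStatus) {
            if ($status.Status -notin [X509ChainStatusFlags]::NoError, [X509ChainStatusFlags]::UntrustedRoot) {
                return $false   # expired, bad signature, partial chain, ...
            }
        }
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return ($thumbs -contains $root.Thumbprint)   # the unknown root must be one we configured
}

# --- Demo with constructed certificates; no Controller and no network needed ---
$now = [DateTimeOffset]::UtcNow
$caKey = [RSA]::Create(2048)
$caReq = [CertificateRequest]::new('CN=Demo Custom CA', $caKey, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$caReq.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($true, $false, 0, $true))
$caCert = $caReq.CreateSelfSigned($now.AddDays(-1), $now.AddYears(5))

$leafReq = [CertificateRequest]::new('CN=controller.example.internal', [RSA]::Create(2048), [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$signer = [X509SignatureGenerator]::CreateForRSA($caKey, [RSASignaturePadding]::Pkcs1)
$controller = $leafReq.Create($caCert.SubjectName, $signer, $now.AddDays(-1), $now.AddYears(1), [byte[]](1, 2, 3, 4, 5, 6, 7, 8))

$strangerReq = [CertificateRequest]::new('CN=unrelated', [RSA]::Create(2048), [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$stranger = $strangerReq.CreateSelfSigned($now.AddDays(-1), $now.AddYears(1))

$tmp = Join-Path ([IO.Path]::GetTempPath()) ('agent-certs-' + [Guid]::NewGuid())
$authRoot = Join-Path $tmp 'authorities'
$authDir = (New-Item -ItemType Directory -Path (Join-Path $authRoot 'internal')).FullName   # nested folder on purpose
[IO.File]::WriteAllBytes((Join-Path $authDir 'custom-ca.cer'), $caCert.Export([X509ContentType]::Cert))
$leafFile = Join-Path $tmp 'controller-leaf.cer'
[IO.File]::WriteAllBytes($leafFile, $controller.Export([X509ContentType]::Cert))

'Trusted via custom authority folder (certdir): ' + (Test-ControllerTrust -ControllerCert $controller -Trusted (Import-TrustSource $authRoot))
'Trusted via pinned leaf file (certfile):        ' + (Test-ControllerTrust -ControllerCert $controller -Trusted (Import-TrustSource $leafFile))
'Unrelated self-signed certificate accepted:     ' + (Test-ControllerTrust -ControllerCert $stranger -Trusted (Import-TrustSource $leafFile))
Set-Content -LiteralPath (Join-Path $authDir 'README.txt') -Value 'not a certificate'
'Folder with one bad file yields no trust set:   ' + ($null -eq (Import-TrustSource $authRoot))
Remove-Item -LiteralPath $tmp -Recurse -Force
```

Run it in Windows PowerShell 5.1 on .NET Framework 4.7.2 or later, or in PowerShell 7; the CertificateRequest class used to build the demo certificates appeared in .NET Framework 4.7.2 and .NET Core 2.0, the same baseline this feature requires. To check a real deployment, drop the demo block, export the Controller's certificate to a .cer file, and call Test-ControllerTrust with that certificate and the result of Import-TrustSource on the path you intend to put in certfile or certdir; a $null from Import-TrustSource means the folder holds a file the agent would not accept, and the warning names it.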