マシンエージェントの SSL の有効化

Related pages:

このページでは、SSL を使用してコントローラに接続するようにマシンエージェントを設定する方法について説明します。SaaS コントローラを使用しているか、SSL を使用するようにオンプレミスコントローラを設定していることを前提としています。

マシンエージェントは、SSL モード時の SSL 信頼チェーンの拡張および強制実行をサポートしています。

Plan SSL Configuration

Gather this information:

  • The Controller SSL port:
    • For SaaS Controllers: SSL port is 443
    • For on-premises Controllers: Default SSL port is 8181, but you may configure the Controller to listen for SSL on another port
  • The signature method for the Controller's SSL certificate:
    • A publicly known certificate authority (CA) signed the certificate. This applies for DigiCert, Verisign, Thawte, and other commercial CAs.
    • A CA internal to your organization signed the certificate. Some companies maintain internal certificate authorities to manage trust and encryption within their domain.
    • The Controller uses a self-signed certificate.

Establish Trust for the Controller's SSL Certificate

To establish trust between the Machine Agent and the Splunk AppDynamics Controller, you must create an agent truststore that contains the root certificate for the authority that signed the Controller's certificate.

  1. Obtain the root certificate for the authority that signed the certificate for the Controller.
    1. For SaaS Controller deployments only: You can download the DigiCert root certificates from https://www.digicert.com/digicert-root-certificates.htm and the IdenTrust root certificate from https://www.identrust.com/identrust-commercial-root-ca-1. Ensure to include at least the following certificates:
      • DigiCert Global Root CA
      • DigiCert Global Root G2
      • DigiCert Global Root G3
      • IdenTrust Commercial Root CA 1
    2. For on-premises Controller deployments: Obtain one of the following root certificates:
      • The root certificate for the publicly known certificate authority (CA) that signed the certificate for your on-premises Controller.
      • The root certificate for the internal CA that signed the Controller certificate for your on-premises Controller.
  2. Run the Java keytool command to create the Agent truststore: 
    keytool -import -alias rootCA -file <root_certificate_file_name> -keystore cacerts.jks -storepass <truststore_password>
    For example: 
    keytool -import -alias rootCA -file /usr/home/appdynamics/DigicertGlobalRootCA.pem -keystore cacerts.jks -storepass MySecurePassnword
    注: Note the truststore password; you will need this later to configure the Machine Agent.
  3. Install the Agent truststore to the Agent configuration directory: 
    <machine_agent_home>/conf/

Secure the Machine Agent Truststore

We recommend you take the following security measures to prevent tampering with the Machine Agent truststore:

  • Secure the truststore file through filesystem permissions:

    • Make the Agent truststore readable by any user

    • Make the truststore owned by a privileged user

    • Make the truststore writable only by the specified privileged user

  • Secure the controller-info configuration file so that it is only readable by the Agent runtime user and only writable by a privileged user:

    <machine_agent_home>/conf/controller-info.xml

Enable SSL for the Machine Agent

  1. Configure the following system properties in the controller-info.xml: <machine_agent_home>/conf/controller-info.xml. See Machine Agent Configuration Properties for full details on each property.

    • Controller Host: Should be the same as either the Common Name or the Subject Alternative Name (SAN) in the certificate configured for the Controller.

      <controller-host>common_name_in_certificate.com</controller-host>

    • Controller Port: The SSL port for the Controller. It is 443 for Splunk AppDynamics SaaS .

      <controller-port>443</controller-port>

    • Controller SSL Enabled: true

      <controller-ssl-enabled>true</controller-ssl-enabled>

    • Controller SSL Password: The plain text password for the Agent truststore.

      <controller-keystore-password>MySecurePassword</controller-keystore-password>

      If you have enabled the Secure Credential Store, encrypt the password you enter here. See Encrypt Agent Credentials.

    • Controller Keystore Filename: The path of the Agent truststore relative to <machine_agent home>/conf. This is required if you use a truststore other than the default <machine_agent_home>/conf/cacerts.jks.

      <controller-keystore-filename>../conf/cacerts.jks</controller-keystore-filename>

      注: You can specify the Controller port and enable SSL for the Controller in the Machine Agent startup script, but you must specify the truststore password and filename in the controller-info.xml file.
      警告:

      In JDK >= 9 (either JRE bundled with Machine Agent or a standalone JDK/JRE), the default keystore type in the java.security file has been changed from JKS to PKCS12.

      If a JKS truststore is used and the <controller-keystore-password> is not provided, the agent will use the JKS truststore. If a PKCS12 truststore is used and the <controller-keystore-password> is not provided, the agent will not use the PKCS12 truststore.

      If you are using a PKCS12 truststore, we recommend that that you provide the <controller-keystore-password>. If you still want to work with a JKS-based truststore, you can convert a PKCS12 truststore to JKS format.

  2. Restart the Machine Agent.
Sample controller-info.xml with SSL and Secure Credential Store Encryption Enabled 
<?xml version="1.0" encoding="UTF-8"?>
<controller-info>
<controller-host>mycompany.saas.appdynamics.com</controller-host>
<controller-port>443</controller-port>
<controller-ssl-enabled>true</controller-ssl-enabled>
<!-- Encrypted Controller keystore / agent trust store password -->
<controller-keystore-password>Tw49bd0hdCMBoQ5pfMMuYA/cA5B4pouVPkv48ovRm6c=</controller-keystore-password>
<controller-keystore-filename>../../conf/cacerts.jks</controller-keystore-filename>
...
<!-- Secure Credential Store configuration -->
<!-- Enable the Secure Credential Store -->
<use-encrypted-credentials>true</use-encrypted-credentials>
<!-- Path to they secure credential keystore -->
<credential-store-filename>/opt/appdynamics/secretKeyStore</credential-store-filename>
<!-- Obfuscated secure credential keystore password -->
<credential-store-password>n/8GvAZsKk4gM3Z6g+XQ1w==</credential-store-password>
</controller-info>

Keystore証明書抽出ユーティリティ

キーストア証明書抽出ユーティリティは、コントローラの Java キーストアから証明書をエクスポートして、エージェントトラストストアに書き込みます。コントローラのエージェント ディストリビューションでこのユーティリティを実行できます。

<controller_home>/appserver/glassfish/domains/domain1/appagent
  1. kr.jar を実行し、次のパラメータを含めます。

    • コントローラのKeystoreへの完全なパス

      <controller_home>/appserver/glassfish/domains/domain1/config/keystore.jks
    • トラストストア出力ファイル名。デフォルトでは、マシンエージェントは cacerts.jks を検索します。

    • コントローラの証明書のパスワード(デフォルトで「changeit」)。パスワードを含めない場合、エクストラクタはパスワード "changeit" を出力されたトラストストアに適用します。

      java -jar kr.jar <controller_home>/appserver/glassfish/domains/domain1/config/keystore.jks cacerts.jks <controller_certificate_password>
  2. エージェントのトラストストアをエージェント構成ディレクトリにインストールします。 
    <machine_agent_home>/conf/