Configuring a default certificate
If you use the HTTPS protocol to communicate between the Cloud APM server and the agents, the Cloud APM server accepts connections from resources that authenticate themselves with a valid certificate. You can configure HTTPS communication based on the default certificates that are generated during the installation of the Cloud APM server.
The default certificates expire 10 years after the Cloud APM server is installed. Record that date and plan to replace the certificates before it is reached, because agents that present an expired certificate can no longer authenticate to the server.
Before you begin
During Cloud APM server installation, a local root certificate authority (CA) and agent and server certificates that are signed by that local root CA are always generated, unless the /opt/ibm/ccm/keyfiles directory already exists when installation starts.
- The local root certificate authority (CA) is established and two keystores are generated: one keystore contains the key that the server uses, and the other contains the keys that the agents use.
- The certificates in the keystores are signed by the local root CA. The signed public-key certificates are then exchanged between the keystores: the signed server certificate is added to the agent keystore, and the signed agent certificate is added to the server keystore.
- The local root CA certificate is added to both keystores so that the agent and the server can each validate the other's certificate.
- The HTTPS protocol uses 256-bit Elliptic Curve cipher suites and conforms to the Suite B (FIPS) standard.
- Ensure that the firewalls or network filtering devices between the Cloud APM server and the monitoring agents allow communication on port 443, the HTTPS port.
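The keystore layout and certificate lifetime described above, as an added example that is not part of this page or of the Cloud APM product's own tooling: a POSIX shell script that rebuilds the same trust relationships with OpenSSL (a local root CA, server and agent certificates signed by it, each side holding the peer certificate plus the root CA) and then runs the checks an operator should make before relying on default certificates: that each certificate chains to the local root CA and a certificate from outside it does not, how long each certificate remains valid, and that the keys are 256-bit elliptic curve. The file names, the $WORK scratch directory and the PEM format are assumptions for the example; the product's real keystore files under /opt/ibm/ccm/keyfiles are not described on this page.

```shell
#!/bin/sh
# Added example, not IBM's tooling. It rebuilds the trust layout described on the
# page (local root CA; server and agent certificates signed by it; each side's
# trust store holding the peer certificate plus the root CA) with OpenSSL, then
# runs the checks an operator should make before relying on default certificates.
# Assumptions: openssl is on PATH; all files live in a scratch directory $WORK
# (hypothetical PEM files, not the product's real keystore names or format).
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_DAYS=3650   # the page says the default certificates expire after 10 years

# Generate the local root CA and the role certificates with 256-bit EC (P-256) keys.
build_local_pki() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -days "$CA_DAYS" \
    -subj "/CN=Local Root CA" -out "$WORK/ca.crt" 2>/dev/null
  for role in server agent; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$role.key" 2>/dev/null
    openssl req -new -key "$WORK/$role.key" -subj "/CN=$role" \
      -out "$WORK/$role.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$role.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days "$CA_DAYS" -out "$WORK/$role.crt" 2>/dev/null
  done
  # The exchange of public certificates: each trust store gets the peer cert plus the root CA.
  cat "$WORK/server.crt" "$WORK/ca.crt" > "$WORK/agent_trust.pem"
  cat "$WORK/agent.crt"  "$WORK/ca.crt" > "$WORK/server_trust.pem"
  # A self-signed certificate from outside the local CA, to show that it is rejected.
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/rogue.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/rogue.key" -days 30 -subj "/CN=rogue" \
    -out "$WORK/rogue.crt" 2>/dev/null
}

# Exit 0 if certificate $1 chains to a root in trust store $2, non-zero otherwise.
verify_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Exit 0 if certificate $1 is still valid $2 days from now (-checkend takes seconds).
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Exit 0 if certificate $1 carries a 256-bit EC public key, as the page requires.
key_is_ec256() {
  openssl x509 -in "$1" -noout -text | grep -q 'Public-Key: (256 bit)'
}

# Human-readable report of the checks; mirrors what each side would decide at the TLS handshake.
report() {
  for cert in server agent rogue; do
    if verify_chain "$WORK/$cert.crt" "$WORK/ca.crt"; then
      echo "$cert.crt: signed by the local root CA"
    else
      echo "$cert.crt: NOT trusted by the local root CA"
    fi
  done
  # Each side validates the peer against its own trust store (peer cert + root CA).
  verify_chain "$WORK/server.crt" "$WORK/agent_trust.pem" && echo "agent trusts server.crt"
  verify_chain "$WORK/agent.crt" "$WORK/server_trust.pem" && echo "server trusts agent.crt"
  for side in server agent; do
    if valid_for_days "$WORK/$side.crt" 90; then
      echo "$side.crt: valid for at least 90 more days"
    else
      echo "$side.crt: expires within 90 days, plan a renewal"
    fi
    key_is_ec256 "$WORK/$side.crt" && echo "$side.crt: 256-bit EC key"
  done
}

if command -v openssl >/dev/null 2>&1; then
  build_local_pki
  report
else
  echo "openssl not found; nothing to check" >&2
fi
```

Run it as-is to see the report. To check a real deployment, point verify_chain and valid_for_days at certificates exported from the product keystores, and treat a failed valid_for_days at your renewal lead time as the signal to regenerate the default certificates well before the 10-year expiry rather than after agents stop connecting.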
About this task
- If you configured the agents during the server installation and set APM_SECURE_COMMUNICATION=y, which turns on HTTPS communication, you do not have to complete any additional steps now to use the HTTPS communication protocol.
- If you did not configure the agents for HTTPS communication when you installed the Cloud APM server, you must reconfigure the agent images to create new configuration packages that use the HTTPS communication protocol. Then use the updated configuration packages to reconfigure the existing agents and to install new agents.
To enable communication between the server and agents by using the default certificates that were generated during the Cloud APM server installation, complete the following steps: