This topic describes how to configure the AppDynamics Analytics Agent to connect to your app server agents using SSL. 

  1. Run the keytool command to create a new key pair for the Analytics Agent in the keystore. Refer to the Oracle documentation for more details on using keytool. The following command creates a keystore if it doesn't exist and generates the public/private key pair:

    keytool -genkeypair -alias analytics-agent -keystore aa-keystore.jks -validity 1825

    Follow the on-screen instructions to configure the certificate. This generates a self-signed certificate in the keystore. The next step generates a signing request for the certificate. Note the following:

    1. For the first and last name, enter the domain name where the Analytics Agent is running.
      The domain name used in the property must match the Common Name (CN) of the certificate used by the Analytics Agent. For example, if the URL was https://localhost:9090/v2/sinks/bt then the CN of the certificate should be localhost. If the names don't match then the client marks the certificate as invalid and the HTTPS connection is not established”.
    2. Enter a secure password for the key.
      This command creates a key pair with a validity of 1825 days (5 years). Replace 1825 with the validity period appropriate for your environment.
  2. Generate a certificate signing request for the certificate you created as follows:

    keytool -certreq -alias analytics-agent -keystore aa-keystore.jks -file AppDynamics.csr
  3. Submit the certificate signing request file generated by the command (AppDynamics.csr in the example command) to your Certificate Authority (CA) of choice.

  4. When it's ready, the CA returns the signed certificate and any root and intermediary certificates required for the trust chain. The response from the CA should include any special instructions for importing the certificate if needed. If the CA supplies the certificate in text format, copy and paste the text into a text file.
  5. Import the signed certificate:

    keytool -import -trustcacerts -alias analytics-agent -file mycert.cer -keystore aa-keystore.jks

    This command assumes the certificate is located in a file named mycert.cer.

  6. If you see the error "Failed to establish chain from reply", install the issuing CA's root and any intermediate certificates into the keystore. The root CA chain establishes the validity of the CA signature on your certificate. Although most common root CA chains are included in the bundled JVM's trust store, you may need to import additional root certificates, such as certificates belonging to a private CA. To do so:

    keytool -import -alias [Any_alias] -file <path_to_root_or_intermediate_cert> -keystore <controller_home>/appserver/glassfish/domains/domain1/config/aa-keystore.jks
  7. When done importing the certificate chain, try importing the signed certificate again.

  8. Update the following properties in the file:
    1. ad.dw.https.enabled=true to enable the HTTPS connector on the Analytics Agent. The HTTPS connection is exposed on the port defined by the ad.dw.http.port property.
    2. ad.dw.https.keyStorePath= absolute path to the Java keystore that contains the Analytics Agent public and private key.
    3. ad.dw.https.keyStorePassword= Java keystore password.
    4. ad.dw.https.trustStorePath=absolute path to the truststore that establishes the chain of trust for the Analytics Agent public key certificate.
    5. ad.dw.https.trustStorePassword=the truststore password.
    6. ad.dw.https.certAlias= alias of the public key certificate stored in the Java Key Store.
  9. Start the Analytics Agent. 
    The HTTPS connection should now be exposed.
  10. Confirm that the app server agent is configured to trust the Analytics Agent certificate. See the section "Enable SSL between the Java Agent and the Analytics Agent" in the Enable SSL for the Java Agent topic.