Mutual TLS is a mutual authentication method that encrypts the traffic between the client and the server by authenticating each other using their public-private key pair. 

In AppDynamics Controller, you can enable Mutual TLS to authenticate the Controller with third-party applications such as Slack, PagerDuty, and ServiceNow. This mutual authentication verifies that the alerts (HTTP request actions) sent to the third-party applications are from AppDynamics and not from a malicious entity.

Configuring mutual TLS authentication involves the following steps:

  1. Generate a Certificate Signing Request (CSR) for your TLS certificate
  2. Get the CSR signed from a Certificate Authority and upload the signed TLS certificate
  3. Enable mutual TLS authentication in HTTP request actions

By default, the Mutual TLS Configuration feature is only available in the AppDynamics Controller Tenant UI with the Account Owner role. You can also create a custom role and enable this feature. For more information about the roles, see Manage Custom Roles.

Generate a Certificate Signing Request

To configure mutual TLS authentication, you need to first generate a certificate signing request (CSR) to get your TLS certificate:

  1. In the AppDynamics Controller Tenant UI, click Alert & Respond > Mutual TLS Configuration.
  2. Click + New Certificate Signing Request (CSR).
  3. Enter the following details:
    1. Organization (Optional). The legal name of your organization.
    2. Department (Optional). The name of your department handling the certificate.
    3. Country. Select the country where your organization is located. By default, the country selected is the United States. Note that this field is mandatory and can’t be left blank.
    4. State (Optional). The name of the state where your organization is located.
    5. City (Optional). The name of the city where your organization is located.
  4. Click Generate CSR
  5. Click Download CSR to download the .csr file. Note that you can also copy the content and save as a .csr file.

When you generate a CSR, AppDynamics creates a public- private key pair. The public key is available with the CSR and the private key resides with AppDynamics in a secure key store.

Sign the CSR and Upload the Signed TLS Certificate

After downloading the CSR file, you must get it signed from a certificate authority (CA) of your choice. Click Upload New Client Certificate to upload the signed TLS certificate on your AppDynamics Controller. You can either directly upload the signed TLS certificate (.pem file) or copy and upload the Base64 encoded text from the TLS certificate.

Notes: 

Before uploading a new TLS certificate, ensure the following points are met:

  • The certificate must be either in the .pem or .crt format.
  • The certificate encoding scheme must be Base64.
  • The certificate must have a valid expiry date.
  • The certificate must be a client certificate.
  • The certificate must match with the corresponding CSR.

View the TLS Certificate

Click Alert & Respond > Mutual TLS Configuration to view the uploaded TLS certificate. You can also click Download Certificate to download the .pem file.

If you have generated a CSR that is not yet used, you can view and download the unused CSR.

Enable Mutual TLS in HTTP Request Actions

After uploading the TLS certificate, you can enable the mutual TLS authentication for HTTP request actions. AppDynamics fetches the TLS certificate and attaches it with the HTTP request actions (alerts). On third-party endpoints that are configured to receive alerts from AppDynamics, the certificate helps to verify that the alerts are from AppDynamics.

To enable the mutual TLS authentication:

  1. Click Alert & Respond > HTTP Request Templates.
  2. Do one of the following:

  3. In the Authentication section, select the Also Turn on Mutual TLS option.

    This option is enabled only if you have uploaded a TLS certificate.

  4. Click Save.