This page provides an overview of securing agent credentials in AppDynamics.

AppDynamics agents store several types of credential information on disk, including:

  • Controller account access key
  • Controller keystore/agent truststore password
  • Proxy server password

Secure Credential Store

You can use the Secure Credential Store to encrypt credentials in the agent configuration for environments where security policies require secure credentials on disk.

The Secure Credential Store consists of two components:

  • scs-tool.jar: A utility to create the secure credential store, encrypt credentials, and obfuscate the credential store password.
  • Secure credential keystore: A keystore for the secret encryption key.

The Secure Credential Store encrypts plain text using the strongest encryption available according to the system's encryption jurisdiction policy.

For the .NET Agent, see Encrypt Credentials in .NET Agent Configuration.

After you set up the Credential Keystore, you must specify the following settings.

For the Analytics Agent:

  • ad.secure.credential.store.filename
  • ad.secure.credential.store.password

See Analytics Agent Rules.

For the Java, Machine, and Database Agents:

  • <controller-ssl-enabled>
  • <controller-keystore-filename>
  • <controller-keystore-password>

See Java Agent Configuration Properties, Machine Agent Properties, and Database Agent Properties.

Initialize the Secure Credential Store 

Before you can encrypt or obfuscate passwords, you must run the Secure Credential Store utility to create the keystore for your secret encryption key. The agent distribution includes the Secure Credential Store utility in the following locations:

  • Java Agent: <javaagent_home>/verX.X.X.X/utils/scs/scs-tool.jar
  • Machine Agent: <machine_agent_home>/lib/secure-credential-store-tool-1.3.0.0.jar
  • Database Agent: <database_agent_home>/lib/scs-tool.jar
  • Analytics Agent: <analytics_agent_home>/bin/tool/scs-tool.jar

Run the Secure Credential Store utility generate_ks command with the following parameters:

  • filename: Absolute path where the utility will create the secure credential keystore. Use this path for <credential-store-filename> in agent configuration.
  • storepass: The secure credential keystore password. Use the obfuscated version of this password as the value for <credential-store-password> in agent configuration.

For example:

/<full path to application JRE>/bin/java -jar ./scs-tool.jar generate_ks -filename '/opt/appdynamics/secretKeyStore' -storepass 'MyCredentialStorePassword'

The Secure Credential Store utility confirms it created and initialized the keystore:

Successfully created and initialized new KeyStore file: /opt/appdynamics/secretKeyStore
Verification - New KeyStore file: /opt/appdynamics/secretKeyStore is properly initialized.


Encrypt Passwords

To encrypt passwords using the secure credential store utility, run the encrypt command with the following parameters:

  • filename: Absolute path to the secure credential keystore file.
  • storepass: Password for the secure credential keystore. You can use either a plain-text password or a password that has been obfuscated as described in the following section. 
  • plaintext: Any plain text to encrypt. For instance, account access key or password.

The following example passes a plain-text password as the storepass argument for the secure credential keystore:

/<full path to application JRE>/bin/java -jar ./scs-tool.jar encrypt -filename '/opt/appdynamics/secretKeyStore' -storepass 'MyCredentialStorePassword' -plaintext 'MyAccessKeyOrPassword'

The same example uses an obfuscated password:

/<full path to application JRE>/bin/java -jar ./scs-tool.jar encrypt -filename '/opt/appdynamics/secretKeyStore' -storepass 's_gsnwR6+LDch8JBf1RamiBoWfMvjjipkrtJMZXAYEkw8=' -plaintext 'MyAccessKeyOrPassword'

The Secure Credential Store utility writes out an encrypted password for use in agent configuration files:

r9iDWPzHRCNDM1B6KTag4A/cA5B4pouVPkv48ovRm6c=

Obfuscate the Secure Credential Store Password

In order to access the secret key in the secure credential keystore, the agent needs the obfuscated credential store password.

Run the secure credential store utility obfuscate command with the following parameter:

  • plaintext: The plain text secure credential keystore password.

For example:

/<full path to application JRE>/bin/java -jar /opt/appdynamics/scs-tool.jar obfuscate -plaintext 'MyCredentialStorePassword'

The Secure Credential Store utility writes out an obfuscated password for use as the <credential-store-password> value in the agent configuration.

For example:

s_gsnwR6+LDch8JBf1RamiBoWfMvjjipkrtJMZXAYEkw8=

Encrypt a Plain Text Property

After you obfuscate the Secure Credential Store password, you can encrypt plain text properties.

The following example demonstrates how to encrypt properties in the Analytics Agent:

$ /<full path to application JRE>/bin/java -jar scs-tool.jar encrypt -filename /opt/appdynamics/secretKeyStore -storepass 'Welcome' -plaintext 'MyAccountAccessKey'

The command outputs an encrypted credential:

-001-24-pFoSE/xdPcinkBj9iiKvpQ==Rznx8Kt3sPZHQnKfYyubVuhorrBEbYFtDTPm8c/1kFO+Z2eR2WEHtBRg4vy1GyvJ

Sample Agent Configuration

The following example demonstrates the agent configuration properties for the Secure Credential Store. For more information, see the agent-specific configuration property documentation.

Java Agent Configuration

<?xml version="1.0" encoding="UTF-8"?>
<controller-info>
	...
    <!-- Encrypted account access key -->
    <account-access-key>r9iDWPzHRCNDM1B6KTag4A/cA5B4pouVPkv48ovRm6c=</account-access-key>
 
    <!-- Encrypted Controller keystore / agent trust store password -->
    <controller-keystore-password>Tw49bd0hdCMBoQ5pfMMuYA/cA5B4pouVPkv48ovRm6c=</controller-keystore-password>
 
    <!-- Enable the Secure Credential Store -->
    <use-encrypted-credentials>true</use-encrypted-credentials>
    
    <!-- Path to the secure credential keystore -->
    <credential-store-filename>/opt/appdynamics/secretKeyStore</credential-store-filename>
 
    <!-- Obfuscated secure credential keystore password -->
    <credential-store-password>n/8GvAZsKk4gM3Z6g+XQ1w==</credential-store-password>
	...
</controller-info>
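The following check is an added example, not part of the AppDynamics tooling: it audits a controller-info.xml like the sample above for a consistent Secure Credential Store setup and for a keystore file that is accessible beyond its owner. The function name, the finding messages, and the owner-only permission policy are assumptions of this example.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Elements that hold encrypted values in the sample controller-info.xml.
SECRET_ELEMENTS = ("account-access-key", "controller-keystore-password")

# Constructed sample: a credential is set but the store is never enabled.
SAMPLE_DISABLED = """<controller-info>
  <account-access-key>PLACEHOLDER-VALUE</account-access-key>
  <credential-store-filename>/opt/appdynamics/secretKeyStore</credential-store-filename>
</controller-info>"""

def audit_controller_info(xml_text, stat_fn=os.stat):
    """Return a list of findings for one controller-info.xml document."""
    root = ET.fromstring(xml_text)

    def text(tag):
        return (root.findtext(tag) or "").strip()

    findings = []
    if text("use-encrypted-credentials").lower() != "true":
        used = [t for t in SECRET_ELEMENTS if text(t)]
        if used:
            findings.append("use-encrypted-credentials is not true but these are set: "
                            + ", ".join(used))
        return findings
    if not text("credential-store-password"):
        findings.append("credential-store-password is missing")
    store = text("credential-store-filename")
    if not os.path.isabs(store):
        findings.append("credential-store-filename is not an absolute path")
        return findings
    try:
        mode = stat_fn(store).st_mode
    except OSError:
        findings.append("keystore not found: " + store)
        return findings
    # The store password in the config is only obfuscated, so the keystore
    # file itself should be accessible to the agent's user alone.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("keystore mode %o allows group/other access: %s"
                        % (stat.S_IMODE(mode), store))
    return findings

if __name__ == "__main__":
    for finding in audit_controller_info(SAMPLE_DISABLED):
        print(finding)
```
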

Analytics Agent Configuration

ad.secure.credential.store.filename=/opt/appdynamics/secretKeyStore
ad.secure.credential.store.password=s_gsnwR6+LDch8JBf1RamiBoWfMvjjipkrtJMZXAYEkw8=

Encrypt Data on the Analytics Agent

You can supply any encrypted value to the Analytics Agent in the form secure://<your-encrypted-credentials>, either in the Analytics Agent properties file or in System Properties.

The following example demonstrates how to encrypt http.event.accessKey in the Analytics Agent properties file. 

http.event.accessKey=secure://-001-24-Dr9FQGC179o4vPnuljnx8A==ZGVw/P4OONvpUidIhJ2u78FpRVVW8fbgr8J1HBHXwnE=
ad.secure.credential.store.filename=/opt/appdynamics/secretKeyStore
ad.secure.credential.store.password=s_gsnwR6+LDch8JBf1RamiBoWfMvjjipkrtJMZXAYEkw8=
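As an added example (not AppDynamics code), the following check reads an Analytics Agent properties file and reports secret-looking properties that are not stored as secure:// values, as well as secure:// values used without the two credential store settings. The name heuristic, the function names, and the property example.proxy.password in the constructed sample are hypothetical.

```python
import re

STORE_FILE = "ad.secure.credential.store.filename"
STORE_PASS = "ad.secure.credential.store.password"
# Property names treated as secrets: a naming heuristic assumed for this example.
SENSITIVE = re.compile(r"accesskey|password|secret", re.IGNORECASE)

# Constructed sample: one encrypted value, one plain-text secret, no store settings.
SAMPLE = """\
# constructed Analytics Agent properties
http.event.accessKey=secure://PLACEHOLDER-ENCRYPTED-VALUE==
example.proxy.password=PlainTextExample
"""

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        # Split on the first '=' only: encrypted values contain '=' padding.
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_analytics_properties(text):
    """Return findings for plain-text secrets and incomplete store settings."""
    props = parse_properties(text)
    findings, uses_secure = [], False
    for key, value in props.items():
        if key in (STORE_FILE, STORE_PASS):
            continue  # the store password is obfuscated, not a secure:// value
        if value.startswith("secure://"):
            uses_secure = True
            if value == "secure://":
                findings.append(f"{key}: secure:// prefix with no value")
        elif value and SENSITIVE.search(key):
            findings.append(f"{key}: secret-looking property is not secure://")
    if uses_secure:
        for needed in (STORE_FILE, STORE_PASS):
            if not props.get(needed):
                findings.append(f"{needed} is required when secure:// values are used")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_analytics_properties(SAMPLE)))
```
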