Secure the EUM Server
If you use HTTPS connections in a production (split host) EUM Server installation, use a custom RSA security certificate for the EUM server. This page describes how to create an RSA security certificate, change the password for the credential keystore, and how to obfuscate a password for the security certificate keystore.
Set Up a Custom Keystore for Production
In demo mode, the EUM Server uses a default self-signed certificate named ssugg.keystore. This certificate is intended for demonstration and light testing only. Do not use self-signed certificates for production systems, since they are less secure than Certificate Authority (CA) signed certificates. EUM requires that certificates use RSA as the key algorithm, whether they are self-signed or CA-signed.
For Mobile Real User Monitoring, if you use the default or another self-signed certificate on your EUM Server for testing, you may receive the following error: "The certificate for this server is invalid". Ensure that your self-signed certificate is trusted by the simulator or device you use for testing. In real-world scenarios, a CA signed certificate should be used since a self-signed certificate needs to be explicitly trusted by every device that reports to your EUM processor.
To secure the EUM server with a custom certificate and keystore, generate a new JKS keystore and configure the EUM Server to use it.
The following instructions describe how to create a JKS keystore for the EUM Server with a new key-pair or an existing key-pair. Alternatively, you can also configure the EUM server to use an existing JKS keystore.
The instructions demonstrate the steps with the Linux command line, but the commands are similar to the commands used for Windows. Make sure to adjust the paths for your operating system.
Overview of the Steps
The procedure is made up of three parts:
- Create a new certificate and keystore (1a) or import an existing certificate into a keystore (1b).
- Configure the EUM Server to use the keystore.
- Restart and test the new keystore.
Step 1a: Create a New Certificate and Keystore
1. At a command prompt, navigate to the eum-processor directory:
       cd <appdynamics_home>/EUM/eum-processor
2. Create a new keystore with a new unique key pair that uses RSA encryption:
       ../jre/bin/keytool -genkey -keyalg RSA -validity <validity_in_days> -alias 'eum-processor' -keystore bin/mycustom.keystore
   This creates a new public-private key pair with an alias of 'eum-processor'. You can use any value you like for the alias. The "first and last name" that keytool prompts for becomes the common name (CN) of the certificate. Use the name of the server.
3. Configure the keystore.
4. Specify a password for the keystore. You need to configure this password in the EUM configuration file later.
5. Generate a certificate signing request (CSR):
       ../jre/bin/keytool -certreq -keystore bin/mycustom.keystore -file /tmp/eum.csr -alias 'eum-processor'
   This generates a certificate signing request based on the contents of the alias, 'eum-processor' in the example. Send the output file (/tmp/eum.csr in the example) to a Certificate Authority for signing. After you receive the signed certificate, proceed as follows.
6. Install the certificate of the Certificate Authority that signed the .csr file:
       ../jre/bin/keytool -import -trustcacerts -alias myorg-rootca -keystore bin/mycustom.keystore -file /path/to/CA-cert.txt
   This command imports your CA's root certificate into the keystore and stores it under an alias called myorg-rootca.
7. Install the signed server certificate:
       ../jre/bin/keytool -import -keystore bin/mycustom.keystore -file /path/to/signed-cert.txt -alias 'eum-processor'
   This command imports your signed certificate over the top of the self-signed certificate in the existing alias, 'eum-processor' in the example.
8. Import the root certificate from step 6 into the Controller truststore:
       keytool -import -trustcacerts -alias <alias_name> -file mycert.cer -keystore <complete_path_to_cacerts.jks>
Step 1b: Import an Existing Certificate into a JKS Keystore
If you have an existing public-private key pair that uses RSA, you must import it into a JKS keystore before EUM can use it.
1. At a command prompt, navigate to the eum-processor directory:
       cd <appdynamics_home>/EUM/eum-processor
2. Stop the EUM process by running the following command:
       bin/eum.sh stop
3. If there is an existing custom JKS keystore, back it up:
       mv <keystore>.jks <keystore>.jks.old
4. Import the private and public key for your certificate into a PKCS12 keystore:
       openssl pkcs12 -inkey <private_key_file> -in <certificate_file> -export -out keystore.p12
5. Convert the PKCS12 keystore to JKS format:
       keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore <JKS_keystore> -deststoretype JKS
   This command creates a JKS keystore with the name specified in the -destkeystore property.
6. Specify a password for the keystore. Use this password when you configure EUM to use the new keystore.
Step 2: Configure the EUM Server to Use the New Keystore
1. Place the new keystore file in the following directory:
       <appdynamics_home>/EUM/eum-processor/bin
2. Edit the eum.properties file in the bin directory.
3. If the property processorServer.keyStorePassword is already set, remove it or comment it out.
4. Add the keystore filename as the following property:
       processorServer.keyStoreFileName=mycustom.keystore
5. Configure the password for the keystore. You can add the password to the file either in plain text or in obfuscated form:
   - For a plain text password, add the password as the value for this property:
         processorServer.keyStorePassword=mypassword
   - For an obfuscated password:
     a. Get the obfuscated password by running the following command in the eum-processor directory in a new command terminal:
            bin/eum-credential-key.<bat|sh> obfuscate -plaintext <newpassword>
     b. Copy the output of the command to your clipboard.
     c. In eum.properties, paste the obfuscated password as the value of the processorServer.keyStorePassword property:
            processorServer.keyStorePassword=<obfuscated_key>
     d. Add the useObfuscatedKeyStorePassword property with the value set to true, as shown:
            processorServer.useObfuscatedKeyStorePassword=true
6. Save and close the file.
Step 3: Restart and Test
1. Restart the EUM Server. From the eum-processor directory, run the following commands:
       bin/eum.sh stop
       bin/eum.sh start
2. Verify that the new security certificate works by opening the following page in a browser:
       https://<hostname>:7002/eumcollector/get-version
3. If you get a successful response, the configuration succeeded.
Change the Certificate Keystore Password
The previous steps create a new keystore, which typically has a new password. To change the keystore password without creating a new keystore, perform the following steps:
1. At a command prompt, navigate to the eum-processor directory:
       cd <appdynamics_home>/EUM/eum-processor
2. Run the keytool command that sets a new password:
       ../jre/bin/keytool -storepasswd -keystore bin/ssugg.keystore
   The sample command sets the password for the default demo keystore, ssugg.keystore. In your command, use the name of your own keystore as the value for -keystore.
3. Enter the existing password and the new password when prompted.
4. Get the obfuscated key by running the following command in the eum-processor directory:
       bin/eum-credential-key.<bat|sh> obfuscate -plaintext <newpassword>
5. Copy the output of the previous command to your clipboard.
6. In the eum.properties file in the eum-processor/bin directory, paste the obfuscated password as the value for the processorServer.keyStorePassword property:
       processorServer.keyStorePassword=<obfuscated_key>
7. If you did not previously use an obfuscated password, add the following property:
       processorServer.useObfuscatedKeyStorePassword=true
8. Save and close the file.
9. Restart the EUM Server.
Change the Credential Keystore Password for the EUM Database
When you install the EUM Server, you need to specify a password to use to secure the credential keystore for the EUM Server. After installation, you can change the password for the credential keystore. You may need to do this, for example, to comply with your organization's password rotation policy.
Note that completing these procedures requires a restart of the EUM Server.
To change the existing EUM server credential keystore password:
1. At a command prompt, navigate to the eum-processor directory:
       cd <appdynamics_home>/EUM/eum-processor
2. Generate a credential store with the new key using the following command:
   On Linux:
       bin/eum-credential-key.sh generate_ks -storepass <new_password>
   On Windows:
       bin\eum-credential-key.bat generate_ks -storepass <new_password>
   The command writes the new credential store to bin/credential.scs.
3. Reencrypt the database password using the new credential store:
   On Linux:
       bin/eum-credential-key.sh encrypt -storepass <new_password> -plaintext <DB_password>
   On Windows:
       bin\eum-credential-key.bat encrypt -storepass <new_password> -plaintext <DB_password>
   The command prints the encrypted form of the DB_password value you entered.
4. Copy the output from the previous command to your clipboard.
5. Open bin/eum.properties for editing, and replace the value of the onprem.dbPassword setting with the new encrypted password you copied to your clipboard.
6. Obfuscate the new credential key as follows:
   On Linux:
       bin/eum-credential-key.sh obfuscate -plaintext <new_password>
   On Windows:
       bin\eum-credential-key.bat obfuscate -plaintext <new_password>
7. Copy the output of the previous command to your clipboard and, in eum.properties, replace the value of onprem.credentialKey with the value from your clipboard.
8. Save and close the properties file.
9. Restart the EUM server.
Change the EUM Database Password
At EUM Server installation time, you set a password for the EUM database. You can change it later as follows:
1. At a command prompt, navigate to the eum-processor directory:
       cd <appdynamics_home>/EUM/eum-processor
2. Encrypt the new database password using the credential key that you entered during installation:
   On Linux:
       bin/eum-credential-key.sh encrypt -storepass <plain_credential_key> -plaintext <New_DB_password>
   On Windows:
       bin\eum-credential-key.bat encrypt -storepass <plain_credential_key> -plaintext <New_DB_password>
   The command prints the encrypted form of the new database password you entered.
3. Copy the output from the previous command to your clipboard.
4. Edit bin/eum.properties and replace the value of the onprem.dbPassword setting with the new encrypted password you copied to your clipboard.
5. Save and close the properties file.
6. Restart the EUM server.