This page applies to an earlier version of the AppDynamics App IQ Platform.
See the latest version of the documentation.

Skip to end of metadata
Go to start of metadata

This topic describes how to configure the AppDynamics Standalone Machine Agent to connect to the Controller using SSL. It assumes that you use a SaaS Controller or have configured the on-premise Controller to use SSL. See Controller SSL and Certificates.

The Standalone Machine Agent supports extending and enforcing the SSL trust chain when in SSL mode.

Plan SSL Configuration

Gather the following information:

  • The Controller SSL port.
    • For SaaS Controllers the SSL port is 443.
    • For on-premise Controllers the default SSL port is 8181, but you may configure the Controller to listen for SSL on another port.
  • The signature method for the Controller's SSL certificate:
    • A publicly known certificate authority (CA) signed the certificate. This applies for DigiCert, Verisign, Thawte, and other commercial CAs.
    • A CA internal to your organization signed the certificate. Some companies maintain internal certificate authorities to manage trust and encryption within their domain.
    • The Controller uses a self-signed certificate.

Establish Trust for the Controller's SSL Certificate

To establish trust between the Standalone Machine Agent and the AppDynamics Controller, you must create an agent truststore that contains the root certificate for the authority that signed the Controller's certificate.

If you secured your on-premise Controller with a self-signed certificate, see Keystore Certificate Extractor Utility for instructions to create the agent keystore.

  1. Obtain one of the following root certificates:
    • DigiCert Global Root CA for the AppDynamics SaaS Controller
    • the root certificate for the publicly known certificate authority (CA) that signed the certificate for your on-premise Controller
    • the root certificate for the internal CA that signed the Controller certificate for your on-premise Controller

  2. Run the Java keytool command to create the agent truststore:

    keytool -import -alias rootCA -file <root_certificate_file_name> -keystore cacerts.jks -storepass <truststore_password>

    For example:

    keytool -import -alias rootCA -file /usr/home/appdynamics/DigicertGlobalRootCA.pem -keystore cacerts.jks -storepass MySecurePassword

    Make note of the truststore password, you need it to configure the Standalone Machine Agent.

  3. Install the agent truststore to the agent configuration directory:


Secure the Standalone Machine Agent Truststore

AppDynamics recommends you take the following security measures to prevent tampering with the Standalone Machine Agent truststore:

  • Secure the truststore file through filesystem permissions:

    • Make the agent truststore readable by any user.

    • Make the truststore owned by a privileged user.

    • Make the truststore writable only by the specified privileged user.

  • Secure the controller-info configuration file so that it is only readable by the agent runtime user and only writable by a privileged user:

    • <machine_agent_home>/conf/controller-info.xml.

Enable SSL for the Standalone Machine Agent

  1. Configure the following system properties in the controller-info.xml: <machine_agent_home>/conf/controller-info.xml. See "SSL Configuration Properties" on Standalone Machine Agent Configuration Property Reference for full details on each property.
    • Controller Host: should be the same as either the Common Name or the Subject Alternative Name (SAN) in the certificate configured for the Controller.


    • Controller Port: the SSL port for the controller. 443 for AppDynamics SaaS.


    • Controller SSL Enabled: true. 


    • Controller Keystore Password: the plain text password for the agent truststore.


      If you have enabled the Secure Credential Store, encrypt the password you enter here. See Encrypt Credentials for Agent Configuration.

    • Controller Keystore Filename: path of the agent truststore relative to <machine_agent home>/conf. Required if you use a truststore other than the default <machine_agent_home>/conf/cacerts.jks.


      You can specify the Controller port and enable SSL for the Controller in the Standalone Machine Agent startup script, but you must specify the truststore password and filename in the controller-info.xml file.

  2. Restart the Standalone Machine Agent.

Sample controller-info.xml with SSL and Secure Credential Store encryption enabled

<?xml version="1.0" encoding="UTF-8"?>
    <!-- Encrypted Controller keystore / agent trust store password -->
    <!-- Secure Credential Store configuration -->
    <!-- Enable the Secure Credential Store -->
    <!-- Path to they secure credential keystore -->
    <!-- Obfuscated secure credential keystore password -->

Keystore Certificate Extractor Utility

The Keystore Certificate Extractor Utility exports certificates from the Controller's Java keystore and writes them to an agent truststore. You can run this utility the agent distribution on the Controller:

  1. Execute kr.jar and pass the following parameters:
    • The full path to the Controller's keystore:

    • The truststore output file name. By default the Standalone Machine Agent looks for cacerts.jks.
    • The password for the Controller's certificate, which defaults to "changeit". If you don't include a password, the extractor applies the password "changeit" to the output truststore.

      java -jar kr.jar <controller_home>/appserver/glassfish/domains/domain1/config/keystore.jks cacerts.jks <controller_certificate_password>
  2. Install the agent trust store to the agent configuration directory:

  • No labels