On this page:
On this page:
About Controller Security
The Controller is installed with an HTTPS port enabled by default. SSL secures client connections and allows client to authenticate the Controller. The Controller UI supports HTTP Basic Authentication, along with SAML and LDAP authentication. Role-based access controls in the UI allow you to manage user privileges.
While the security features of the Controller are enabled out of the box, there are some steps you should take to ensure the security of your deployment. These steps include but are not limited to:
The SSL port uses a self-signed certificate. If you intend to terminate SSL connection at the Controller, you should replace the default certificate with your own, CA-signed certificate. If you replace the default SSL certificate on the Controller, you will also need to establish trust for the Controller's public key on the App Agent machine.
As an alternative to terminating SSL at the Controller, you can put the Controller behind a reverse proxy that terminates SSL, relieving the Controller from having to process SSL.
- Along with a secure listening port, the Controller provides an unsecured, HTTP listening port as well. You should disable the port or block access to the point from any untrusted networks.
- Make sure that your App Agents connect to the Controller or to the reverse proxy, if terminating SSL at a proxy, with SSL enabled.
- The Controller and underlying components, Glassfish and MySQL, include built-in user accounts. Be sure to change the passwords for the accounts regularly and in general, follow best practices for password management for the accounts. For information on changing the passwords for built-in users, see User Management.
Proxy Controller Connections
The AppDynamics Controller is often deployed to a protected network behind a proxy, which presents a virtual IP address to external connections, including to agents and browser clients. The proxy itself resides in the DMZ for the network, and often terminates SSL connections from the client connections.
If clients use SSL, the reverse proxy can terminate SSL connections or maintain SSL through to the Controller. Terminating SSL at the proxy removes the processing burden from the Controller machine.
Using a secure proxy can simplify administration as a whole, by centralizing SSL key management to a single point. It allows you to use alternative PKI infrastructures, like OpenSSL.
See Use a Reverse Proxy for more information.