AppDynamics agents store various types of credential information on disk, including:
- Controller account access key
- Controller keystore/agent truststore password
- Proxy server password
For environments where security policies require you to secure credentials stored on disk, you can use the Secure Credential Store to encrypt credentials for use in agent configuration.
Two components comprise the Secure Credential Store:
- scs-tool.jar: A utility to create the secure credential store, encrypt credentials, and obfuscate the credential store password
- Secure credential keystore: A keystore for the secret encryption key
The secure credential store utility encrypts plain text using the strongest encryption available according to the system's encryption jurisdiction policy.
For the .NET Agent, see Encrypt Credentials in .NET Agent Configuration.
Required: Update Agent Properties
After you set up the Credential Keystore, you must specify the following settings:
Initialize the Secure Credential Store
Before you can encrypt or obfuscate passwords, you must run the secure credential store utility to create the keystore for your secret encryption key. The agent distribution includes the secure credential store utility in the following locations:
- Java Agent:
- Machine Agent:
- Database Agent:
- Analytics Agent:
Run the secure credential store utility generate_ks command with the following parameters:
- filename: Absolute path where the utility will create the secure credential keystore. Use this path for <credential-store-filename> in agent configuration.
- storepass: The secure credential keystore password. Use the obfuscated version of this password as the value for <credential-store-password> in agent configuration.
The secure credential store utility confirms it created and initialized the keystore:
To encrypt passwords using the secure credential store utility, run the encrypt command with the following parameters:
- filename: Absolute path to the secure credential keystore file.
- storepass: Password for the secure credential keystore. You can use either a plain-text password or a password that has been obfuscated as described in the following section.
- plaintext: Any plain text to encrypt. For instance, account access key or password.
Here is an example using a plain-text password (the -storepass argument) for the secure credential keystore:
Here is the same example using an obfuscated password:
The secure credential store utility writes out an encrypted password for use in agent configuration files:
Obfuscate the Secure Credential Store Password
To access the secret key in the secure credential keystore, the agent needs the obfuscated credential store password. Run the secure credential store utility obfuscate command with the following parameter:
- plaintext: The plain text secure credential keystore password.
The secure credential store utility writes out an obfuscated password for use in the <credential-store-password> in agent configuration. For example:
Encrypt a plain text property
After you obfuscate the secure credential store password, you can encrypt plain text properties. For example, the following demonstrates how to encrypt properties in the analytics agent:
This generates an encrypted credential, such as:
Sample Agent Configuration
The following example demonstrates the agent configuration properties for the Secure Credential Store. For more information see the agent-specific configuration property documentation.
Java Agent Configuration
Analytics Agent Configuration
Encrypt Data on the Analytics Agent
You can encrypt any data on the analytics agent using secure://<your-encrypted-credentials>. You can encrypt data in the Analytics Agent Properties file or System Properties. The following example demonstrates how to encrypt http.event.accessKey in the Analytics Agent Properties file.
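
Separately from the documentation's own examples, the audit below is an added example, not AppDynamics code: it parses a Java-style properties file and reports credential-like keys whose values are not secure:// references, or that still carry the unreplaced secure://<your-encrypted-credentials> template. Only http.event.accessKey and the secure:// prefix come from this page; the key-name patterns, the other key names, and the sample file are assumptions constructed for illustration.

```python
import re

SECURE_PREFIX = "secure://"  # prefix this page gives for encrypted values
# Assumption: keys matching this pattern hold credentials (heuristic only;
# http.event.accessKey is the one key the page names).
SENSITIVE_KEY = re.compile(r"accesskey|password|secret", re.IGNORECASE)
# Assumption: the credential store password key holds the obfuscated value,
# not a secure:// reference, so it is exempt from this check.
STORE_KEY = re.compile(r"credential[-.]store", re.IGNORECASE)
# Java-properties style: key, then '=' or ':' or whitespace, then value.
PROP = re.compile(r"([^\s=:]+)\s*[=:]?\s*(.*)")

def audit_properties(text):
    """Return (line_no, key, status) per credential-like key; never the value."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        m = PROP.match(line)
        if not m:  # malformed line with no key
            continue
        key, value = m.group(1), m.group(2).strip()
        if not value or not SENSITIVE_KEY.search(key) or STORE_KEY.search(key):
            continue
        if not value.startswith(SECURE_PREFIX):
            status = "plaintext"
        elif "<" in value or value == SECURE_PREFIX:
            status = "placeholder"  # doc template pasted without a real value
        else:
            status = "ok"
        findings.append((line_no, key, status))
    return findings

# Constructed sample; every key except http.event.accessKey is hypothetical.
SAMPLE = """\
# constructed analytics agent properties
example.endpoint=http://analytics.example.com:9080
http.event.accessKey=secure://CONSTRUCTED-ciphertext==
example.proxy.password: hunter2
example.credential.store.password=s_CONSTRUCTED-obfuscated
example.db.password = secure://<your-encrypted-credentials>
"""

if __name__ == "__main__":
    for line_no, key, status in audit_properties(SAMPLE):
        print(f"line {line_no}: {key}: {status}")
```

The report carries line numbers, keys and statuses only, so the audit output can be logged or attached to a ticket without copying a credential into it.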