On this page:

Related pages:

This topic describes how to configure the AppDynamics Standalone Machine Agent to connect to the Controller using SSL. It assumes that you use a SaaS Controller or have configured the on-premises Controller to use SSL. 

The Standalone Machine Agent supports extending and enforcing the SSL trust chain when in SSL mode.

Plan SSL Configuration

Gather the following information:

Establish Trust for the Controller's SSL Certificate

To establish trust between the Standalone Machine Agent and the AppDynamics Controller, you must create an agent truststore that contains the root certificate for the authority that signed the Controller's certificate.

  1. Obtain one of the following root certificates:
  2. Run the Java keytool command to create the agent truststore:

    keytool -import -alias rootCA -file <root_certificate_file_name> -keystore cacerts.jks -storepass <truststore_password>

    For example:

    keytool -import -alias rootCA -file /usr/home/appdynamics/DigicertGlobalRootCA.pem -keystore cacerts.jks -storepass MySecurePassnword

    Note the truststore password; you will need this later to configure the Standalone Machine Agent.

  3. Install the agent truststore to the agent configuration directory:

    <machine_agent_home>/conf/

Secure the Standalone Machine Agent Truststore

AppDynamics recommends you take the following security measures to prevent tampering with the Standalone Machine Agent truststore:

Enable SSL for the Standalone Machine Agent

  1. Configure the following system properties in the controller-info.xml: <machine_agent_home>/conf/controller-info.xml. See "SSL Configuration Properties" on Standalone Machine Agent Configuration Property Reference for full details on each property.
  2. Restart the Standalone Machine Agent.

Sample controller-info.xml with SSL and Secure Credential Store encryption enabled

<?xml version="1.0" encoding="UTF-8"?>
<controller-info>
	<controller-host>mycompany.saas.appdynamics.com</controller-host>
	<controller-port>443</controller-port>
	<controller-ssl-enabled>true</controller-ssl-enabled>
    <!-- Encrypted Controller keystore / agent trust store password -->
	<controller-keystore-password>Tw49bd0hdCMBoQ5pfMMuYA/cA5B4pouVPkv48ovRm6c=</controller-keystore-password>
	<controller-keystore-filename>../../conf/cacerts.jks</controller-keystore-filename>
	...
    <!-- Secure Credential Store configuration -->
    <!-- Enable the Secure Credential Store -->
    <use-encrypted-credentials>true</use-encrypted-credentials>
    <!-- Path to they secure credential keystore -->
    <credential-store-filename>/opt/appdynamics/secretKeyStore</credential-store-filename>
    <!-- Obfuscated secure credential keystore password -->
    <credential-store-password>n/8GvAZsKk4gM3Z6g+XQ1w==</credential-store-password>
</controller-info>

Keystore Certificate Extractor Utility

The Keystore Certificate Extractor Utility exports certificates from the Controller's Java keystore and writes them to an agent truststore. You can run this utility the agent distribution on the Controller:

<controller_home>/appserver/glassfish/domains/domain1/appagent
  1. Execute kr.jar and pass the following parameters:
  2. Install the agent trust store to the agent configuration directory:

    <machine_agent_home>/conf/