Agent initializes Java truststore
Describe the bug
Environment
Wildfly 17.0.1 Java 11
We made a big version jump of the Elastic APM agent in one of our environments (1.4.0 -> 1.16.0) and immediately saw our LDAP connection fail. This connection uses internal certificates which are not stored in the default Java truststore. The truststore is not set in the JVM options but will be set from the application at deployment, like this example:
System.setProperty("javax.net.ssl.trustStore", truststoreLocation);
System.setProperty("javax.net.ssl.trustStorePassword", truststorePassword);
Debugging via -Djavax.net.debug=all showed us that the APM agent, since version 1.13.0, initializes the default truststore before Wildfly even starts, which breaks our truststore initialization.
Steps to reproduce
Steps to reproduce the behavior:
- Download Wildfly from https://wildfly.org/downloads/ and extract it
- Add the following JAVA_OPTS in the wildfly config at <wildfly-dir>/bin/standalone.conf (Linux) or <wildfly-dir>/bin/standalone.conf.bat (Windows)
  -javaagent:<path-to-agent>/elastic-apm-agent.jar -Delastic.apm.service_name=App -Delastic.apm.server_urls=http://localhost:8200 -Delastic.apm.application_packages=com.example -Delastic.apm.environment="development" -Djavax.net.debug=all
- Start wildfly with the start script found in <wildfly-dir>/bin/standalone.sh (Linux) or <wildfly-dir>/bin/standalone.bat (Windows)
- With apm versions >= 1.13.0 the whole default truststore will be printed to the console/log before this log message appears
  INFO co.elastic.apm.agent.report.ApmServerHealthChecker - Elastic APM server is available: { "build_date": "2020-05-12T00:04:54Z", "build_sha": "64e91c95329991c36b16ff94fd34ea75230c06c2", "version": "7.7.0"}
Expected behavior
Expected would be that the agent, like before, does not initialize the Java truststore.
Debug logs
If needed I can add the debug logs.
Issue Analytics
- Created 3 years ago
- Comments: 6 (6 by maintainers)
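The ordering problem described in the report, reduced to a stand-alone program; this is an added example, not code from the original issue or from the agent. The class name, the temporary empty truststore and its password are constructed for illustration, and step 4 shows one order-independent alternative: an SSLContext built from an explicit truststore rather than from the JVM-wide default.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreInitOrder {
    // Builds an SSLContext from an explicit truststore file. It does not read
    // the javax.net.ssl.* properties and does not use the default context.
    static SSLContext contextFrom(Path store, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty truststore standing in for the internal one.
        char[] password = "changeit".toCharArray();
        Path store = Files.createTempFile("internal-trust", ".p12");
        KeyStore empty = KeyStore.getInstance("PKCS12");
        empty.load(null, password);
        try (OutputStream out = Files.newOutputStream(store)) {
            empty.store(out, password);
        }
        // 1. Code that runs before the application (simulated by this line)
        //    touches the default context, which loads the default truststore.
        SSLContext early = SSLContext.getDefault();
        // 2. The application sets its truststore afterwards, as in the report.
        System.setProperty("javax.net.ssl.trustStore", store.toString());
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        // 3. The default context is created once and cached, so the later
        //    property change does not produce a new default context.
        System.out.println("default context replaced: " + (SSLContext.getDefault() != early));
        // 4. An explicit context is unaffected by who initialized what first.
        SSLContext explicit = contextFrom(store, password);
        System.out.println("explicit context protocol: " + explicit.getProtocol());
    }
}
```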
Top GitHub Comments
The latest test version also works as expected
Thanks for reporting! Working on a fix, will let you test once we have it.