Overview of Docker Agent and TLS SSL.
Article ID: 101573
Updated On:
Products
APP PERF MANAGEMENT
CA Application Performance Management Agent (APM / Wily / Introscope)
CUSTOMER EXPERIENCE MANAGER
INTROSCOPE
Issue/Introduction
How does Docker Agent work with TLS/SSL?
Environment
APM 10.5/10.7
Resolution
This is how Docker Monitor works
1. It connects to the docker daemon process through HTTP/S ( in 10.5.2 ) and through Unix Socket in 10.7 and collect performance metric & metadata about containers
2. Connects to the enterprise manager to send the collected information
In both cases, the DM agent is a client program .In the first case, the docker daemon is a server and on the second case EM is the server. Both of them can be configured so that it only accepts connections from clients providing a certificate trusted by your CA.
This is the way you can configure docker daemon process to accept only authorized client
https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl
Look for HTTPS tunnelling and SSL section in the docops to find out how EM is configured .
https://docops.ca.com/ca-apm/10-5/en/administrating/configure-the-workstation/http-tunneling-and-ssl
Now, the docker monitor agent section :
a) to connect to EM : follow https://docops.ca.com/ca-apm/10-5/en/implementing-agents/java-agent/configure-java-monitoring/configure-java-agent#ConfigureJavaAgent-ConnecttotheEnterpriseManageroverSSL
2) to connect to Docker Daemon : Follow section 3 of https://docops.ca.com/ca-apm/10-5/en/implementing-agents/ca-apm-agentless-docker-monitor-and-container-flow-map/configure-the-agentless-docker-monitor
With APM 10.7 - the Docker Monitor configuration is simple. It is done via Unix Socket. So, even if you configure yourdaemon process with TLS - we should be able to communicate without any configuration via the Unix socket.
1. It connects to the docker daemon process through HTTP/S ( in 10.5.2 ) and through Unix Socket in 10.7 and collect performance metric & metadata about containers
2. Connects to the enterprise manager to send the collected information
In both cases, the DM agent is a client program .In the first case, the docker daemon is a server and on the second case EM is the server. Both of them can be configured so that it only accepts connections from clients providing a certificate trusted by your CA.
This is the way you can configure docker daemon process to accept only authorized client
https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl
Look for HTTPS tunnelling and SSL section in the docops to find out how EM is configured .
https://docops.ca.com/ca-apm/10-5/en/administrating/configure-the-workstation/http-tunneling-and-ssl
Now, the docker monitor agent section :
a) to connect to EM : follow https://docops.ca.com/ca-apm/10-5/en/implementing-agents/java-agent/configure-java-monitoring/configure-java-agent#ConfigureJavaAgent-ConnecttotheEnterpriseManageroverSSL
2) to connect to Docker Daemon : Follow section 3 of https://docops.ca.com/ca-apm/10-5/en/implementing-agents/ca-apm-agentless-docker-monitor-and-container-flow-map/configure-the-agentless-docker-monitor
With APM 10.7 - the Docker Monitor configuration is simple. It is done via Unix Socket. So, even if you configure yourdaemon process with TLS - we should be able to communicate without any configuration via the Unix socket.
Feedback
Yes
No
Powered by
