To communicate with the New Relic collector over HTTPS, you need to have the proper certificates for trusted signers in the trust store on your app server. By default, most JREs contain a valid root certificate that allows the agent to connect to newrelic.com. However, starting in 6.1.0, for applications which use a custom trust store, the Java agent will use a bundled certificate that is valid for up to a year after release. Before that certificate expires, you must either update to the latest agent version or provide a valid certificate using the ca_bundle_path configuration.
The Java agent will begin logging a warning message upon application startup when there are fewer than three months before the bundled certificate expires.
For Java agent versions prior to 6.0.0, applications that require valid certificates may add them in one of the following two ways:
- Use YAML-based configuration.
- Add the bundled list of New Relic trusted signers to the local store.
Using YAML-based configuration
The New Relic Java agent bundles the list of trusted signers in the agent newrelic.jar file. If you do not want to change the local trust store, you can activate them by setting use_private_ssl to true in the newrelic.yml agent configuration file:
common: &default_settings
  use_private_ssl: true
  #
  # ============================== LICENSE KEY ===============================
  # You must specify the license key associated with your New Relic ...
Adding New Relic trusted signers to the local store
You can also add the bundled list of trusted signers to your local trust store. The default location for the local trust store is $JAVA_HOME/jre/lib/security/cacerts. To override this location, set the javax.net.ssl.trustStore property in your launch command to the target location.
To add the bundled list of trusted signers to your local trust store:
1. Make a backup copy of your trust store:
   cp /path/to/truststore /path/to/truststore.orig
2. Extract the New Relic trust store from the agent jar:
   jar xvf /path/to/newrelic.jar nrcerts
   If you are prompted for a password during this step, leave the password space blank and confirm.
3. Merge the New Relic trust store into your trust store:
   keytool -importkeystore -srckeystore nrcerts -destkeystore /path/to/truststore
4. Restart your app server to take advantage of the updated trust store and communicate with New Relic securely.
Step 3 refers to destkeystore even though we are manipulating trust stores. This is correct. A trust store is a key store used for client-side certificates.
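Once the trust stores are merged, it is worth checking which certificates in the result are close to expiry, using the same three-month window as the agent's startup warning. The script below is an added example, not New Relic code: it parses the English-locale output of `keytool -list -v`, and the script name `check_expiry.py`, the function name, and the sample aliases and dates are constructed for illustration.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Validity line as printed by `keytool -list -v` in an English locale, e.g.
#   Valid from: Fri Nov 10 00:00:00 UTC 2006 until: Mon Nov 10 00:00:00 UTC 2031
UNTIL = re.compile(r"until: \w{3} (\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) \S+ (\d{4})")

def expiring_entries(listing, now, window_days=90):
    """Return (alias, not_after, days_left) for every certificate that has
    expired or expires within window_days of `now`, soonest first.
    The time zone token is ignored, so a result can be off by up to a day."""
    cutoff = now + timedelta(days=window_days)
    alias, hits = "<unknown>", []
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        match = UNTIL.search(line)
        if match:
            not_after = datetime.strptime(" ".join(match.groups()), "%b %d %H:%M:%S %Y")
            if not_after <= cutoff:
                hits.append((alias, not_after, (not_after - now).days))
    return sorted(hits, key=lambda hit: hit[1])

# Constructed sample listing (aliases and dates are made up for illustration).
SAMPLE = """\
Alias name: example-root-a
Entry type: trustedCertEntry
Owner: CN=Example Root A
Valid from: Fri Nov 10 00:00:00 UTC 2006 until: Mon Nov 10 00:00:00 UTC 2031

Alias name: example-bundled
Entry type: trustedCertEntry
Owner: CN=Example Bundled CA
Valid from: Wed Jul 01 00:00:00 UTC 2020 until: Thu Jul 01 00:00:00 UTC 2021

Alias name: example-old
Entry type: trustedCertEntry
Owner: CN=Example Old CA
Valid from: Thu Jan 01 00:00:00 UTC 2015 until: Fri Jan 01 00:00:00 UTC 2021
"""

if __name__ == "__main__":
    # Usage: keytool -list -v -keystore /path/to/truststore | python3 check_expiry.py
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    found = expiring_entries(sys.stdin.read(), now)
    for alias, not_after, days_left in found:
        print(f"{alias}: expires {not_after:%Y-%m-%d} ({days_left} days left)")
    sys.exit(1 if found else 0)
```

The script exits non-zero when any entry falls inside the window, so it can gate a deployment step or a scheduled check.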
For more help
Additional documentation resources include New Relic for Java (compatibility and requirements, installation, and configuration).