To communicate with the New Relic collector over HTTPS, you need to have the proper certificates for trusted signers in the trust store on your app server. There are two ways to do this:
- Use YAML-based configuration.
- Add the bundled list of New Relic trusted signers to the local store.
Using YAML-based configuration
The New Relic Java agent bundles the list of trusted signers in the agent newrelic.jar file. If you do not want to change the local trust store, you can activate them by setting use_private_ssl to true in the newrelic.yml agent configuration file:
    common: &default_settings
      use_private_ssl: true
      #
      # ============================== LICENSE KEY ===============================
      # You must specify the license key associated with your New Relic ...
Adding New Relic trusted signers to the local store
You can also add the bundled list of trusted signers to your local trust store. The default location for the local trust store is $JAVA_HOME/jre/lib/security/cacerts. To override this location, set the javax.net.ssl.trustStore property in your launch command to the target location.
To add the bundled list of trusted signers to your local trust store:
1. Make a backup copy of your trust store:
    cp /path/to/truststore /path/to/truststore.orig
2. Extract the New Relic trust store from the agent jar:
    jar xvf /path/to/newrelic.jar nrcerts
   If you are prompted for a password during this step, leave the password space blank and confirm.
3. Merge the New Relic trust store into your trust store:
    keytool -importkeystore -srckeystore nrcerts -destkeystore /path/to/truststore
4. Restart your app server to take advantage of the updated trust store and communicate with New Relic securely.
Step 3 refers to destkeystore even though we are manipulating trust stores. This is correct. A trust store is a key store used for client-side certificates.
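To review which trusted signers the merge in step 3 actually introduced, the following added example (not part of New Relic's documentation or agent) compares two keytool -list outputs saved before and after the import. The function names, the file arguments and the sample listings are assumptions constructed for illustration.

```shell
# Added example, not New Relic code. Compares two saved "keytool -list"
# outputs (before and after the merge) and reports what the import changed.
# Assumes keytool's default English listing format.
# diff_stores BEFORE AFTER: print ADDED/CHANGED/REMOVED lines, sorted.
diff_stores() {
  awk '
    FNR == 1 { file++ }
    # Entry header: "<alias>, <date>, trustedCertEntry,"
    /, (trustedCertEntry|PrivateKeyEntry),[ \t]*$/ {
      alias = $0; sub(/, .*$/, "", alias); next
    }
    /^Certificate fingerprint/ {
      if (file == 1) { before[alias] = $NF; next }
      seen[alias] = 1
      if (!(alias in before)) print "ADDED " alias " " $NF
      else if (before[alias] != $NF) print "CHANGED " alias " " $NF
    }
    END { for (a in before) if (!(a in seen)) print "REMOVED " a }
  ' "$1" "$2" | LC_ALL=C sort
}
# Constructed sample listings; aliases and fingerprints are made up.
sample_before() {
  cat <<'EOF'
Your keystore contains 2 entries
corp-root, Jan 5, 2015, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:AA:AA:01
shared-root, Jan 5, 2015, trustedCertEntry,
Certificate fingerprint (SHA-256): BB:BB:BB:02
EOF
}
sample_after() {
  cat <<'EOF'
Your keystore contains 3 entries
corp-root, Jan 5, 2015, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:AA:AA:01
shared-root, Mar 9, 2016, trustedCertEntry,
Certificate fingerprint (SHA-256): CC:CC:CC:03
vendor-root, Mar 9, 2016, trustedCertEntry,
Certificate fingerprint (SHA-256): DD:DD:DD:04
EOF
}
demo() {
  b=$(mktemp) && a=$(mktemp) || return 1
  sample_before > "$b"; sample_after > "$a"
  diff_stores "$b" "$a"; rm -f "$b" "$a"
}
# Two listing files as arguments, or no arguments for the demo.
if [ $# -eq 2 ]; then diff_stores "$1" "$2"; else demo; fi
```

ADDED lines are the signers the application will newly trust after the restart; a CHANGED line means an existing alias now points at a different certificate and is worth checking against the backup from step 1.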
For more help
Additional documentation resources include New Relic for Java (compatibility and requirements, installation, and configuration).