Enable configurable security policy

Limited release

New Relic APM's configurable security policy gives you granular control over configuration options related to your account's data security. This document explains how to enable an account-wide security policy and the options available.

APM's configurable security policy is available in limited release for approved New Relic accounts.

Compatibility and requirements

APM agent versions that support this feature include:

  • Go: 2.1 or higher
  • Java: 4.1 or higher
  • .NET: 8.1 or higher
  • Node.js: 4.1 or higher
  • PHP: 8.1 or higher
  • Python: not available
  • Ruby: 5.2 or higher

Enable configurable security policy

A security policy applies account-wide. Once enabled, it can only be edited or disabled with the help of New Relic support.

If high security mode is enabled for the account(s), do not disable it. Account-level high security mode differs from your APM agent's high security mode, which is set in the configuration file.

For the limited release, there is no UI component.

If you are participating in the limited release, the process for setting up your accounts is as follows:

  1. Choose the accounts or sub-accounts on which to enable configurable security policy.
  2. Choose the configurable security policy options that you want for those accounts.
  3. Inform your New Relic sales rep of the options that you have chosen.
  4. Ensure your agent versions support this feature. Update agents if necessary.
  5. When you receive the security token based on the security policy options that you chose, insert the security token into the agent configuration file(s). See examples.
  6. Delete the high security mode enabled flag from your config file(s).

High security mode (HSM) at the agent level is different than high security mode at the account level. Be sure to disable HSM in the agent's config file, as explained in this procedure. Having both the security token and the HSM flag will result in the agent disconnecting.

Example configuration

Here are some example configurations for enabling the configurable security policy:

Java agent: XML example

The Java agent allows configuration via XML. Here is an example snippet enabling a security policy:

...
<configuration agentenabled="true" xmlns="urn:newrelic-config">
  <service licensekey="YOUR_LICENSE_KEY" />
  <application>
    <name>My Application Name</name>
  </application>
  <securitypoliciestoken>YOUR_TOKEN</securitypoliciestoken>
  <log level="info" />
</configuration>
...

Ruby agent: YAML example

The Ruby agent uses a YAML file for configuration. Here is an example snippet enabling a security policy:

common: &default_settings
  license_key: 'YOUR_LICENSE_KEY'
  app_name: 'My Application Name'
  security_policies_token: 'YOUR_TOKEN'
production:
  <<: *default_settings
  log_level: info
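
The procedure above warns that an agent disconnects when its config file carries both the security token and the agent-level HSM flag. The following pre-deployment check is an added example, not New Relic code. It audits each section of a Ruby agent YAML file for that conflict. The key name high_security is an assumption for the HSM flag, which this page does not name, and the sample config is constructed.

```ruby
require 'yaml'

# security_policies_token comes from the YAML example above.
# high_security is ASSUMED to be the agent-level HSM flag (not named on this page).
TOKEN_KEY = 'security_policies_token'
HSM_KEY   = 'high_security'

# Constructed sample: settings inherited through the YAML merge key (<<) are
# audited too, so a flag set once in "common" is caught in every environment.
SAMPLE_CONFIG = <<~CONFIG
  common: &default_settings
    license_key: 'YOUR_LICENSE_KEY'
    app_name: 'My Application Name'
    security_policies_token: 'constructed-token-123'
    high_security: true
  production:
    <<: *default_settings
    log_level: info
  staging:
    <<: *default_settings
    high_security: false
  development:
    license_key: 'YOUR_LICENSE_KEY'
CONFIG

# Returns { section_name => status } for every top-level section of the file.
def audit_newrelic_yml(text)
  doc = YAML.safe_load(text, aliases: true) || {}
  doc.each_with_object({}) do |(section, settings), report|
    next unless settings.is_a?(Hash)
    token = settings[TOKEN_KEY].to_s.strip
    hsm   = settings[HSM_KEY].to_s.downcase == 'true'
    report[section] =
      if token.empty?              then :missing_token
      elsif hsm                    then :conflict_token_and_hsm # agent would disconnect
      elsif token == 'YOUR_TOKEN'  then :placeholder_token      # template value left in
      else                              :ok
      end
  end
end

if $PROGRAM_NAME == __FILE__
  audit_newrelic_yml(SAMPLE_CONFIG).each { |section, status| puts "#{section}: #{status}" }
end
```

Any section reported as conflict_token_and_hsm still needs step 6 of the procedure applied before the agent is restarted.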

Available policy options

Here are the settings you can choose when creating your policy. Some of these options will not be available for some agents.

Setting Effect
Disable database query collection

Options:

  • On: Disables collection of all database query data.
  • Off: Collects obfuscated database query data. Raw query data is never collected with either of these options.

Ignore attributes.include list

Go, Java, .NET, Node.js, Ruby only

Options:

  • On: Ignores the list of allowed attributes listed in the attributes.include property in agent configuration; those attributes will not be collected.
  • Off: attributes.include list functions normally.

Whitelisting attributes at the account level is not supported.

Disable raw exception messages

Options:

  • On: Prevent collection of raw exception messages. (The messages may be either removed or obfuscated, depending on the agent.)
  • Off: Allows collection of raw exception messages.

Disable custom events

Options:

  • On: Prevents collection of custom events that are collected via agent APIs.
  • Off: Custom event collection functions normally.

Disable custom attributes

Options:

  • On: Prevents collection of custom attributes that are collected via agent APIs.
  • Off: Custom attribute collection functions normally.

Disable custom instrumentation editor

Java only

Options:

  • On: Disables the custom instrumentation editor. Instrumentation previously done via the editor is also disabled.
  • Off: Custom instrumentation editor functions normally.

Disable message data

Java and Ruby only

Options:

  • On: Disables collection of message queue data.
  • Off: Message collection functions normally.

Disable job arguments

Ruby only

Options:

  • On: Disables collection of job arguments.
  • Off: Job argument collection functions normally.

For more help

For more information about configuration file settings, refer to your specific agent's documentation.

If you are a New Relic customer and interested in the limited release of configurable security policy, contact your New Relic sales rep.
