• English日本語한국어
  • Log inStart now

High-security mode

Our default APM agent settings provide a high level of security. However, you may need to guarantee that even if the default APM agent settings are overridden to be more permissive, no sensitive data will ever be reported to New Relic by the APM agent. If this is the case, then you'll want to turn on APM high-security mode (also known as enterprise security mode).

For more information about our default security measures, see our security and privacy documentation, or visit the New Relic security website.

Requirements

High-security mode requires Enterprise edition.

High-security mode is a per-account setting, not a per-organization setting. This means that if your organization contains multiple accounts, you must enable this mode for each account.

Have questions about access to this feature? Talk to your New Relic account representative.

Versions

There are two versions of high-security mode. Version 1 is deprecated and is available only if you already have it. If you're enabling high-security mode for the first time, the only option is version 2 (v2). For details about agent support for version 2, see version support.

Enable high-security mode (version 2)

To enable high security, you must update both the local configuration on your server and the remote configuration in the UI.

Before you do this, note that:

  • Once you enable high security for an account, high security cannot be turned off without assistance from New Relic Support.
  • This is a per-account setting, meaning that you must set it for each account you want to grant high-security mode.

Setting location

Description

Set in UI

  • For users on our newer user model (almost all customers): Get the account ID for the account you want to enable. Then use that to go to this URL: https://one.newrelic.com/admin-portal/apm-agents/hsm?account=YOUR_ACCOUNT_ID. On that page, you can configure high-security mode.

  • For users on our original user model: Only the account owner can configure this. Go to one.newrelic.com, click the user menu and click on Administration. On that page, select High-security mode.

    If the agent is configured for high security via the UI but not locally, then the agent connections are rejected, and the agent will shut down. However, this won't shut down your application.

Local, via agent

Enable high-security mode in your agent configuration file. High-security mode is disabled by default, and the exact procedure to enable it varies by agent:

  • Go

  • Java

  • .NET

  • Node.js

  • PHP

  • Python

  • Ruby

    If the agent is configured for high security locally but not via the UI, then the agent connections will be rejected, and the agent will shut down. This will not shut down your application.

Results of enabling high-security mode (version 2)

Once enabled, high-security mode (v2) ensures the following for your account:

Feature

Comments

Requires agents to use a secure connection (HTTPS)

High-security mode requires a secure (HTTPS) connection. Non-secure connection attempts will be rejected. The latest version of all New Relic agents support HTTPS. If the configuration is not set appropriately, the agent will override the property to ensure all data in transit per the latest industry standards.

Prevents HTTP param capture

High-security mode does not allow HTTP params, which may contain sensitive customer data, to be sent to the New Relic collector. If the agent is configured to send HTTP params locally or through server-side configuration, high-security mode will override the configuration to never capture HTTP params.

Prevents message queue param capture

High-security mode does not allow message queue params, which may contain sensitive customer data, to be sent to the New Relic collector. If the agent is configured to send message queue params locally or through server-side configuration, then high-security mode will override the configuration to never capture message queue params.

Prevents raw query statement capture

High-security mode does not allow raw database query statements, which may contain sensitive customer data, to be captured. If the agent is configured to capture raw queries locally or through server-side configuration, then high-security mode will override the configuration to never capture raw queries.

Prevents user attribute capture

High-security mode does not allow attributes set using each agent's API to be captured, as these may contain sensitive customer data.

For example, in the Java agent, attributes passed in through the following NewRelic agent API calls will be blocked:

NewRelic.addCustomParameter(String key, String value)
NewRelic.addCustomParameter(String key, Number value)
NewRelic.setUserName(String name)
NewRelic.setAccountName(String name)
NewRelic.setProductName(String name)

Prevents noticeError attribute capture

High-security mode does not allow attributes set using each agent's noticeError API call to be captured as these may contain sensitive customer data.

For example, in the Java agent, attributes passed in through the following NewRelic agent API calls will be blocked:

NewRelic.noticeError(String message, Map<String, String> params)
NewRelic.noticeError(Throwable throwable, Map<String, String> params)

Prevents custom events

High-security mode does not allow custom events to be created using the agent API, as these may contain sensitive customer data.

For example, in the .NET agent, the API call RecordCustomEvent will be blocked.

Prevents in-agent log event forwarding

High-security mode does not allow log events to be forwarded to APM using the application_logging.forwarding.enabled configuration option as log messages may contain sensitive customer data.

Prevents deploying Custom Instrumentation via CIE

High-security mode does not allow deploying custom instrumentation when using the Custom Instrumentation Editor. If you have high-security mode enabled, you must export the instrumentation and manually import it to your app server.

Version 2 support

Here are details about agent versions that support high-security mode version 2:

Agent

Version 2 support

Go

All versions

Java

3.7 or higher

.NET

3.3 or higher

Node.js

1.7.0 or higher

PHP

4.9 or higher

Python

2.22.0.0 or higher

Ruby

3.9.1 or higher

Results of enabling high-security mode v1 (deprecated)

High-security mode version 1 is deprecated and only available if you enabled it prior to version 2 being available. High-security mode version 1 ensures the following for your account:

Feature

Comments

Requires agents to use a secure connection (HTTPS)

High-security mode requires an encrypted connection (HTTPS). Non-secure connection attempts will be rejected. The latest version of all New Relic agents support HTTPS. If the configuration is not set appropriately, the agent will override the property to ensure that all data in transit is encrypted as per the latest industry standards.

Prevents HTTP param capture

Agents configured to capture HTTP params, which may contain sensitive customer data, are not allowed to connect to New Relic. If the local configuration is set to capture request parameters, then New Relic's collector will reject the connection, and the agent will shut down.

Prevents raw query statement capture

Agents configured to capture raw database query statements, which may contain sensitive customer data, are not allowed to connect to New Relic. If the agent is configured to capture raw queries locally or through server-side configuration, New Relic's collector will reject the connection and the agent will shut down.

Prevents deploying Custom Instrumentation via CIE

High-security mode does not allow deploying custom instrumentation when using the Custom Instrumentation Editor. If you have high-security mode enabled, you must export the instrumentation and manually import it to your app server.

Migrate from version 1 to version 2

These are the main differences between the two versions of high security:

  • In order to make high security even more secure, high security must be enabled in the New Relic user interface and in the local New Relic configuration file. High security v1 only required high security to be set in the New Relic UI.
  • User attributes, noticeError attributes, and message queue parameters are turned off with high security in version 2, but not in version 1.

To update from v1 to v2, add high_security: true to your local agent configuration file.

Copyright © 2024 New Relic Inc.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.