Overview of Docker Agent and TLS/SSL.

Document ID : KB000101573
Last Modified Date : 14/06/2018
Question:
How does Docker Agent work with TLS/SSL?
Environment:
APM 10.5/10.7
Answer:
This is how the Docker Monitor works:  
1. It connects to the Docker daemon process through HTTP/S (in 10.5.2) or through a Unix socket (in 10.7) and collects performance metrics and metadata about containers.  
2. It connects to the Enterprise Manager to send the collected information.  

In both cases, the DM agent is a client program. In the first case, the Docker daemon is the server, and in the second case the EM is the server. Both servers can be configured to accept connections only from clients that present a certificate trusted by your CA.  

This is how you can configure the Docker daemon process to accept only authorized clients:  

https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl 

Look for the HTTPS tunnelling and SSL section in the DocOps to find out how the EM is configured:

https://docops.ca.com/ca-apm/10-5/en/administrating/configure-the-workstation/http-tunneling-and-ssl 

Now, the Docker Monitor agent section:  
a) To connect to the EM, follow https://docops.ca.com/ca-apm/10-5/en/implementing-agents/java-agent/configure-java-monitoring/configure-java-agent#ConfigureJavaAgent-ConnecttotheEnterpriseManageroverSSL  

b) To connect to the Docker daemon, follow section 3 of https://docops.ca.com/ca-apm/10-5/en/implementing-agents/ca-apm-agentless-docker-monitor-and-container-flow-map/configure-the-agentless-docker-monitor  

With APM 10.7, the Docker Monitor configuration is simple: it is done via a Unix socket. So even if you configure your daemon process with TLS, we should be able to communicate over the Unix socket without any configuration.
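
One way to check which of the two cases above applies to a given Docker host is to classify each listener in the daemon's `daemon.json`. This is an added example, not CA or Docker code: the function name, status labels and sample configurations are constructed for illustration, and it assumes the listeners are set in `daemon.json` rather than on the `dockerd` command line.

```python
import json

# Constructed daemon.json samples for illustration (not from the article).
SAMPLES = {
    "plaintext": '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}',
    "server_tls": '{"hosts": ["tcp://0.0.0.0:2376"], "tls": true,'
                  ' "tlscert": "/etc/docker/server-cert.pem",'
                  ' "tlskey": "/etc/docker/server-key.pem"}',
    "mutual_tls": '{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true,'
                  ' "tlscacert": "/etc/docker/ca.pem",'
                  ' "tlscert": "/etc/docker/server-cert.pem",'
                  ' "tlskey": "/etc/docker/server-key.pem"}',
}

def audit_daemon_config(text):
    """Classify every listener in a daemon.json document.

    Returns a list of (host, status) where status is one of:
    local, mutual-tls, incomplete, server-tls-only, plaintext, unknown.
    """
    cfg = json.loads(text)
    # Assumption: with no "hosts" key the daemon uses its default local socket.
    hosts = cfg.get("hosts") or ["unix:///var/run/docker.sock"]
    results = []
    for host in hosts:
        scheme = host.split("://", 1)[0].lower()
        if scheme in ("unix", "fd", "npipe"):
            # Local sockets never use TLS; file permissions control access.
            status = "local"
        elif scheme != "tcp":
            status = "unknown"
        elif cfg.get("tlsverify"):
            needed = ("tlscacert", "tlscert", "tlskey")
            # Certificate paths not all set in this file: review them by hand.
            status = "mutual-tls" if all(cfg.get(k) for k in needed) else "incomplete"
        elif cfg.get("tls"):
            # Traffic is encrypted but any client may connect.
            status = "server-tls-only"
        else:
            status = "plaintext"
        results.append((host, status))
    return results

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit_daemon_config(text))
```

Only a `mutual-tls` listener matches the "accept only authorized clients" setup described above; a `local` listener is the Unix socket path used in 10.7, where access depends on who can open the socket file.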