Setup App and API Protection for Java in Kubernetes
You can enable App and API Protection for Java services with the following setup options:
- If your Java service already has APM tracing set up and running, then skip to service configuration
- If your Java service doesn't have APM tracing set up, you can easily enable App and API Protection with Datadog's Automatic Installation
- Otherwise, keep reading the following manual setup instructions
Overview
App and API Protection works by leveraging the Datadog Java library to monitor and secure your Java service. The library integrates seamlessly with your existing application without requiring code changes.
For detailed compatibility information, including supported Java versions, frameworks, and deployment environments, see Java Compatibility Requirements.
This guide explains how to set up App and API Protection (AAP) for Java applications. The setup involves:
- Installing the Datadog Agent
- Enabling App and API Protection monitoring
- Running your Java application with the Datadog Agent
- Verifying the setup
Prerequisites
- Kubernetes cluster
- Java application containerized with Docker
- kubectl configured to access your cluster
- Helm (recommended for Agent installation)
- Your Datadog API key
- Datadog Java tracing library (see version requirements here)
1. Installing the Datadog Agent
Install the Datadog Agent by following the setup instructions for Kubernetes.
2. Enabling App and API Protection monitoring
Automatically enabling App and API Protection through Remote Configuration
APM tracing cannot currently be disabled through Remote Configuration.
You can enable remote configuration on your services dashboard.
Simply check the box for the service you want to enable App and API Protection for under "Activate on your APM services".
Manually enabling App and API Protection monitoring
Download the latest version of the Datadog Java library using an init container:
# Fragment: merge into your existing Deployment.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: your-java-app
spec:
  template:
    spec:
      initContainers:
        # Fetches the latest tracer on every pod start; the version is not pinned.
        - name: download-agent
          image: busybox
          command: ['sh', '-c', 'wget -O /shared/dd-java-agent.jar https://dtdg.co/latest-java-tracer']
          volumeMounts:
            - name: agent-volume
              mountPath: /shared
      volumes:
        - name: agent-volume
          emptyDir: {}
Start your Java application with the Datadog agent and App and API Protection enabled using command-line arguments:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: your-java-app
spec:
  template:
    spec:
      containers:
        - name: your-java-app
          image: your-java-app-image
          # agent-volume is the emptyDir filled by the download-agent init container.
          volumeMounts:
            - name: agent-volume
              mountPath: /dd-java-agent.jar
              subPath: dd-java-agent.jar
          command: ["java"]
          args: ["-javaagent:/dd-java-agent.jar", "-Ddd.appsec.enabled=true", "-Ddd.service=<MY_SERVICE>", "-Ddd.env=<MY_ENV>", "-jar", "/app.jar"]
Start your Java application with App and API Protection enabled using environment variables:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: your-java-app
spec:
  template:
    spec:
      containers:
        - name: your-java-app
          image: your-java-app-image
          volumeMounts:
            - name: agent-volume
              mountPath: /dd-java-agent.jar
              subPath: dd-java-agent.jar
          env:
            - name: DD_APPSEC_ENABLED
              value: "true"
            - name: DD_SERVICE
              value: "<MY_SERVICE>"
            - name: DD_ENV
              value: "<MY_ENV>"
          command: ["java"]
          args: ["-javaagent:/dd-java-agent.jar", "-jar", "/app.jar"]
To disable APM tracing while keeping App and API Protection enabled, set the APM tracing setting to false: dd.apm.tracing.enabled as a system property, or DD_APM_TRACING_ENABLED as an environment variable.
Start your Java application with the Datadog agent, App and API Protection enabled, and APM tracing disabled using command-line arguments:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: your-java-app
spec:
  template:
    spec:
      containers:
        - name: your-java-app
          image: your-java-app-image
          volumeMounts:
            - name: agent-volume
              mountPath: /dd-java-agent.jar
              subPath: dd-java-agent.jar
          command: ["java"]
          args: ["-javaagent:/dd-java-agent.jar", "-Ddd.appsec.enabled=true", "-Ddd.apm.tracing.enabled=false", "-Ddd.service=<MY_SERVICE>", "-Ddd.env=<MY_ENV>", "-jar", "/app.jar"]
Start your Java application with App and API Protection enabled using environment variables:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: your-java-app
spec:
  template:
    spec:
      containers:
        - name: your-java-app
          image: your-java-app-image
          volumeMounts:
            - name: agent-volume
              mountPath: /dd-java-agent.jar
              subPath: dd-java-agent.jar
          env:
            - name: DD_APPSEC_ENABLED
              value: "true"
            - name: DD_APM_TRACING_ENABLED
              value: "false"
            - name: DD_SERVICE
              value: "<MY_SERVICE>"
            - name: DD_ENV
              value: "<MY_ENV>"
          command: ["java"]
          args: ["-javaagent:/dd-java-agent.jar", "-jar", "/app.jar"]
3. Run your application
Apply your updated deployment:
kubectl apply -f your-deployment.yaml
4. Verify setup
To verify that App and API Protection is working correctly:
- Send some traffic to your application
- Check the Application Signals Explorer in Datadog
- Look for security signals and vulnerabilities
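Before sending traffic, the applied Deployment can be checked against the wiring from step 2. This is an added example, not Datadog tooling or code from this guide: the function names and the check_aap.py file name are hypothetical, and it assumes a -Ddd.* system property takes precedence over the matching DD_* environment variable when both are set.

```python
import json
import sys

# Constructed sample (trimmed `kubectl get deployment -o json`), appsec flag left out.
SAMPLE = {"spec": {"template": {"spec": {
    "initContainers": [{"name": "download-agent", "volumeMounts": [
        {"name": "agent-volume", "mountPath": "/shared"}]}],
    "containers": [{"name": "your-java-app", "command": ["java"],
                    "args": ["-javaagent:/dd-java-agent.jar", "-jar", "/app.jar"],
                    "env": [{"name": "DD_ENV", "value": "<MY_ENV>"}],
                    "volumeMounts": [{"name": "agent-volume", "subPath": "dd-java-agent.jar",
                                      "mountPath": "/dd-java-agent.jar"}]}]}}}}


def effective_settings(container):
    """Merge DD_* env vars and -Ddd.* properties into dd.* keys."""
    argv = container.get("command", []) + container.get("args", [])
    settings = {e["name"].lower().replace("_", "."): e.get("value", "")
                for e in container.get("env", []) if e["name"].startswith("DD_")}
    # Assumption: a -Ddd.* system property overrides the matching DD_* variable.
    settings.update(a[2:].split("=", 1) for a in argv
                    if a.startswith("-Ddd.") and "=" in a)
    return settings, argv


def check_deployment(dep):
    """Return findings; an empty list means the wiring matches the guide."""
    pod = dep["spec"]["template"]["spec"]
    init_vols = {m["name"] for ic in pod.get("initContainers", [])
                 for m in ic.get("volumeMounts", [])}
    findings = []
    for c in pod.get("containers", []):
        settings, argv = effective_settings(c)
        jar = next((a[11:] for a in argv if a.startswith("-javaagent:")), None)
        mounted = any(m["mountPath"] == jar and m["name"] in init_vols
                      for m in c.get("volumeMounts", []))
        if jar is None:
            findings.append(f"{c['name']}: no -javaagent argument")
        elif not mounted:
            findings.append(f"{c['name']}: {jar} is not on a volume an init container fills")
        if settings.get("dd.appsec.enabled") != "true":
            findings.append(f"{c['name']}: dd.appsec.enabled is not true")
        for key in ("dd.service", "dd.env"):
            if not settings.get(key) or settings[key].startswith("<"):
                findings.append(f"{c['name']}: {key} is unset or still a placeholder")
    return findings


if __name__ == "__main__":  # kubectl get deployment your-java-app -o json | python check_aap.py
    print("\n".join(check_deployment(json.load(sys.stdin))) or "ok")
```

An empty result only confirms that the manifest is wired as described; signals in Datadog still depend on the Agent being reachable from the pod.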
Troubleshooting
If you encounter issues while setting up App and API Protection for your Java application, see the Java App and API Protection troubleshooting guide.