--- title: Set up App and API Protection for Java in Kubernetes description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > App and API Protection > Enabling App and API Protection > Enabling App and API Protection for Java > Set up App and API Protection for Java in Kubernetes --- # Set up App and API Protection for Java in Kubernetes {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). (). {% /alert %} {% /callout %} {% alert level="info" %} You can enable App and API Protection for Java services with the following setup options: 1. If your Java service already has APM tracing set up and running, then skip to service configuration. 1. If your Java service doesn't have APM tracing set up, you can easily enable App and API Protection with Datadog's [Automatic Installation](https://docs.datadoghq.com/tracing/trace_collection/automatic_instrumentation/single-step-apm/kubernetes/). 1. Otherwise, continue reading the manual setup instructions below. {% /alert %} ## Overview{% #overview %} App and API Protection leverages the [Datadog Java library](https://github.com/DataDog/dd-trace-java/) to monitor and secure your Java service. The library integrates seamlessly with your existing application without requiring code changes. For detailed compatibility information, including supported Java versions, frameworks, and deployment environments, see [Java Compatibility Requirements](https://docs.datadoghq.com/security/application_security/setup/java/compatibility). This guide explains how to set up App and API Protection (AAP) for Java applications. The setup involves: 1. Installing the Datadog Agent. 1. Enabling App and API Protection monitoring. 1. Running your Java application with the Datadog Agent. 1. Verifying the setup. ## Prerequisites{% #prerequisites %} - Kubernetes cluster - Java application containerized with Docker - kubectl configured to access your cluster - Helm (recommended for Agent installation) - Your Datadog API key - Datadog Java tracing library (see version requirements [here](https://docs.datadoghq.com/security/application_security/setup/java/compatibility)) ## 1. Installing the Datadog Agent Install the Datadog Agent by following the [setup instructions for Kubernetes](https://docs.datadoghq.com/agent/?tab=cloud_and_container). ## 2. Enabling App and API Protection monitoring If your Java service already has APM tracing set up and running, you can automatically enable App and API Protection through Remote Configuration.If not, enable App and API Protection with the manual configuration instructions..navigation-menu{background:#f8f9fa;border:1px solid #e9ecef;border-radius:8px;padding:20px;margin:20px 0}.nav-container h3{margin-top:0;margin-bottom:15px;color:#333;font-size:1.1em}.nav-list{list-style:none;padding:0;margin:0}.nav-list li{margin-bottom:8px}.nav-list a{color:#06c;text-decoration:none;font-weight:500}.nav-list a:hover{text-decoration:underline;color:#049} ### Automatically enabling App and API Protection through Remote Configuration{% #automatically-enabling-app-and-api-protection-through-remote-configuration %} You can enable services with remote configuration on your [services dashboard](https://app.datadoghq.com/security/configuration/asm/setup?services=recommended). Check the box for the service you want to enable App and API Protection for under Activate on your APM services. ### Manually enabling App and API Protection monitoring{% #manually-enabling-app-and-api-protection-monitoring %} Download the latest version of the Datadog Java library using an init container: ```yaml apiVersion: apps/v1 kind: Deployment metadata: name: your-java-app spec: template: spec: initContainers: - name: download-agent image: busybox command: ['sh', '-c', 'wget -O /shared/dd-java-agent.jar https://dtdg.co/latest-java-tracer'] volumeMounts: - name: agent-volume mountPath: /shared volumes: - name: agent-volume emptyDir: {} ``` {% collapsible-section %} #### APM Tracing Enabled {% tab title="Using command-line arguments" %} Start your Java application with the Datadog agent and App and API Protection enabled using command-line arguments: ```yaml apiVersion: apps/v1 kind: Deployment metadata: name: your-java-app spec: template: spec: containers: - name: your-java-app image: your-java-app-image volumeMounts: - name: agent-volume mountPath: /dd-java-agent.jar subPath: dd-java-agent.jar command: ["java"] args: ["-javaagent:/dd-java-agent.jar", "-Ddd.appsec.enabled=true", "-Ddd.service=", "-Ddd.env=", "-jar", "/app.jar"] ``` {% /tab %} {% tab title="Using environment variables" %} Start your Java application with App and API Protection enabled using environment variables: ```yaml apiVersion: apps/v1 kind: Deployment metadata: name: your-java-app spec: template: spec: containers: - name: your-java-app image: your-java-app-image volumeMounts: - name: agent-volume mountPath: /dd-java-agent.jar subPath: dd-java-agent.jar env: - name: DD_APPSEC_ENABLED value: "true" - name: DD_SERVICE value: "" - name: DD_ENV value: "" command: ["java"] args: ["-javaagent:/dd-java-agent.jar", "-jar", "/app.jar"] ``` {% /tab %} {% /collapsible-section %} {% collapsible-section %} #### APM Tracing Disabled To disable APM tracing while keeping App and API Protection enabled, you must set the APM tracing variable to false. {% tab title="Using command-line arguments" %} Start your Java application with the Datadog agent and App and API Protection enabled using command-line arguments: ```yaml apiVersion: apps/v1 kind: Deployment metadata: name: your-java-app spec: template: spec: containers: - name: your-java-app image: your-java-app-image volumeMounts: - name: agent-volume mountPath: /dd-java-agent.jar subPath: dd-java-agent.jar command: ["java"] args: ["-javaagent:/dd-java-agent.jar", "-Ddd.appsec.enabled=true", "-Ddd.apm.tracing.enabled=false", "-Ddd.service=", "-Ddd.env=", "-jar", "/app.jar"] ``` {% /tab %} {% tab title="Using environment variables" %} Start your Java application with App and API Protection enabled using environment variables: ```yaml apiVersion: apps/v1 kind: Deployment metadata: name: your-java-app spec: template: spec: containers: - name: your-java-app image: your-java-app-image volumeMounts: - name: agent-volume mountPath: /dd-java-agent.jar subPath: dd-java-agent.jar env: - name: DD_APPSEC_ENABLED value: "true" - name: DD_APM_TRACING_ENABLED value: "false" - name: DD_SERVICE value: "" - name: DD_ENV value: "" command: ["java"] args: ["-javaagent:/dd-java-agent.jar", "-jar", "/app.jar"] ``` {% /tab %} {% /collapsible-section %} ## 3. Run your application Apply your updated deployment: ```bash kubectl apply -f your-deployment.yaml ``` ## 4. Verify setup To verify that App and API Protection is working correctly: 1. Send some traffic to your application. 1. Check for security signals and vulnerabilities in the [Application Signals Explorer](https://app.datadoghq.com/security/appsec) in Datadog. ## Troubleshooting{% #troubleshooting %} If you encounter issues while setting up App and API Protection for your Java application, see the [Java App and API Protection troubleshooting guide](https://docs.datadoghq.com/security/application_security/setup/java/troubleshooting). ## Further Reading{% #further-reading %} - [How App and API Protection Works](https://docs.datadoghq.com/security/application_security/how-it-works/) - [OOTB App and API Protection Rules](https://docs.datadoghq.com/security/default_rules/?category=cat-application-security) - [Troubleshooting App and API Protection](https://docs.datadoghq.com/security/application_security/troubleshooting)