topic Re: Reducing TLS ciphers in Managed? in Dynatrace Managed Q&A

Reducing TLS ciphers in Dynatrace Managed?

AntonioSousa — Mon, 05 Jan 2026 12:52:49 GMT

In Dynatrace Managed clusters, there is the possibility to limit the ciphers being used, as described in:

https://docs.dynatrace.com/managed/shortlink/managed-custom-install#ssl-certificates-parameters

In a current Managed configuration I see in the configuration file:

SSL_CIPHERS = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_128_CCM_SHA256:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM

I understand that I have to run the command, with the new list of ciphers. But some doubts:

Does this affect both UI access and OneAgent/ActiveGate access?
This command affects only the cluster node where it is executed, or the whole cluster?
Does it restart the web server process automatically, or do we have to restart it so the new list of ciphers aplies?

Re: Reducing TLS ciphers in Managed?

erh_inetum — Wed, 12 Feb 2025 11:33:17 GMT

Hi Antonio,

Does this affect both UI access and OneAgent/ActiveGate access?

I think it affects only to AG.

This command affects only the cluster node where it is executed, or the whole cluster?

I think it affects only the cluster node where it is executed

Does it restart the web server process automatically, or do we have to restart it so the new list of ciphers aplies?

I think it's only necessary restarting cluster nodes. In case you configure accepted/excluded ciphers via custom.properties on AG it's only necessary restarting AG.

Here you have more information.

Anyway, @stefanie_pachne , could you confirm this information? Thanks in advance.

Hope it helps, Antonio.

Regards,

Elena.

Re: Reducing TLS ciphers in Managed?

stefanie_pachne — Thu, 13 Feb 2025 10:01:56 GMT

Hi,

it affects the communication with this cluster node depending on your setup (https://docs.dynatrace.com/managed/managed-cluster/basic-concepts/managed-deployment-scenarios).

Follow one of these instructions and feel free to contact Live Chat if the instructions are unclear:

Best,
Stefanie

Re: Reducing TLS ciphers in Managed?

AntonioSousa — Mon, 23 Jun 2025 22:47:58 GMT

@stefanie_pachne ,
This didn't go as planned:

# /var/opt/dynatrace-managed/installer/server/unix/dynatrace-managed-installer.sh --ssl-ciphers "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384" Starting Dynatrace 1.316.34.20250608-040133 installer ... OK Network proxy used for this upgrade: http://xxx.xxx.xxx.xxx Testing connection to Dynatrace Mission Control ... OK Verifying system compatibility ... OK Verifying disk space ... OK Verifying Dynatrace directories ... OK Verifying system privileges ... OK Verifying system connectivity ... OK Network proxy used for this upgrade: http://xxx.xxx.xxx.xxx Testing connection to Dynatrace Mission Control ... OK Downloading Dynatrace OneAgent. This may take a few minutes ... OK Stopping Dynatrace ... OK Preparing system user for Dynatrace ... OK Initializing upgrade ... OK Checking user permissions ... OK Fixing selinux rules for binaries if needed ... OK Upgrading Nodekeeper ... OK Checking file ownership ... OK Upgrading. This may take a few minutes ... failed failed Rolling back upgrade ... OK Starting Dynatrace. This may take up to half an hour ...

At the moment, still waiting to see if it recovers... It took about 15 minutes to get to the failed part. Don't know if I did something wrong, but would not recommend this procedure without further clarification from Dynatrace. Quite frankly, changing ciphers shouldn't need all the above...

Re: Reducing TLS ciphers in Managed?

stefanie_pachne — Tue, 24 Jun 2025 07:42:27 GMT

@AntonioSousa Would you mind following-up with Live Chat?
My current knowledge of related capabilities are tracked here: Troubleshooting/ActiveGate-Managed-VA-scan-shows-vulnerable-cipher-or/

Re: Reducing TLS ciphers in Managed?

Geoffke — Mon, 16 Feb 2026 07:48:18 GMT

I know this is an older topic but we were reached the following procedure which we did execute succesfully on our managed cluster:

- Edit /etc/dynatrace.conf

- Search for SSL_CIPHERS, adapt accordingly. In the same file change this parameter to off "CIPHERS_AUTOUPDATE = off".

-Execute reconfigure.sh in the installer dir. The cluster node will execute series of steps as shown above like with the installer.sh --ssl_cipher option.

Note, if you which to use TLS v1.3, then set the parameter as follows: "SSL_PROTOCOLS = TLSv1.2 TLSv1.3".