topic Re: Openkit without HTTPS ? in Open Q&A

Openkit without HTTPS ?

AntonioSousa — Wed, 20 May 2020 18:49:24 GMT

I'm having a strange situation where I cannot get an Openkit implementation working. Digging through the details, it seems that it might be related to trying to use a non-HTTPS connection.

In the first place, I'm using an "Instrumented web server", and since this is being done inside an organization, an existing HTTP application was used, with the new termination in /dtmb. I did not give a lot of importance to it, but since the configuration permitted an HTTP:// URL, I did not put an HTTPS:// URL.

A very simple Openkit instrumentation was done, everything appears to be working (no errors), but there is no case where the initial validation openKit.IsInitialized gets TRUE.

Digging through the details I have discovered in

https://www.dynatrace.com/support/help/extend-dynatrace/openkit/installation-and-operation/dynatrace-openkit-api-methods/

that this might be important:

"All OpenKit communication to the backend happens via HTTPS."

Given this, it seems that my HTTP endpoint will probably not work. But since it is allowed in the "Instrumented web server", it might be allowed afterall. Has anybody managed to pass it through an HTTP endpoint? Or any other idea why openKit.IsInitialized would always return FALSE?

Re: Openkit without HTTPS ?

Julius_Loman — Wed, 20 May 2020 19:38:44 GMT

It's a good practice to use the Cluster ActiveGate for this purpose. An instrumented web server should work as well.

I just tried it and it was working for me without any issue (Java with OpenKit library 1.4.2). Which language and library version are you using?

Re: Openkit without HTTPS ?

Julius_Loman — Wed, 20 May 2020 19:50:54 GMT

I believe the statement "All OpenKit communication to the backend happens via HTTPS." refers to Cluster ActiveGate or the Dynatrace beacon forwarder (in case of SaaS).

Re: Openkit without HTTPS ?

AntonioSousa — Tue, 10 Dec 2024 12:59:55 GMT

I believe from your answer that you tried it with HTTP?

Using VB.NET and version 1.4.5.

Re: Openkit without HTTPS ?

Julius_Loman — Wed, 20 May 2020 21:58:48 GMT

Correct. Using http against an instrumented application server. Do you have a correct URL path? (it must end with /mbeacon).
Also OpenKit library does have a verbose option that can be set during initialization. Did you try to turn this on?

Re: Openkit without HTTPS ?

AntonioSousa — Wed, 20 May 2020 22:20:52 GMT

In the latest version, an Instrumented web server must end in /dtmb instead of /mbeacon. Have been wondering if that might be an issue...

Re: Openkit without HTTPS ?

Julius_Loman — Thu, 21 May 2020 07:16:41 GMT

Works as well. Openkit-java-1.4.3 (latest release) with /dtmb . I'm wondering when this change was introduced. Docs still refer the /mbeacon and I did not find anything in the changelogs. Only place is the Dynatrace UI which shows /dtmb when trying to reconfigure the application.

Are you sending directly to the instrumented web server or is some kind of load balancer in the path? (it might filter or otherwise modify the requests). Did you try to turn on the verbose output of openkit?

Re: Openkit without HTTPS ?

AntonioSousa — Thu, 21 May 2020 13:40:50 GMT

Yes, the verbose output reveals that there are HTTP/403 replies from the endpoint. Going to try these approaches, not necessarily by this order:

HTTPS vs HTTP. Given your reply, this doesn't seem to be an issue.
/mbeacon vs /dtmb. Nothing really that I can do here, since I can now only specify /dtmb.
OneAgent on the running system is 1.189, which might mean it is not /dtmb aware...
Some type of intermediate system blocking requests, as you suggest.
Trying to replicate the issue through manual testing. Related to the point before, and trying to follow f«guidelines like the one in the following link, but associated with /dtmb https://www.dynatrace.com/support/help/how-to-use-dynatrace/real-user-monitoring/setup-and-configuration/web-applications/troubleshooting/why-dont-i-see-my-applications-or-monitoring-data/#expand-1182can-i-test-that-the-monitor-signal-passes-through-my-infrastructure
Some type of beacon domain whitelisting, like referenced in the following link, but which has several associated risks: https://www.dynatrace.com/support/help/how-to-use-dynatrace/real-user-monitoring/setup-and-configuration/web-applications/additional-configuration/configure-beacon-domain-whitelist/

Re: Openkit without HTTPS ?

Julius_Loman — Thu, 21 May 2020 14:20:25 GMT

Do just a curl/wget or browser request from the endpoint where you are trying to send data from to the target webserver (e.g. http://myapp.mydomain/dtmb).
The server must reply with HTTP/200

The beacon whitelist might be the cause here as according to docs, OneAgent should reply with HTTP/403 if the domain does not match.

The configuration in Dynatrace UI, whether you send data to Cluster ActiveGate or instrument webserver does not really matter for the app. At least it did not in my case.

Re: Openkit without HTTPS ?

AntonioSousa — Thu, 21 May 2020 17:01:36 GMT

I have figured out it must really be some security in between, and already have a workaround. Both dtmb & mbeacon are available. Let's see if the custom application will go ahead, but that's for tomorrow 😉

Re: Openkit without HTTPS ?

Julius_Loman — Thu, 21 May 2020 19:35:13 GMT

Very likely if you have some load balancer or web application firewall in between, strange things may happen. Please share your findings.

Re: Openkit without HTTPS ?

AntonioSousa — Fri, 22 May 2020 11:20:06 GMT

Yep, it worked! It was a security configuration, that didn't permit /dtmb directly at the beginning of the URL. But once given another "directory", like http://example.com/application/dtmb, it worked! 🙂