
How can we fix Vulnerability on collector port 9998?

CharlesWu
Guide

In AppMon version 7.x, the collector has TLSv1.2 enabled for agents to communicate. However, the certificate installed on collectors uses CN=AppMon_server_FQDN, which has triggered a Vulnerability of "SSL Certificate - Subject Common Name Does Not Match Server FQDN". Can you help with the options below?

1) If I wanted to disable SSL on collector port 9998, how?

2) If I wanted to get rid of this Vulnerability by using CN=Collector_FQDN, how do I install this new certificate on a collector without affecting other collectors and the AppMon server?

Any suggestions are appreciated. Thanks.



BabarQayyum
Leader

Hello @Charles W.

I did not try it myself, but you can review the documented information and the link below for a better understanding.

To enable SSL connections between Collector and Agent, you need to set the DT_USESSL environment variable, or the usessl parameter, to true. Encrypted communication uses the same port as non-encrypted.

https://www.dynatrace.com/support/doc/appmon/insta...

Regards,

Babar


Thanks for your input, but I already read this before I posted my question here. My question is not about how to configure the agent to use SSL to connect to the collector. Instead, my question is how to eliminate the Vulnerability of "SSL Certificate - Subject Common Name Does Not Match Server FQDN" on collector port 9998, with SSL enabled now in v7.x. We didn't have this issue in v6.5 because SSL was not enabled on collector port 9998.


That page is very misleading, as it implies you can enable SSL between Agent and Collector on the Classic Agent. From recent discussions with Dynatrace, they advised and recommended not to do this due to the excessive load that would be put on the Agent to encrypt the byte stream.

I know this is not to do with the initial question. But I do believe that the page reference needs to be updated.


Hello @Darren M.

Thank you for sharing your discussion with support. This will be really helpful for others, but as you said, the documented information should be updated because we mostly rely on it.

Regards,

Babar


Thanks Darren. This is very valuable information. If Dynatrace advised and recommended not to use SSL for the agent to connect to the collector, do you know how to disable SSL? I am guessing maybe there is an option or environment variable, such as nossl=true? If TLSv1.2 is not turned off, our Security Scanner would keep complaining about this Vulnerability.


Hello @Charles W.

I guess open a support case for this, and then also update your post so others can get the benefits.

Regards,

Babar


By default for the AppMon Classic Agent, SSL should be disabled. The AppMon One Agent uses HTTPS to connect to the Collector and as such SSL is enabled for that.


Ok, we are not using the AppMon One Agent now, so there is no need to leave SSL enabled on the collector port. Are we able to turn SSL off on the collector port? In v6.5, without SSL enabled, our scanner never complained about a Vulnerability on the Collector side. If we enable SSL, we are required to comply with the standard. Dynatrace really needs to consider this before putting out anything new; otherwise this becomes very annoying, because we are required to keep the scanner from complaining about a Vulnerability.

I did submit a support case, but so far I have only received what is described in the reference, which is why I posted here; maybe I'll get lucky and some others have run into the same issue.


CharlesWu
Guide

Just wanted to share with you the solution from the support ticket:

Development has created a fix to disable SSL communication between the Classic Agents -> Collectors. This fix is going to be included in public update 7.1.10, which will be available in early to mid August 2018.


Just wanted to share information here: I am able to disable SSL on the collector port by applying v7.1.10 (need to get this from support) when using the classic agents. I have another ticket for using AppMon agents that need SSL enabled, and as I was told, the lab will add a new feature in v7.2 to allow deploying a different certificate to the collector, so a certificate with CN=collector_fqdn instead of CN=DT_server_fqdn, which will address the Vulnerability of "SSL Certificate - Subject Common Name Does Not Match Server FQDN". Hopefully you don't run into this issue in AppMon, but if so, these are the answers.