Dynatrace Managed Q&A

How to Disable Port 8022 and Replace Default Certificate on Dynatrace Nodes?

Hello everyone,

Today we received a notification regarding potential vulnerabilities in Dynatrace. It was mentioned that Dynatrace nodes are accessible via the web on port 8022, for example:

https://dyntarce-node01.test.local:8022

It appears that Dynatrace’s own default certificate is being used there. Although the certificate has a long validity period, it is indicated as not secure. Based on this, I have several questions:

  1. Is it possible to disable port 8022?

  2. Is it possible to block web access via the cluster nodes?

  3. Most importantly, can we replace this certificate with our own internal certificate?

To be honest, I am not fully sure which ports are used for which purposes, and whether they all use the same certificate. If all of them use the same certificate, can we replace it with our internal certificate? If yes, how can we do that?

I would appreciate your assistance.

Thank you.

 

5 REPLIES

Mizső
DynaMight Guru

Hi @HuseynNajafli 

I think you can disable the 8022 port.

Cluster node ports — Dynatrace Managed Docs


Best regards,

János

Dynatrace Community RockStar 2024, Certified Dynatrace Professional

Oh, thank you. And certificate?

You should block this port using the node's local firewall (iptables/nftables).

Changing the certificate on the dynatrace server process (the one listening on 8022 tcp port) is not supported. All communication to cluster node is through the NGINX where you are in control of the certificate (or you use Dynatrace issued certs if you use *.dynatrace-managed.com domain).

Dynatrace Ambassador | Alanata a.s., Slovakia, Dynatrace Master Partner

Thank you very much.

Just to clarify: does this mean that I can change the certificate used for communication between the nodes themselves? Do Elasticsearch or other components also communicate using the same certificate? And is the certificate used for communication between Dynatrace nodes and Dynatrace servers the same as well?

mcsvc.dynatrace.com, mcsvc-us.dynatrace.com, mcsvc-eu.dynatrace.com, mcsvc-ap.dynatrace.com

If I replace the certificate with our own local certificate, would that cause any issues? When I change the certificate in NGINX, will it automatically change for all other components as well?

Unfortunately, I’m not able to upload images; otherwise, I could have explained everything more clearly with screenshots. By the way, do you know why I might not be able to upload images? It says that I don’t have permission.

@HuseynNajafli, the only supported way of changing certificates is this one. You shall not try to change any certificate manually by editing config files or changing any certificate stores. This replaces the certificate on the NGINX - and all communication to the cluster node goes through it - except communication between cluster nodes. 

 

Dynatrace Ambassador | Alanata a.s., Slovakia, Dynatrace Master Partner
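A post-change check for the two steps advised in the replies above (firewalling port 8022 and replacing the certificate on NGINX), as an added example that is not from the thread or from Dynatrace. It assumes it is run from a host outside the cluster; the host names and the `expected_fp` parameter (SHA-256 fingerprint of your own certificate) are hypothetical.

```python
import hashlib
import socket
import ssl


def probe(host, port, timeout=3.0):
    """Return (state, sha256 hex of the presented leaf cert or None)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed", None        # nothing listening, or a REJECT rule
    except socket.timeout:
        return "filtered", None      # typical of a firewall DROP rule
    except OSError:
        return "unreachable", None   # DNS or routing failure
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # audit only: record the cert even if
    ctx.verify_mode = ssl.CERT_NONE  # it is self-signed or untrusted
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    except (ssl.SSLError, OSError):
        return "open", None          # port answers but does not speak TLS
    return "open", hashlib.sha256(der).hexdigest()


def audit(nodes, expected_fp=None, public_port=443, internal_port=8022, timeout=3.0):
    """Return a list of (host, finding) tuples; empty means nothing to fix."""
    findings = []
    for host in nodes:
        int_state, _ = probe(host, internal_port, timeout)
        if int_state == "open":
            findings.append((host, f"port {internal_port} is still reachable"))
        pub_state, pub_fp = probe(host, public_port, timeout)
        if pub_state != "open":
            findings.append((host, f"port {public_port} is {pub_state}"))
        elif expected_fp and pub_fp != expected_fp.lower().replace(":", ""):
            findings.append((host, f"port {public_port} presents {pub_fp}"))
    return findings


if __name__ == "__main__":
    # Constructed host names; replace with your own cluster nodes.
    for host, finding in audit(["node01.example.internal", "node02.example.internal"]):
        print(f"{host}: {finding}")
```

A "filtered" or "closed" result on 8022 together with an unchanged result on 443 is what the firewall change should produce.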
