11 Feb 2025 09:49 PM
In Dynatrace Managed clusters, there is the possibility to limit the ciphers being used, as described in:
https://docs.dynatrace.com/managed/shortlink/managed-custom-install#ssl-certificates-parameters
In a current Managed configuration I see in the configuration file:
SSL_CIPHERS = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_128_CCM_SHA256:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM
I understand that I have to run the command with the new list of ciphers, but I have some doubts:
12 Feb 2025 11:33 AM
Hi Antonio,
I think it affects only the AG.
I think it affects only the cluster node where it is executed.
I think it's only necessary to restart the cluster nodes. If you configure accepted/excluded ciphers via custom.properties on the AG, it's only necessary to restart the AG.
Here you have more information.
Anyway, @stefanie_pachne, could you confirm this information? Thanks in advance.
Hope it helps, Antonio.
Regards,
Elena.
13 Feb 2025 07:58 AM - edited 13 Feb 2025 10:01 AM
Hi,
it affects the communication with this cluster node depending on your setup (https://docs.dynatrace.com/managed/managed-cluster/basic-concepts/managed-deployment-scenarios).
Follow one of these instructions and feel free to contact Live Chat if the instructions are unclear:
Best,
Stefanie
23 Jun 2025 11:47 PM
@stefanie_pachne,
This didn't go as planned:
# /var/opt/dynatrace-managed/installer/server/unix/dynatrace-managed-installer.sh --ssl-ciphers "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
Starting Dynatrace 1.316.34.20250608-040133 installer ... OK
Network proxy used for this upgrade: http://xxx.xxx.xxx.xxx
Testing connection to Dynatrace Mission Control ... OK
Verifying system compatibility ... OK
Verifying disk space ... OK
Verifying Dynatrace directories ... OK
Verifying system privileges ... OK
Verifying system connectivity ... OK
Network proxy used for this upgrade: http://xxx.xxx.xxx.xxx
Testing connection to Dynatrace Mission Control ... OK
Downloading Dynatrace OneAgent. This may take a few minutes ... OK
Stopping Dynatrace ... OK
Preparing system user for Dynatrace ... OK
Initializing upgrade ... OK
Checking user permissions ... OK
Fixing selinux rules for binaries if needed ... OK
Upgrading Nodekeeper ... OK
Checking file ownership ... OK
Upgrading. This may take a few minutes ... failed
failed
Rolling back upgrade ... OK
Starting Dynatrace. This may take up to half an hour ...
At the moment, still waiting to see if it recovers... It took about 15 minutes to get to the failed part. Don't know if I did something wrong, but would not recommend this procedure without further clarification from Dynatrace. Quite frankly, changing ciphers shouldn't need all the above...
24 Jun 2025 08:42 AM
@AntonioSousa Would you mind following-up with Live Chat?
My current knowledge of related capabilities is tracked here: Troubleshooting/ActiveGate-Managed-VA-scan-shows-vulnerable-cipher-or/
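
Added example (not part of the thread and not Dynatrace tooling): a shell script that lists which ciphers the command in the 23 Jun post drops relative to the SSL_CIPHERS value in the first post, then probes a node with openssl s_client to confirm those ciphers are no longer negotiated. The host name and port in the usage comment are placeholders, and it assumes a local openssl build that can still offer the CCM suites.

```shell
#!/bin/sh
# Added example, not from the thread. Both cipher lists are copied from the posts
# above; the host name in the usage line at the bottom is a placeholder.
BEFORE="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_128_CCM_SHA256:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM"
AFTER="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"

# Print every cipher in list $1 that is missing from list $2, one per line.
# The body runs in a subshell so the IFS and globbing changes stay local.
dropped_ciphers() (
  set -f; IFS=:
  for c in $1; do
    case ":$2:" in
      *":$c:"*) ;;                 # still present in the new list
      *) printf '%s\n' "$c" ;;     # removed by the change
    esac
  done
)

# Build the openssl s_client options that offer exactly one cipher.
# TLS 1.3 suites (TLS_ prefix) need -ciphersuites; TLS 1.2 ones use -cipher.
probe_args() {
  case "$1" in
    TLS_*) printf '%s' "-tls1_3 -ciphersuites $1" ;;
    *)     printf '%s' "-tls1_2 -cipher $1" ;;
  esac
}

# Return 0 if host:port ($1) completes a handshake when offered only cipher $2.
# A failure can also mean the local openssl refuses to offer that cipher.
accepts_cipher() {
  # Word splitting of the probe_args output is intended here.
  openssl s_client -connect "$1" $(probe_args "$2") </dev/null >/dev/null 2>&1
}

# Probe one node with each dropped cipher and report the result.
check_node() {
  dropped_ciphers "$BEFORE" "$AFTER" | while read -r c; do
    if accepts_cipher "$1" "$c"; then
      echo "STILL ACCEPTED  $c"
    else
      echo "rejected        $c"
    fi
  done
}

# Usage (placeholder host): check_node managed-node.example.internal:443
```

Run `check_node` against each cluster node and ActiveGate endpoint separately, since the replies above indicate the setting applies per node.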