This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Looking to upgrade from Dynatrace Managed to SaaS? See how

Reducing TLS ciphers in Managed?

Go to solution
AntonioSousa
DynaMight Guru
DynaMight Guru

‎11 Feb 2025 09:49 PM

In Dynatrace Managed clusters, there is the possibility to limit the ciphers being used, as described in:

https://docs.dynatrace.com/managed/shortlink/managed-custom-install#ssl-certificates-parameters

AntonioSousa_0-1739309216617.png

In a current Managed configuration I see in the configuration file:

SSL_CIPHERS = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_128_CCM_SHA256:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM

I understand that I have to run the command, with the new list of ciphers. But some doubts:

  • Does this affect both UI access and OneAgent/ActiveGate access?
  • This command affects only the cluster node where it is executed, or the whole cluster?
  • Does it restart the web server process automatically, or do we have to restart it so the new list of ciphers aplies?
Antonio Sousa
0 Kudos
Reply
4 REPLIES 4

Go to solution
erh_inetum
Champion

‎12 Feb 2025 11:33 AM

Hi Antonio,

  • Does this affect both UI access and OneAgent/ActiveGate access?

I think it affects only to AG.

  • This command affects only the cluster node where it is executed, or the whole cluster?

I think it affects only the cluster node where it is executed

  • Does it restart the web server process automatically, or do we have to restart it so the new list of ciphers aplies?

I think it's only necessary restarting cluster nodes. In case you configure accepted/excluded ciphers via custom.properties on AG it's only necessary restarting AG.

Here you have more information.

Anyway, @stefanie_pachne , could you confirm this information? Thanks in advance.

Hope it helps, Antonio.

Regards,

Elena.

 

0 Kudos
Reply

Go to solution
stefanie_pachne
Dynatrace Helper
Dynatrace Helper
In response to erh_inetum

‎13 Feb 2025 07:58 AM - edited ‎13 Feb 2025 10:01 AM

Hi,

it affects the communication with this cluster node depending on your setup (https://docs.dynatrace.com/managed/managed-cluster/basic-concepts/managed-deployment-scenarios).

Follow one of these instructions and feel free to contact Live Chat if the instructions are unclear:

Best,
Stefanie

Reply

Go to solution
AntonioSousa
DynaMight Guru
DynaMight Guru
In response to stefanie_pachne

‎23 Jun 2025 11:47 PM

@stefanie_pachne ,
This didn't go as planned:

# /var/opt/dynatrace-managed/installer/server/unix/dynatrace-managed-installer.sh --ssl-ciphers "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
Starting Dynatrace 1.316.34.20250608-040133 installer ...              OK
Network proxy used for this upgrade: http://xxx.xxx.xxx.xxx
Testing connection to Dynatrace Mission Control ...                    OK
Verifying system compatibility ...                                     OK
Verifying disk space ...                                               OK
Verifying Dynatrace directories ...                                    OK
Verifying system privileges ...                                        OK
Verifying system connectivity ...                                      OK
Network proxy used for this upgrade: http://xxx.xxx.xxx.xxx
Testing connection to Dynatrace Mission Control ...                    OK
Downloading Dynatrace OneAgent. This may take a few minutes ...        OK
Stopping Dynatrace ...                                                 OK
Preparing system user for Dynatrace ...                                OK
Initializing upgrade ...                                               OK
Checking user permissions ...                                          OK
Fixing selinux rules for binaries if needed ...                        OK
Upgrading Nodekeeper ...                                               OK
Checking file ownership ...                                            OK
Upgrading. This may take a few minutes ...                             failed
failed
Rolling back upgrade ...                                               OK
Starting Dynatrace. This may take up to half an hour ...

 

At the moment, still waiting to see if it recovers... It took about 15 minutes to get to the failed part. Don't know if I did something wrong, but would not recommend this procedure without further clarification from Dynatrace. Quite frankly, changing ciphers shouldn't need all the above...

Antonio Sousa
0 Kudos
Reply

Go to solution
stefanie_pachne
Dynatrace Helper
Dynatrace Helper
In response to AntonioSousa

‎24 Jun 2025 08:42 AM

@AntonioSousa Would you mind following-up with Live Chat?
My current knowledge of related capabilities are tracked here: Troubleshooting/ActiveGate-Managed-VA-scan-shows-vulnerable-cipher-or/ 

0 Kudos
Reply
Ask a question

Featured Posts