Reducing TLS ciphers in Managed?

AntonioSousa
DynaMight Guru

In Dynatrace Managed clusters, there is the possibility to limit the ciphers being used, as described in:

https://docs.dynatrace.com/managed/shortlink/managed-custom-install#ssl-certificates-parameters


In a current Managed configuration I see in the configuration file:

SSL_CIPHERS = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_128_CCM_SHA256:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM

I understand that I have to run the command, with the new list of ciphers. But some doubts:

  • Does this affect both UI access and OneAgent/ActiveGate access?
  • This command affects only the cluster node where it is executed, or the whole cluster?
  • Does it restart the web server process automatically, or do we have to restart it so the new list of ciphers applies?
Antonio Sousa

erh_inetum
Champion

Hi Antonio,

  • Does this affect both UI access and OneAgent/ActiveGate access?

I think it affects only the AG.

  • This command affects only the cluster node where it is executed, or the whole cluster?

I think it affects only the cluster node where it is executed.

  • Does it restart the web server process automatically, or do we have to restart it so the new list of ciphers applies?

I think it's only necessary to restart the cluster nodes. If you configure accepted/excluded ciphers via custom.properties on the AG, it's only necessary to restart the AG.

Here you have more information.

Anyway, @stefanie_pachne , could you confirm this information? Thanks in advance.

Hope it helps, Antonio.

Regards,

Elena.


Hi,

it affects the communication with this cluster node depending on your setup (https://docs.dynatrace.com/managed/managed-cluster/basic-concepts/managed-deployment-scenarios).

Follow one of these instructions and feel free to contact Live Chat if the instructions are unclear:

Best,
Stefanie

@stefanie_pachne ,
This didn't go as planned:

# /var/opt/dynatrace-managed/installer/server/unix/dynatrace-managed-installer.sh --ssl-ciphers "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
Starting Dynatrace 1.316.34.20250608-040133 installer ...              OK
Network proxy used for this upgrade: http://xxx.xxx.xxx.xxx
Testing connection to Dynatrace Mission Control ...                    OK
Verifying system compatibility ...                                     OK
Verifying disk space ...                                               OK
Verifying Dynatrace directories ...                                    OK
Verifying system privileges ...                                        OK
Verifying system connectivity ...                                      OK
Network proxy used for this upgrade: http://xxx.xxx.xxx.xxx
Testing connection to Dynatrace Mission Control ...                    OK
Downloading Dynatrace OneAgent. This may take a few minutes ...        OK
Stopping Dynatrace ...                                                 OK
Preparing system user for Dynatrace ...                                OK
Initializing upgrade ...                                               OK
Checking user permissions ...                                          OK
Fixing selinux rules for binaries if needed ...                        OK
Upgrading Nodekeeper ...                                               OK
Checking file ownership ...                                            OK
Upgrading. This may take a few minutes ...                             failed
failed
Rolling back upgrade ...                                               OK
Starting Dynatrace. This may take up to half an hour ...


At the moment, still waiting to see if it recovers... It took about 15 minutes to get to the failed part. Don't know if I did something wrong, but would not recommend this procedure without further clarification from Dynatrace. Quite frankly, changing ciphers shouldn't need all the above...

Antonio Sousa
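As an added example that is not part of this thread and not Dynatrace tooling, the POSIX shell script below puts the two cipher lists from the thread side by side: the SSL_CIPHERS value quoted from the Managed configuration file in the first post and the shorter list passed to the installer above. It shows which suites the new list drops, flags suites a reviewer would question (CCM8 suites carry only a 64-bit authentication tag, and the other rules are heuristics on OpenSSL naming), and can probe a live endpoint with openssl s_client to see which suites a given port actually negotiates after the change, which is the practical way to answer whether the UI port and the OneAgent/ActiveGate ports are both affected. OpenSSL configures TLS 1.3 suites separately (-ciphersuites) from TLS 1.2 suites (-cipher), so the script classifies each name first. The host and port arguments are placeholders; the offline analysis runs without any network access.

```shell
#!/bin/sh
# Added example: compare and sanity-check OpenSSL-style cipher lists, then
# optionally probe a live TLS endpoint. Not Dynatrace's own tooling.

# Cipher list quoted from the Managed configuration file in the first post.
OLD_CIPHERS='TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_128_CCM_SHA256:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM'

# Reduced list passed to dynatrace-managed-installer.sh --ssl-ciphers above.
NEW_CIPHERS='TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384'

# One cipher per line, prefixed with its protocol family. IANA-style names
# beginning with TLS_ are TLS 1.3 suites (OpenSSL: -ciphersuites); everything
# else is an OpenSSL TLS 1.2-and-below name (OpenSSL: -cipher).
classify_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r c; do
        case "$c" in
            '')    ;;
            TLS_*) printf 'tls13 %s\n' "$c" ;;
            *)     printf 'tls12 %s\n' "$c" ;;
        esac
    done
}

# Ciphers present in list $1 but absent from list $2.
dropped_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r c; do
        case ":$2:" in
            *":$c:"*) ;;                     # still present in the new list
            *)        printf '%s\n' "$c" ;;  # dropped
        esac
    done
}

# Heuristic review of a cipher list based on OpenSSL naming conventions:
#   - CCM8 suites use an 8-byte (64-bit) AEAD authentication tag
#   - TLS 1.2 names without GCM/CCM/CHACHA20 are CBC or stream ciphers
#   - TLS 1.2 names without an ECDHE-/DHE- prefix lack forward secrecy
# TLS 1.3 suites are all AEAD with ephemeral key exchange and are not flagged.
flag_weak_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r c; do
        reason=
        case "$c" in
            '')            ;;
            *CCM8*)        reason='CCM8: 64-bit authentication tag' ;;
            TLS_*)         ;;
            ECDHE-*|DHE-*) case "$c" in
                               *GCM*|*CCM*|*CHACHA20*) ;;
                               *) reason='not AEAD (CBC or stream cipher)' ;;
                           esac ;;
            *)             reason='no forward secrecy (static key exchange)' ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s  %s\n' "$c" "$reason"
        fi
    done
}

# Probe host:port once per cipher, offering only that suite, and report which
# ones the server negotiates. Requires network access and openssl >= 1.1.1.
# Run it against each listener you care about (UI port, OneAgent/ActiveGate
# ports); which ports those are is an assumption you must fill in.
probe_ciphers() {
    host="$1"; port="$2"; list="$3"
    classify_ciphers "$list" | while read -r family c; do
        if [ "$family" = tls13 ]; then
            set -- -tls1_3 -ciphersuites "$c"
        else
            set -- -tls1_2 -cipher "$c"
        fi
        if openssl s_client -connect "$host:$port" -servername "$host" "$@" \
               </dev/null 2>/dev/null | grep -q "Cipher is $c"; then
            printf 'accepted %s %s\n' "$family" "$c"
        else
            printf 'rejected %s %s\n' "$family" "$c"
        fi
    done
}

# Offline report; pass "host port" to also probe a live endpoint, e.g.
#   ./ciphers.sh managed-node.example.internal 443   (placeholder host/port)
echo '--- suites dropped by the new list ---'
dropped_ciphers "$OLD_CIPHERS" "$NEW_CIPHERS"
echo '--- review of the old list ---'
flag_weak_ciphers "$OLD_CIPHERS"
if [ $# -eq 2 ]; then
    probe_ciphers "$1" "$2" "$OLD_CIPHERS"
fi
```

Run the probe against the node before and after the installer run, and against every port the cluster node and the ActiveGate expose, rather than trusting the configuration file: the accepted/rejected output is the only evidence that the new list is in effect for that listener.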

@AntonioSousa Would you mind following-up with Live Chat?
My current knowledge of related capabilities is tracked here: Troubleshooting/ActiveGate-Managed-VA-scan-shows-vulnerable-cipher-or/ 
