Are there any plans to update the SSL certificate of OneAgent in the future?

kohei-saito
Organizer

Hi,

On installation of Linux OneAgent, we are asked to verify the signature like this:

Verify signature:
wget https://ca.dynatrace.com....

Once we have installed OneAgent with this certificate, I think we don't have to update the certificate for a while, but are there any plans to update the SSL certificate of OneAgent at some future time?

If you have those plans, please let me know how often and when you update it.

Thanks,
Kohei

8 REPLIES

JamesKitson
Dynatrace Leader

I believe that command to verify the signature is just best practice to ensure there were no issues with the installer and that it is the true installer from Dynatrace that was obtained; it is not mandatory per se. The Security Gateways and Cluster nodes are what have the certificates - the OneAgent itself does not have or need any certificate.

James

Hi, James

Thanks for your comment.

I see.

This signature is optionally needed only on installation of OneAgent and it doesn't matter to the running OneAgent whether the certificates are updated or not.

Is my understanding correct?

Thanks,

Kohei

I believe OneAgents handle all of that without manual intervention. Accessing the UI via a browser and a few other scenarios are when a valid SSL certificate becomes important. Note that if you let Dynatrace manage the certificates I believe it automatically updates the certificates via Let's Encrypt over time so this wouldn't be a concern at all.

https://www.dynatrace.com/support/help/installation/monitoring-setup/what-are-the-available-communication-endpoints/#recap

Hi James,

Do the UI (nginx) and the Agent traffic (Security Gateways & the Dynatrace Server on the node) require two different certificates?


I haven't dealt with that extensively yet, I'll update if I come across anything. I imagine since the traffic is all sent HTTPS it definitely needs a valid cert to be secure but dunno about the details of managing that manually. Like nginx might be able to share the cert with the server or something like that.


kohei-saito
Organizer

Hi James,

Thanks for your answers.

I'm getting to understand.


When we download installers, we can optionally download the signature.
It is used for the installation of OneAgent, and it has nothing to do with the connection between the installed OneAgent/Private Security Gateway and the SaaS Cluster, so we don't have to worry, right?

adam_gardner
Dynatrace Champion

Step 2 of the wizard (verifying the signature) is optional. Steps 1 and 3 are the mandatory ones - wget the sh script and run it.

kohei-saito
Organizer

Hi @Adam G.,

Thanks.

Yes, as you said, steps 1 & 3 are mandatory and step 2 is optional.

I didn't seem to understand that well.

The signature is mandatory, so that means it is not used for the connection between the OneAgent which has been installed and the Dynatrace SaaS Cluster.

@James.K,

I'm sorry for my lack of understanding.

I understand what you said.

I appreciate your kind cooperation!

Kohei