FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Looking to upgrade from Dynatrace Managed to SaaS? See how

Disable port 8020 on Dynatrace Managed

Go to solution
reymond1
Newcomer

‎24 May 2020 04:00 AM - last edited on ‎25 May 2023 08:39 AM by Community Team

Hi Everyone,

I'm totally new with Dynatrace.

Have a question, as it seems I can't find any information on this.

How to disable port 8020 on the Dynatrace Managed server so that communication between the cluster nodes is using on port 8021 (HTTPS)?

Tried to remove port=8020 under webserver section, but it didn't work.

When port 8020 is blocked on subnet level, CMC console shows primary node can't display the storage information for the other, and few other issues as well.

There is also 'connection-mode-webUi=ssl' under the same section, which I enabled, but it doesn't seem to force the connection using SSL. (Not sure if that's the purpose of this directive though).

 

Any idea how to force connection between cluster to use SSL? so that we can block port 8020?

Many thanks

 

Labels:
Reply
3 REPLIES 3

Go to solution
Radoslaw_Szulgo
Dynatrace Guru
Dynatrace Guru

‎24 May 2020 07:33 PM

Here’s the relevant doc page: https://www.dynatrace.com/support/help/shortlink/managed-network-ports

port 8020 can be blocked from incoming access outside of cluster nodes in your firewall. However you can’t block it between nodes as it is needed. Why would you want to do that? If you are concerned about security, keep in mind that’s only internal communication through http port. Also Cassandra and Elasticsearch does not use https due to performance.

Senior Product Manager,
Dynatrace Managed expert
0 Kudos
Reply

Go to solution
reymond1
Newcomer
In response to Radoslaw_Szulgo

‎25 May 2020 12:41 AM

Hi Radoslaw,


Thanks for responding. This is for compliance reason.

Yes, I know it's blocked from external access other than the cluster nodes itself. But, let's say we'll accept the fact that there will be a performance issue, is there any special steps to block this port and only allow port 8021 for communication?

In regards to Elastic and Cassandra, I was planning to port another question in the forum, but you got me there :).

I was able to make Cassandra listen on HTTPS (even on native port on 9042), and there's no issue between Cassandra nodes. But it seems Dynatrace server itself talks to Cassandra via Native port which is now encrypted, of course It will fail. So Dynatrace acts as a Cassandra client in this case, and I couldn't a way to let Dynatrace know that Cassandra native port is now encrypted. From DataStax website, it seems it's possible to configure it in cqlshrc. So I've tried this option by putting it in Cassandra/conf/csqlrc, seems still doesn't work. Any idea if this is documented?

I was also looking at securing Hazelcast component, based on my searching, It looks like It can only be secured using enterprise version, not the open source version. Is this correct?


Thanks,

Reymond

0 Kudos
Reply

Go to solution
Radoslaw_Szulgo
Dynatrace Guru
Dynatrace Guru
In response to reymond1

‎25 May 2020 08:06 AM

In short that is not possible and not supported currently. I’d rather think how to secure the access to the cluster instead.

Senior Product Manager,
Dynatrace Managed expert
0 Kudos
Reply
Ask a question

Featured Posts