23 May 2020 08:00 PM - last edited on 25 May 2023 12:39 AM by Karolina_Linda
I'm totally new with Dynatrace.
Have a question, as it seems I can't find any information on this.
How to disable port 8020 on the Dynatrace Managed server so that communication between the cluster nodes is using on port 8021 (HTTPS)?
Tried to remove port=8020 under webserver section, but it didn't work.
When port 8020 is blocked on subnet level, CMC console shows primary node can't display the storage information for the other, and few other issues as well.
There is also 'connection-mode-webUi=ssl' under the same section, which I enabled, but it doesn't seem to force the connection using SSL. (Not sure if that's the purpose of this directive though).
Any idea how to force connection between cluster to use SSL? so that we can block port 8020?
Solved! Go to Solution.
Here’s the relevant doc page: https://www.dynatrace.com/support/help/shortlink/managed-network-ports
port 8020 can be blocked from incoming access outside of cluster nodes in your firewall. However you can’t block it between nodes as it is needed. Why would you want to do that? If you are concerned about security, keep in mind that’s only internal communication through http port. Also Cassandra and Elasticsearch does not use https due to performance.
Thanks for responding. This is for compliance reason.
Yes, I know it's blocked from external access other than the cluster nodes itself. But, let's say we'll accept the fact that there will be a performance issue, is there any special steps to block this port and only allow port 8021 for communication?
In regards to Elastic and Cassandra, I was planning to port another question in the forum, but you got me there :).
I was able to make Cassandra listen on HTTPS (even on native port on 9042), and there's no issue between Cassandra nodes. But it seems Dynatrace server itself talks to Cassandra via Native port which is now encrypted, of course It will fail. So Dynatrace acts as a Cassandra client in this case, and I couldn't a way to let Dynatrace know that Cassandra native port is now encrypted. From DataStax website, it seems it's possible to configure it in cqlshrc. So I've tried this option by putting it in Cassandra/conf/csqlrc, seems still doesn't work. Any idea if this is documented?
I was also looking at securing Hazelcast component, based on my searching, It looks like It can only be secured using enterprise version, not the open source version. Is this correct?
In short that is not possible and not supported currently. I’d rather think how to secure the access to the cluster instead.