I have installed a Publice Active Gateway (PAG). Version 220.127.116.1100108-111113 on Platform: Linux, Version: 3.10.0-1062.el7.x86_64, Architecture: amd64, Processors: 2 - Running.
On the same server I have installed the java openkit package from https://bintray.com/dynatrace/openkit/com.dynatrace.openkit
Then I have altered the SimpleSample https://github.com/Dynatrace/openkit-java/blob/master/samples/SimpleSample.java for my environment stating the url in my environmen, the application the applicationid and deviceid.
When I run the java application, I get errors about the certificate.
[root@vhpmon540cop007 cbruhn2]# java SimpleSample
2020-02-11T10:52:46.245 ERROR [BeaconSender] HTTPClient sendRequest() - ERROR: STATUS Request failed!
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
I have not altered anything about the certificate that the PAG uses, so it just states it has been issued by dynatrace.
Cluster ActiveGate SSL certificate
Current SSL certificate
Expires: Feb 07, 2030
Is there a way in Dynatrace to export this certificate to other machines ?
I think that this certificate should be exported and then imported with keytools, but I can't find any documentation about how to do this.
The java application is run on the same machine as the PAG so I don't understand why there should be a problem with the certificate, but that is just my ignorance about certificates.
Can anybody help solving this issue, so I could test the openkit setup, before I let java developers access the setup ?
Solved! Go to Solution.
You have the answer right there - "java.security.cert.CertificateException: No subject alternative names". Certificates are verified every time, it does not matter if it is a local connection.
The default self-signed certificate is not a good way to operate Cluster ActiveGate (named Public Security Gateway in the past). You will need a proper certificate issued to FQDN / DNS name of the ActiveGate. Now also with the SNI extension (subject alternative name). So you should get a certificate with SNI extension, including a private key and put it on the ActiveGate. This is done via the CMC console in Dynatrace Managed, not by copying it to the host. If your certificate will be issued by a your local CA and not by a public CA, then you might need to import the CA certificate into the trust store of the JVM you are running so the SSL connection to the gateway can be trusted.
If this is just for testing and getting familiar with OpenKit, you can turn off the SSL validation in the example, see here:
Just add this method call in the initialization of the openkit library:
You are welcome. Of course you need to import that class or package. Just in production I strongly discourage running Cluster ActiveGate with selfsigned certificate or without SSL certificate validation.