Solved: Synthetic Monitoring Security

jose-antonio_ra · ‎26 Dec 2019

Hi all.

we´re working in a managed installation. The customer is interested in Synthetic Monitoring, but they have some questions about security. I read the doc in

- How is the encryption between the browser monitor and the tenant?

- Before the information is sent to the tenant...is the data stored in the Browser? If so, does this information have any security or encryption system? By example, the username, passwords , should not be visible.

- how tenant authentication is performed on the probe. That is, as the probe knows that it is our tenant who wants to execute the script

i´ve review doc in https://www.dynatrace.com/support/help/how-to-use-dynatrace/synthetic-monitoring/

and i not see the answer.

I hope you understand the doubts.

thanks in advanced.

jose A

skrystosik · ‎26 Dec 2019

In general this works differently. You have 2 options. Using public synthetic locations or create local one via ActiveGate. They are working the same. You can record click path that will perform some scenario on your website. This scenario will be sent to public locations or your loca will be used (this one can be used on your private network). Everything is encrypted via SSL.

Than robots will be clicking through your page and record responses in configured frequency. This data are then send encrypted to your Dynatrace server. For public location it is done via Mission Control (DT cluster has access to it), for private locations it is send directly to Dynatrace server. No data are stored in browsers, because robots are setting up headless browser instances just for direct run, collecting data and ending process.

If you will provide credentials to script, nobody will have access to it, but this has to be sent to synthetic location to allow access for script. As I said, all is secured via SSL connection.

There are as well HTTP monitors, not simple option. It only executes request without business scenario and validate response. Good for testing API’s. but from security point of view it is working the same.

Sebastian

Regards, Sebastian

jose-antonio_ra · ‎27 Dec 2019

Thank you very much for the answer, it is very useful.

I have a question, in the record sequence, i must input username and password (and other confidential data) that should be replayed; Are these credentials saved in the script? If this is so, is the password encrypted or ofuscated?

Regards

Jose A

skrystosik · ‎27 Dec 2019

Credentials are saved in dynatrace cluster and send to robots on demand. I don’t know about hashing, this is rather question to someone from Staff. But event if Dynatrace will hash password and confidential data to store them internally (which I hope it does) mechanism has to be reversible because script has to have those data in plain text to fill the form.

Sebastian

Regards, Sebastian

miguel_balsa · ‎17 Jan 2020

Just to add a bit more info to the topic:

Synthetic scripts and credentials are stored in an encrypted database (AES-256).
Transfer of the scripts and credentials is encrypted using TLS 1.2.
Access to the scripts within Dynatrace is only available to administrators.
Dynatrace is recommending to use dedicated test user accounts when creating new synthetic tests.
Further information:
- https://www.dynatrace.com/support/help/shortlink/synthetic-hub
- https://www.dynatrace.com/support/help/shortlink/browser-monitors-config

ChadTurner · ‎17 Jan 2020

Credentials will now be saved in the Credential Vault

-Chad

skrystosik · ‎25 Jan 2020

Here is Articles about credentials vault

https://www.dynatrace.com/news/blog/additional-security-for-synthetic-monitor-credentials-with-the-n...

Regards, Sebastian

nandini_balakri · ‎06 Apr 2020

See also https://www.dynatrace.com/support/help/shortlink/credential-vault