Solved: Re: Are there any plans to update the SSL certificate of OneAgent in the future?

kohei-saito · ‎20 Mar 2018

Hi,

On installation of Linux OneAgent, we are asked to verify signature like this:

Verify signature:
wget https://ca.dynatrace.com....

Once we have installed OneAgent with this certificate, I think we don't have to update the certificate for a while, but are there any plans to update the SSL certificate of OneAgent at some future time?

If you have those plans, please let me know how often and when you update it.

Thanks,
Kohei

JamesKitson · ‎20 Mar 2018

I believe that command to verify the signature is just best practice to ensure there were no issues with the installer and that is in the true installer from Dynatrace that was obtained, it is not mandatory per se. The Security Gateways and Cluster nodes are what have the certificates - the OneAgent itself does not have or need any certificate.

James

kohei-saito · ‎26 Mar 2018

Hi, James

Thanks your comment.

I see.

This signature is optionally needed only on installation of OneAgent and it doesn't matter to the running OneAgent whether the certificates are updated or not.

Is my understanding correct?

Thanks,

Kohei

JamesKitson · ‎26 Mar 2018

I believe OneAgents handle all of that without manual intervention. Accessing the UI via a browser and a few other scenarios are when a valid SSL certificate becomes important. Note that if you let Dynatrace manage the certificates I believe it automatically updates the certificates via Let's Encrypt over time so this wouldn't be a concern at all.

https://www.dynatrace.com/support/help/installation/monitoring-setup/what-are-the-available-communication-endpoints/#recap

derek_darling · ‎17 Jul 2018

Hi James,

Does the UI (nginx) and the Agent traffic (Security Gateways & The Dynatrace Server on the node) require two different certificates?

JamesKitson · ‎17 Jul 2018

I haven't dealt with that extensively yet, I'll update if I come across anything. I imagine since the traffic is all sent HTTPS it definitely needs a valid cert to be secure but dunno about the details of managing that manually. Like nginx might be able to share the cert with the server or something like that.

kohei-saito · ‎29 Mar 2018

Hi James,

Thanks for your answers.

I'm getting to understand.

When we download installers, we can optionally download the signature.
It is used for the installation of OneAgent, and it has nothing to do with the connection between installed OneAgent/Private Security Gateway and SaaS Cluster,so we don't have to worry, right?

adam_gardner · ‎29 Mar 2018

Step 2 of the wizard (verifying the signature) is optional. Steps 1 and 3 are the mandatory ones - wget the sh script and run it.

kohei-saito · ‎30 Mar 2018

Hi @Adam G.,

Thanks.

Yes, as you said, step 1& 3 are mandatory and step 2 is optional.

I didn't seem to understand that well.

The signature is mandantory, so that means it is not used for connection between OneAgent which has been installed and the Dynatrace SaaS Cluster.

@James.K,

I'm sorry for my lack of understanding.

I understand what you said.

I appreciate your kind cooperation!

Kohei