Kohei S. asked ·

Are there any plans to update the SSL certificate of OneAgent in the future?

Hi,

On installation of Linux OneAgent, we are asked to verify signature like this:

Verify signature:
wget https://ca.dynatrace.com....

Once we have installed OneAgent with this certificate, I think we don't have to update the certificate for a while, but are there any plans to update the SSL certificate of OneAgent at some future time?

If you have those plans, please let me know how often and when you update it.

Thanks,
Kohei

oneagentinstallation

Adam G. answered ·

Step 2 of the wizard (verifying the signature) is optional. Steps 1 and 3 are the mandatory ones - wget the sh script and run it.


Kohei S. answered ·

Hi @Adam G.,

Thanks.

Yes, as you said, steps 1 & 3 are mandatory and step 2 is optional.

I didn't seem to understand that well.

The signature is mandatory, so that means it is not used for connection between OneAgent which has been installed and the Dynatrace SaaS Cluster.

@James.K,

I'm sorry for my lack of understanding.

I understand what you said.

I appreciate your kind cooperation!

Kohei


Kohei S. answered ·

Hi James,

Thanks for your answers.

I'm getting to understand.

When we download installers, we can optionally download the signature.
It is used for the installation of OneAgent, and it has nothing to do with the connection between installed OneAgent/Private Security Gateway and SaaS Cluster, so we don't have to worry, right?


James K. answered ·

I believe that command to verify the signature is just best practice to ensure there were no issues with the installer and that it is the true installer from Dynatrace that was obtained; it is not mandatory per se. The Security Gateways and Cluster nodes are what have the certificates - the OneAgent itself does not have or need any certificate.

James

4 comments

Hi, James

Thanks for your comment.

I see.

This signature is optionally needed only on installation of OneAgent and it doesn't matter to the running OneAgent whether the certificates are updated or not.

Is my understanding correct?

Thanks,

Kohei

0 Likes 0 · ·

I believe OneAgents handle all of that without manual intervention. Accessing the UI via a browser and a few other scenarios are when a valid SSL certificate becomes important. Note that if you let Dynatrace manage the certificates I believe it automatically updates the certificates via Let's Encrypt over time so this wouldn't be a concern at all.

https://www.dynatrace.com/support/help/installation/monitoring-setup/what-are-the-available-communication-endpoints/#recap

1 Like 1 · ·

Hi James,

Does the UI (nginx) and the Agent traffic (Security Gateways & The Dynatrace Server on the node) require two different certificates?

0 Likes 0 · ·

I haven't dealt with that extensively yet, I'll update if I come across anything. I imagine since the traffic is all sent HTTPS it definitely needs a valid cert to be secure but dunno about the details of managing that manually. Like nginx might be able to share the cert with the server or something like that.

0 Likes 0 · ·
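
What an install-time signature check of the kind discussed in this thread does, as an added example that is not Dynatrace's command or part of the original posts: a constructed root CA, signing certificate and installer script stand in for the real ones, and `openssl cms` verifies a detached signature over the file. All file names and certificate subjects are assumptions.

```shell
#!/usr/bin/env bash
# Added example. The CA, signing cert and installer are constructed here;
# none of them are Dynatrace's real files (names/subjects are assumptions).

make_fixture() {  # $1 = empty work dir
  local d=$1
  # Root CA: stands in for the vendor root you fetch before verifying.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Vendor Root" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
  # Signing certificate issued by that root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Installer Signer" \
    -keyout "$d/signer.key" -out "$d/signer.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/signer.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -out "$d/signer.pem" 2>/dev/null || return 1
  # Constructed installer plus a detached CMS signature over its bytes.
  printf '#!/bin/sh\necho "installing agent"\n' > "$d/installer.sh"
  openssl cms -sign -binary -in "$d/installer.sh" -signer "$d/signer.pem" \
    -inkey "$d/signer.key" -outform PEM -out "$d/installer.sh.sig" 2>/dev/null
}

# Succeeds only if the signature matches the file AND chains to the given root.
verify_installer() {  # $1 = installer, $2 = detached signature, $3 = trusted root
  openssl cms -verify -binary -inform PEM -in "$2" -content "$1" \
    -CAfile "$3" -out /dev/null 2>/dev/null
}

demo() {
  local d; d=$(mktemp -d) || return 1
  make_fixture "$d" || { echo "fixture failed"; return 1; }
  verify_installer "$d/installer.sh" "$d/installer.sh.sig" "$d/ca.pem" \
    && echo "as downloaded: signature OK, safe to run"
  # A single change after signing is enough to fail the check.
  cp "$d/installer.sh" "$d/modified.sh"; echo '# modified in transit' >> "$d/modified.sh"
  verify_installer "$d/modified.sh" "$d/installer.sh.sig" "$d/ca.pem" \
    || echo "modified copy: verification FAILED, do not run"
  rm -rf "$d"
}
demo
```

The check runs once against the downloaded file before it is executed; nothing in it is consulted again by the software after installation.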