FIPS 140-2 compliance
Dynatrace Managed now provides a separate NGINX distribution package with OpenSSL running in FIPS mode. This allows you to set up communication with Dynatrace Managed clusters that is FIPS 140-2 compliant.
To set up FIPS 140-2 compliant communication
- Run the installer with the --fips-enabled=true flag (works for both upgrade procedures and fresh installations)
- Instruct all installed OneAgents to use the NGINX endpoint running on port 443. To customize the IP endpoint for OneAgent traffic, go to the Cluster Management Console Home page and click the infographic tile of the cluster node you want to configure, then scroll down to the Customize node endpoints section on the node details page (see example below).
To date, OneAgent traffic has been handled by a cluster ActiveGate (previously known as a “Public Managed Security Gateway”; see below for details). Since Dynatrace Managed version 1.150, it’s been possible to use NGINX as a single communication endpoint and conveniently configure a single port. You can disable FIPS mode during cluster upgrade by running the installer with the --fips-enabled flag set to
Higher supportability with Nodekeeper
We’ve introduced a standalone process, referred to as “Nodekeeper”, that runs on each node on port 8018. The Nodekeeper process starts before all other cluster processes and is the last to be shut down. This allows us to remotely support situations where a cluster is down and the log files and configurations are no longer accessible. Support archives have been extended to include Nodekeeper logs and configuration files.
Also in this release
- We’ve solved performance issues when loading the CMC Homepage. Especially on larger clusters, the UI was blocked for too long before all components were displayed and the user could proceed. Now the Homepage is displayed immediately and slow components are indicated with a “loading” label.
- You can now specify the target directory of the self-monitoring agent by specifying the --agent-dir flag when executing the Dynatrace Managed installer. If you omit the parameter, the agent will be installed at /opt/dynatrace/agent. Otherwise, the path is used as a symlink that points to a custom location.
- As part of renaming Security Gateway to ActiveGate, we updated the terminology in the Web UI and the Dynatrace Managed installer. Public Managed Security Gateways are now referred to as Cluster ActiveGates. This change is visible on the Home page, the former Security Gateway details page, and within Public endpoint settings in the CMC.