Dynatrace Managed feature update, version 1.156

Adaptive load reduction with Dynatrace traffic management

By default, Dynatrace is set up to trace every single request. As this implies increased network and storage requirements, particularly within large Dynatrace Managed installations, we’ve made this a configurable setting with the latest release of Dynatrace Managed.

As part of this “Adaptive Traffic Management and Data retention” effort, we now display a configuration option in the Managed Cluster Management Console (CMC). To change the setting, select the environment you want to configure from the Environments menu. This will take you to the details view where you can modify the Adaptive capture control setting.

The default value is 1,000 new paths per minute.

Enhanced preferences for proactive cluster support

We proactively alert you of any incompatibilities or technology-specific risks related to your environment. By default, we report information from OneAgent, process technologies, hosts, ActiveGates, and related entities. This information is used for support, product improvement, and research purposes. The relevant setting has been added to Preferences in the Settings section of the CMC.

Note: If you disable this feature, we won’t be able to see the OneAgent versions you have installed and therefore can’t provide you with complete proactive support.

Introducing TLS 1.2 and improved cipher security

By default, we now use TLS 1.2 for communication with Dynatrace Managed clusters and we’ve disabled the usage of ciphers that are considered less secure. For compatibility reasons, however, we still provide the option to switch back to existing, less secure settings. We now provide built-in security policies. Each security policy defines a set of allowed SSL protocols and ciphers that are applied to NGINX instances on each cluster node:

  • legacy: Reflects currently used settings. Used for existing installations during upgrades.
  • default: Contains TLS 1.2 and only the most secure (and OpenSSL validated) ciphers. Used for new installations.
  • fips: Allows for TLSv1, TLSv1.1, TLSv1.2, and ciphers that are specified in the latest FIPS recommendations. Used for FIPS installations.

These policies can be passed as arguments to the installer when installing new or upgrading existing cluster nodes. We added the following command-line parameters to the installer:

  • --ssl-protocols: Accepts a space-separated list of protocols that are accepted by SSL connections or a policy name. Replaces the default list.
  • --ssl-ciphers: Defines ciphers that are accepted by SSL connections or a policy name. Replaces the default definition.

Another option to change the SSL policies for existing clusters is to change SSL_PROTOCOLS and SSL_CIPHERS entries in /etc/dynatrace.conf, analogous to the installer parameters. Changes go into effect with the next upgrade.
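The following audit script is an added example, not Dynatrace code. It reads the SSL_PROTOCOLS entry described above and reports whether it names a built-in policy or an explicit protocol list, and which allowed protocols are older than TLS 1.2. It assumes that /etc/dynatrace.conf uses `KEY = value` lines and that protocol tokens follow NGINX spelling; neither is stated in these release notes.

```python
import re

# Protocols each built-in policy allows, as far as the release notes state them.
# None = not enumerated there ("legacy" only says "currently used settings").
POLICY_PROTOCOLS = {
    "default": ["TLSv1.2"],
    "fips": ["TLSv1", "TLSv1.1", "TLSv1.2"],
    "legacy": None,
}
# Tokens below TLS 1.2, spelled as NGINX's ssl_protocols directive spells them.
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def read_entries(conf_text):
    """Collect SSL_PROTOCOLS / SSL_CIPHERS values (assumed `KEY = value` syntax)."""
    entries = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"(SSL_PROTOCOLS|SSL_CIPHERS)\s*=\s*(.*)$", line)
        if m:
            entries[m.group(1)] = m.group(2).strip().strip("\"'")
    return entries

def audit_protocols(conf_text):
    """Classify SSL_PROTOCOLS as a policy name or explicit list and flag weak protocols."""
    value = read_entries(conf_text).get("SSL_PROTOCOLS")
    if not value:
        return {"kind": "unset", "weak": [], "ok": False}
    if value in POLICY_PROTOCOLS:
        kind, protocols = "policy:" + value, POLICY_PROTOCOLS[value]
    else:
        kind, protocols = "list", value.split()
    weak = [p for p in (protocols or []) if p in WEAK]
    # ok only when the protocol set is known and contains nothing below TLS 1.2
    return {"kind": kind, "weak": weak, "ok": protocols is not None and not weak}

# Constructed sample content, not taken from a real node.
SAMPLE_CONF = """\
# constructed example
SSL_PROTOCOLS = TLSv1.1 TLSv1.2
SSL_CIPHERS = default
"""

if __name__ == "__main__":
    print(audit_protocols(SAMPLE_CONF))
```

Because configuration changes go into effect only with the next upgrade, the file shows the configured policy, which may differ from what NGINX on the node currently serves.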

Resolved issues

  • Due to a NIST-reported vulnerability, we had to disable the Apache Thrift server on our Cassandra nodes.
  • We resolved an issue around Mission Control flooding recipients with e-mails.
  • ActiveGates on Dynatrace Managed nodes didn’t preserve changes made to custom.properties during upgrades.
  • In some cases, the free quota of custom metrics wasn’t correctly calculated.
  • We addressed an undisclosed potential security vulnerability around unauthorized token access.

Also in this release

  • We’ve updated the Help page on supported operating system requirements for Dynatrace Managed. We now explicitly state supported platforms and versions. Fresh installations disallow unsupported versions. During upgrades, only warnings are raised.
  • Due to security vulnerabilities, we updated the JRE for the installer component to version 8, build 181.
  • On the Home page of the CMC, you can now see each node’s IP address next to the node ID.

Other new features

Additionally, all new features introduced with Dynatrace SaaS Version 1.155 and Version 1.156 are now also supported by Dynatrace Managed.