Set up SSL communication

This page describes how to set up SSL-encrypted communication between AppMon tiers. Use SSL-encrypted communication.

Data sent between browsers and web servers is typically in plain text. SSL is a protocol that encrypts this data, providing a layer of security in situations where a network may have unsecured elements, such as non-WPA2 wireless data transfer.

Enable SSL encryption

AppMon Server - Collector connection

By default, Collectors connect to the Server using SSL (default port 6699). The Server accepts both SSL connections (default SSL port 6699) and non-SSL connections (default non-SSL port 6698).

If you want to disallow non-SSL connections while Collectors are running, restart the Server before you switch off non-SSL. Make sure you change the Collectors to the SSL port used to connect to the Server.

You can change the port for connected Collectors in the Client by selecting Settings > Dynatrace Server > Collectors, then selecting a Collector in the list and changing the configuration in the lower pane.

For disconnected Collectors, change the port to SSL in collector.config.xml manually as shown below.

AppMon Client - AppMon Server connection

Both SSL encryption (default port 2021) and compression are enabled by default. It is no longer possible to enable the non-SSL communication port (2020) of the AppMon Server from the user interface. See Client Communication Setup for more information.

AppMon Agent - Collector connection

To enable SSL connections between the Collector and an AppMon Agent, set the DT_USESSL environment variable or the usessl parameter to true. See the configuration topic for a particular Agent to learn how. Encrypted communication uses the same port as non-encrypted communication.

Web Server agents

The Apache, IIS, and NGINX Agents don't communicate with the Collector directly.

  • On the Classic Agent platform, the Web Server master Agent communicates with the Collector. See Web Server Master Agent configuration for the configuration instructions.
  • On the OneAgent platform, the OneAgent communicates with the Collector. The OneAgent uses SSL by default, so you only need to make sure that the required Collector port is open. See OneAgent configuration for the configuration instructions.

Manually change the AppMon Collector port to SSL

If the AppMon Collector is not connected to the AppMon Server, you can only change the port by editing the collector configuration file. The collector configuration file is installed to <DT_HOME>/collector/conf/collector.config.xml by default.

Set the port that the Collector should use to connect to the AppMon Server by changing the serverport attribute of the <collectorconfig> element (XPath: /dynatrace/collectorconfig/@serverport). By default, the Server listens for SSL connections on port 6699.

If you want the tiers to communicate on a different port, you must also change it in Server settings. In the Client, select Settings > Dynatrace Server > Services > General and set the SSL Listen Port. When the Server is stopped, edit collectorsslport in <DT_HOME>/server/conf/server.config.xml.

<dynatrace ...>
   <collectorconfig serverport="6699" serveraddress="localhost" ... />
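
The manual edit described above can be audited and applied with a short script. This is an added example, not AppMon tooling: the function names and the sample file content are assumptions, and the ports are the defaults stated on this page.

```python
import xml.etree.ElementTree as ET

SSL_PORT = "6699"      # Server's default SSL port for Collectors (from this page)
NON_SSL_PORT = "6698"  # Server's default non-SSL port (from this page)

# Constructed sample standing in for <DT_HOME>/collector/conf/collector.config.xml;
# a real file carries more attributes and elements than shown here.
SAMPLE_CONFIG = """<dynatrace>
   <!-- constructed comment -->
   <collectorconfig serverport="6698" serveraddress="localhost" />
</dynatrace>"""


def _collectorconfig(root):
    """Resolve /dynatrace/collectorconfig, or None if the file has another shape."""
    return root.find("collectorconfig") if root.tag == "dynatrace" else None


def audit_serverport(xml_text, ssl_port=SSL_PORT):
    """Return (status, port); status is ssl, non-ssl-default, other or missing."""
    node = _collectorconfig(ET.fromstring(xml_text))
    if node is None or "serverport" not in node.attrib:
        return ("missing", None)
    port = node.get("serverport")
    if port == str(ssl_port):
        return ("ssl", port)
    if port == NON_SSL_PORT:
        return ("non-ssl-default", port)
    return ("other", port)  # custom port: compare with the Server's SSL Listen Port


def set_serverport(xml_text, ssl_port=SSL_PORT):
    """Return the config text with serverport changed and other attributes kept."""
    ssl_port = str(ssl_port)
    if not ssl_port.isdigit() or not 1 <= int(ssl_port) <= 65535:
        raise ValueError("invalid port: %r" % ssl_port)
    # insert_comments=True keeps XML comments that a plain parse would drop.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    node = _collectorconfig(root := ET.fromstring(xml_text, parser=parser))
    if node is None:
        raise ValueError("no /dynatrace/collectorconfig element found")
    node.set("serverport", ssl_port)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(audit_serverport(SAMPLE_CONFIG))                  # before the change
    print(audit_serverport(set_serverport(SAMPLE_CONFIG)))  # after the change
```

The rewritten text does not include an XML declaration, so keep a backup of the original file and stop the Collector before replacing it.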