How to harden your NAM Probe deployment

There are various settings that you can define to make your NAM Probe deployment more secure.

Set the user name and password to configure authorized HTTP and HTTPS access to the NAM Probe from an external device, such as the report server or NAM Console server.

Creating new rtmgate users

The rtmgate is an interface through which the NAM Probe communicates with other Dynatrace components, for example NAM Console, NAM Server or AppMon server. When adding a NAM Probe to NAM Console, you need to provide the rtmgate user credentials. The default user/password pair is adlex/vantage or compuware/vantage. We highly recommend changing it to harden your NAM Probe security.

To set the name and password, create the /var/lib/tomcats/rtmgate/conf/tomcat-users.xml file (if available, you can use the symbolic link: /usr/adlex/config/tomcat/tomcat-users.xml) in the following format:

Earlier releases

For releases 12.4.10 and earlier, use the /usr/adlex/webapps/ROOT/WEB-INF/users.xml file and location.

Make sure that you maintain the XML syntax.

tomcat-users.xml

<?xml version='1.0' encoding='iso-8859-1'?>
<tomcat-users>
   <role rolename="gate"/>
   <user name="user1" password="9ec62c20118ff506dac139ec30a521d12b9883e55da92b7d9adeefe09ed4e0bd152e2a099339871424263784f" roles="gate"/>
   <user name="user2" password="291116775902b38dd09587ad6235cec503fc14dbf9c09cad761f2e5a5755102eaceb54b95ffd179c22652c391" roles="gate"/>
</tomcat-users>

The user tags contain the name and password attributes that define the username and a SHA-512 hash of the password. Since the only defined role is gate, always set the roles attribute to gate.

After the changes are made, use the following commands to restart the NAM Probe:

[root@NAM Probe ~]# service rtmgate stop
...
[root@NAM Probe ~]# service rtmgate start

Creating additional users or modifying the existing rtmgate users

Generate a password for the new rtmgate user.

[root@NAM Probe ~]# echo -n PasswordYouWantToUse | openssl dgst -sha512

Modify the /var/lib/tomcats/rtmgate/conf/tomcat-users.xml file.

The username and password in the rtmgate tomcat-users.xml file can be any values you choose, but the password must be stored as its SHA-512 hash rather than in plain text.

Earlier releases

For releases 12.4.10 and earlier, use the /usr/adlex/webapps/ROOT/WEB-INF/users.xml file and location.

Add a new user entry, or modify the existing one, with the username and password.
For the password attribute, enter the hash generated with the openssl command above.

<role rolename="gate" />
<user password="c86680b1fa907c90dfa86a07e7d03906861608p0jfs976165ad81f9ac6896b9d55adb255cb39596b55" roles="gate" username="somenewuser" />

Save the file.

Restart the NAM Probe service.

[root@NAM Probe ~]# service rtmgate stop
...
[root@NAM Probe ~]# service rtmgate start

In the NAM Console, modify the NAM Probe connection settings and test the connection.

When prompted, allow the NAM Console to update the references.

Publish the updated references to all NAM Server and ADS instances that utilize that NAM Probe.
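As an added example (not part of the Dynatrace documentation), the following Python script reproduces the `openssl dgst -sha512` digest with hashlib, renders a user entry in the tomcat-users.xml format shown above, and audits an existing file for entries that still use the default password, store a value that is not a SHA-512 hex digest, or carry a role other than gate. The file content, user names and function names are constructed for this example.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Default rtmgate password named in the documentation; its hash must not remain in the file.
DEFAULT_PASSWORDS = ("vantage",)
# openssl dgst -sha512 prints 128 lowercase hex characters.
HEX_SHA512 = re.compile(r"^[0-9a-f]{128}$")


def rtmgate_hash(password: str) -> str:
    """Same digest as: echo -n <password> | openssl dgst -sha512"""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def user_element(name: str, password: str) -> str:
    """Render one <user> line in the tomcat-users.xml format used by rtmgate."""
    return f'   <user name="{name}" password="{rtmgate_hash(password)}" roles="gate"/>'


def audit_tomcat_users(xml_text: str) -> list:
    """Return a list of findings; an empty list means every entry passes the checks."""
    findings = []
    root = ET.fromstring(xml_text)
    default_hashes = {rtmgate_hash(p) for p in DEFAULT_PASSWORDS}
    for user in root.findall("user"):
        # Both attribute spellings appear in the documentation's examples.
        name = user.get("name") or user.get("username") or "?"
        pw = user.get("password", "")
        if user.get("roles") != "gate":
            findings.append(f"{name}: roles must be 'gate'")
        if not HEX_SHA512.match(pw):
            findings.append(f"{name}: password is not a 128-hex-char SHA-512 digest")
        if pw in default_hashes:
            findings.append(f"{name}: still uses the default password")
    return findings


# Constructed sample file: one default credential, one plain-text password, one good entry.
SAMPLE_TOMCAT_USERS = f"""<?xml version='1.0' encoding='iso-8859-1'?>
<tomcat-users>
   <role rolename="gate"/>
   <user name="adlex" password="{rtmgate_hash('vantage')}" roles="gate"/>
   <user name="ops" password="plaintext-oops" roles="gate"/>
{user_element('monitor1', 'CorrectHorseBatteryStaple')}
</tomcat-users>
"""

if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(finding)
```

Run it against a copy of /var/lib/tomcats/rtmgate/conf/tomcat-users.xml before restarting rtmgate; any finding means the file still needs attention.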

Replacing the pre-installed and self-signed SSL certificates

To replace the self-signed SSL certificates on the NAM Probe with a certificate signed by a certificate authority:

Copy your certificate file to /var/lib/tomcats/rtmgate/conf/ location and replace the default certificate file.
Rename your new certificate file to gate_ssl.pem or to gate.crt as necessary.

Earlier releases

For releases 12.4.10 and earlier, use the /usr/adlex/config/ location.

Private key

If you are NOT using any of the anonymous key agreement protocols (DHE, ECDH, ECDHE), your new certificate file must also contain your private key.

If you are using an SSL certificate chain, you must indicate the path to the certificate chain in the server.xml file.

  1. Log on as root to the machine running the NAM Probe and edit the /usr/adlex/config/tomcat/server.xml file.
  2. Append the SSLCertificateChainFile property with the path. For example: SSLCertificateChainFile="/path/to/certificatechain.file"

Restart the NAM Probe service.

[root@NAM Probe ~]# service rtmgate stop
...
[root@NAM Probe ~]# service rtmgate start

Additional actions you can perform to improve the security of your NAM Probe installation

  • Filter unwanted traffic.
    By filtering the unwanted traffic on the network adapter level, you can minimize the risk of unsafe packets entering the network adapter's buffers.
  • Remove unnecessary compilers from the Red Hat Enterprise Linux installation.
    Recompiling the drivers used by the monitoring NICs may be required if the NAM Probe kernel version differs from the kernel version against which the drivers were compiled (which can happen if the kernel was patched manually or by the automated RHEL system update process). If kernel updates are not planned, or will be performed manually, the compiler libraries can be removed.
  • Disable the NAM Probe maintenance port (SSH) and force NAM Probe or Red Hat Enterprise Linux maintenance to be performed directly at the NAM Probe.
  • Configure automatic Linux updates – have Red Hat Enterprise Linux get any recent security patches.
  • Customize Linux.
    As long as your Linux deployment contains the packages required by the NAM Probe, you can use your own customized and secured distribution of Red Hat Enterprise Linux. The RHEL configuration can be changed according to your security needs, including allowing NAM Probe access from specific IP addresses only. The NAM Probe does not open connections to the external world, and its OS can be configured to accept connections only from specific hosts such as the NAM Server and the NAM Console.
  • Install additional firewalls and other security packages on the NAM Probe.
  • Disable or limit unnecessary features.
    While the port numbers can be used for other communication, some of the features and communications are optional and can be disabled or limited. For example, if you do not plan to remotely administer your NAM Probe, you can disable port 22 and manage the NAM Probe configuration via the NAM Console. You can also disable SNMP trap notifications on port 162.
  • Remove unnecessary services - file and printer sharing, applications, and network protocols.
  • Maintain the latest operating system version and apply all officially released security patches.
  • Remove any certificate installation files (*.p12 and *.pfx) found on a system. This does not apply to server-based applications that have a requirement for .p12 certificate files (e.g., Oracle Wallet Manager).