Set up a proxy for ActiveGate
To set up a proxy for an ActiveGate, update or add parameters in the following files in the ActiveGate configuration directory:
custom.properties
Settings are specified in:
[http.client.internal]
ActiveGate version 1.207+ Settings specific to communication with the Dynatrace Cluster only.
In particular, this section can contain configuration properties related to proxy settings and connection timeouts. If this section does not exist, communication with the Dynatrace Cluster is defined by the settings in the [http.client] section. However, if the [http.client.internal] section does exist, but a particular communication setting is not listed there, then, for the purpose of communicating with the Dynatrace Cluster, the value of that setting is assumed to be its factory default (i.e., it is not inherited from [http.client]).
[http.client]
Communication settings used for AWS/VMware/Azure monitoring and for communicating with the Dynatrace Cluster (unless overridden in [http.client.internal]). In particular, this section contains configuration properties related to proxy settings and connection timeouts.
[http.client.external]
ActiveGate version 1.207+ Communication settings for specific modules: Cloud Foundry, Kubernetes, and also for Synthetic Monitoring.
In particular, this section can contain configuration properties related to proxy settings and connection timeouts. If this section contains proxy-off = true, then there is no proxy for the modules. If it contains the proxy-host property, then this is the proxy to be used for the modules.
Note: Communication settings specified in [http.client] are not always used as defaults for the modules: If a particular communication setting is not specified in [http.client.external], then that setting (for Cloud Foundry, Kubernetes or Synthetic Monitoring) will revert to its factory default value, rather than to the value specified in [http.client].
Similarly, if the entire [http.client.external] section does not exist, then all of the communication settings for Kubernetes and Cloud Foundry will revert to their factory default values; however, settings for Synthetic Monitoring will assume values as specified in the [http.client] section.
[cloudfoundry_monitoring]
ActiveGate version 1.207+ This section can contain proxy settings for communication with Cloud Foundry. If this section contains proxy-off = true, then there is no proxy for communication with Cloud Foundry. If it contains the proxy-host property, then this is the proxy to be used for Cloud Foundry monitoring, rather than the proxy specified in [http.client.external].
Note: If you have a [cloudfoundry_monitoring] section in your custom.properties file, you also need to have an [http.client.external] section, where you should specify all the remaining communication parameters that are to be used for Cloud Foundry communication.
[kubernetes_monitoring]
ActiveGate version 1.207+ This section can contain proxy settings for communication with Kubernetes, along with other settings related to fine-tuning communication settings for Kubernetes monitoring.
If this section contains proxy-off = true, then there is no proxy for communication with Kubernetes. If it contains the proxy-host property, then this is the proxy to be used for Kubernetes monitoring, rather than the proxy specified in [http.client.external].
Note: If you have a [kubernetes_monitoring] section in your custom.properties file, then you also need to have an [http.client.external] section, where you should specify all of the remaining communication parameters to be used for Kubernetes communication.
[synthetic]
ActiveGate version 1.207+ Proxy settings for Synthetic Monitoring. If this section contains proxy-off = true, then there is no proxy for Synthetic Monitoring. If it contains the proxy-host property, then this is the proxy to be used for Synthetic Monitoring, rather than the proxy specified in [http.client.external] (or in [http.client], if [http.client.external] is not defined).
Note: If you have a [synthetic] section in your custom.properties file, you can have an [http.client.external] section, where you should specify all of the remaining communication parameters to be used for Synthetic Monitoring. Alternatively, you can specify the remaining communication settings in the [http.client] section.
However, if you do create the [http.client.external] section, you have to specify all of the communication parameters there. Otherwise, the communication parameters for monitored environments (Cloud Foundry, Kubernetes, or Synthetic Monitoring) will revert to their factory defaults.
launcheruserconfig.conf ActiveGate versions 1.205 and earlier
- If the entire section [http.client.internal] does not exist, communication with the Dynatrace Cluster is defined by the settings in the [http.client] section.
- If the entire section [http.client.external] does not exist, communication settings for Cloud Foundry and Kubernetes revert to their factory default values. However, Synthetic Monitoring settings will receive the values specified in the [http.client] section.
If the sections [http.client.internal] or [http.client.external] do exist, then communication settings that are not specified explicitly in them are NOT automatically inherited from the [http.client] configuration section, but revert to factory defaults.
Thus, if you create an [http.client.internal] or [http.client.external] section in your custom.properties file (for example, for the purpose of specifying proxy settings), you need to specify all of the other communication settings there too, even if these settings are the same as those specified in the [http.client] section. Otherwise, the communication settings will revert to their factory default values (for the respective connectivity managed by that section).
For example:
If you have an [http.client.internal] section in your custom.properties file, but you do not re-list a particular communication property in it, then this communication setting will revert to the factory default value for communication with the Dynatrace Cluster. Similarly, settings not re-listed in [http.client.external] will revert to factory defaults for Cloud Foundry, Kubernetes and Synthetic.
- Specifying all communication settings:
To configure communication settings in the [http.client.internal] or [http.client.external] section, first re-list the current settings, then customize as required. To re-list the parameters, first open the config.properties file and copy all the properties from the [http.client] section in that file to the required section in the custom.properties file. Then, if there is an [http.client] section in the custom.properties file, use the values listed there to overwrite the values just copied from config.properties.
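The non-inheritance rules and the re-listing procedure above, as an added example (not Dynatrace code): it reports which settings would revert to factory defaults for each kind of communication, including certificate-validation and hostname-verification, and renders a re-listed section. The function names, the INI-style parsing with Python's configparser, the "proxy-" prefix test for proxy-related keys, and both sample files are assumptions made for this example.

```python
import configparser

# Constructed sample files (not from a real installation). Setting names and
# values reuse the ones shown in this page's examples.
CONFIG_PROPERTIES = """\
[http.client]
connection-timeout=5000
socket-timeout=20000
connection-request-timeout=5000
idle-connection-timeout=15000
max-total-connections=256
max-connections-per-route=32
certificate-validation=yes
hostname-verification=yes
"""

CUSTOM_PROPERTIES = """\
[http.client]
proxy-server=127.0.0.1
proxy-port=8080
socket-timeout=60000

[http.client.internal]
proxy-off=true

[kubernetes_monitoring]
proxy-server=127.0.0.1
proxy-port=8080
"""

COMMON = "http.client"
INTERNAL = "http.client.internal"
EXTERNAL = "http.client.external"
TARGETS = ("Dynatrace Cluster", "AWS/VMware/Azure", "Cloud Foundry",
           "Kubernetes", "Synthetic Monitoring")


def parse(text):
    """Parse properties text into {section: {key: value}} (keys lower-cased)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def governing_section(custom, target):
    """Section whose non-proxy settings apply to target; None = factory defaults."""
    if target == "Dynatrace Cluster":
        return INTERNAL if INTERNAL in custom else COMMON
    if target == "AWS/VMware/Azure":
        return COMMON
    if target in ("Cloud Foundry", "Kubernetes"):
        return EXTERNAL if EXTERNAL in custom else None
    if target == "Synthetic Monitoring":
        return EXTERNAL if EXTERNAL in custom else COMMON
    raise ValueError(f"unknown target: {target}")


def current_settings(config, custom):
    """Non-proxy [http.client] settings: config.properties overlaid by custom.properties."""
    merged = {**config.get(COMMON, {}), **custom.get(COMMON, {})}
    return {k: v for k, v in merged.items() if not k.startswith("proxy-")}


def not_relisted(config, custom, target):
    """Settings that revert to factory defaults for target because they are not re-listed."""
    section = governing_section(custom, target)
    if section == COMMON:
        return []
    listed = custom.get(section, {}) if section else {}
    return sorted(k for k in current_settings(config, custom) if k not in listed)


def relist(config, custom, section):
    """Render section with the current settings re-listed; values already in the section win."""
    body = {**current_settings(config, custom), **custom.get(section, {})}
    return "\n".join([f"[{section}]"] + [f"{k}={v}" for k, v in body.items()])


if __name__ == "__main__":
    config, custom = parse(CONFIG_PROPERTIES), parse(CUSTOM_PROPERTIES)
    for target in TARGETS:
        section = governing_section(custom, target) or "factory defaults"
        print(f"{target}: {section}; not re-listed: {not_relisted(config, custom, target)}")
    print(relist(config, custom, INTERNAL))
```
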
Specify common proxy settings for Dynatrace Cluster communication and AWS/VMware/Azure monitoring
To configure proxy for communication with Dynatrace Cluster and for AWS/VMware/Azure monitoring, edit the [http.client]
section of the custom.properties
file.
Stop the ActiveGate service and edit the custom.properties
file in the ActiveGate configuration directory
Specify the proxy-related parameters in the [http.client]
section of the custom.properties
file, including those parameters related to authentication, if required:
[http.client]
proxy-server=127.0.0.1
proxy-port=8080
# basic authentication credentials
proxy-user=username
proxy-password=password
optional ActiveGate version 1.207+
Add parameter proxy-non-proxy-hosts
to list hosts that should be accessed without going through the proxy. The items in the list should be separated by the '|' (pipe) character. For a full description of allowed syntax, see the syntax for the http.nonProxyHosts
parameter in Networking Properties:
proxy-non-proxy-hosts = host1|host2|host3
Save the custom.properties
file and restart the ActiveGate service.
Note:
- After applying this configuration, the same proxy server will be used for communication with Dynatrace Cluster and AWS/VMware/Azure. To have separate settings for Dynatrace Cluster communication, follow instructions in Set up proxy only for Dynatrace Cluster communication
- Settings specified in [http.client] are not used for connectivity to Cloud Foundry or Kubernetes. Even if there are no sections appropriate for these types of connectivity (that is, no [http.client.external] or [kubernetes_monitoring] sections) in the ActiveGate configuration, settings specified in [http.client] are NOT automatically used for Cloud Foundry or Kubernetes: factory defaults are used instead.
For information on how to specify [http.client] settings during installation, see Customize ActiveGate installation.
Set up proxy for AWS/VMware/Azure monitoring (and exclude Dynatrace Cluster)
You can specify proxy configuration for communication between ActiveGate and Dynatrace Cluster and for AWS/VMware/Azure monitoring in the [http.client] section of the custom.properties file, as described in Set up proxy for Dynatrace Cluster communication and AWS/VMware/Azure monitoring.
These settings can then be overridden for Dynatrace Cluster by specifying custom settings in [http.client.internal]. To exclude the Dynatrace Cluster from proxy settings, and to disable proxy for Dynatrace Cluster, specify proxy-off=true in the [http.client.internal] section of the custom.properties file.
Stop the ActiveGate service and edit the custom.properties
file in the ActiveGate configuration directory
Specify the proxy-related parameters in the [http.client]
section of the custom.properties
file—including those parameters related to authentication, if required:
[http.client]
proxy-server=127.0.0.1
proxy-port=8080
# basic authentication credentials
proxy-user=username
proxy-password=password
Exclude the Dynatrace Cluster from the proxy settings (or provide different, custom proxy settings for Dynatrace Cluster). This needs to be done in the [http.client.internal]
section of the custom.properties
file:
[http.client.internal]
proxy-off=true
Because settings listed in [http.client.internal] (which are specific to communication with the Dynatrace Cluster only) are NOT automatically inherited from [http.client], you will need to repeat here all non-proxy related communication settings from [http.client], with optional customizations as required. Otherwise, if there is an [http.client.internal] section in your custom.properties file, all the non-proxy related settings for Dynatrace Cluster communication will revert to factory defaults.
- To configure communication settings in [http.client.internal], first re-list the current settings, then customize as required. To re-list the settings, first open the config.properties file and copy the properties from the [http.client] section in that file. Then, if there is an [http.client] section in the custom.properties file, use the values listed there to overwrite the values copied from config.properties.
For example:
connection-timeout=5000
socket-timeout=20000
connection-request-timeout=5000
idle-connection-timeout=15000
max-total-connections=256
max-connections-per-route=32
certificate-validation=yes
hostname-verification=yes
Save the custom.properties
file and restart the ActiveGate service.
If you want to set up the proxy only for ActiveGate communication to the monitored environment, define the proxy settings in the launcheruserconfig.conf
file using a set of Java system properties with -D
option after -vmargs
.
Stop the ActiveGate service and edit the launcheruserconfig.conf
file.
Set the host name of the proxy server (-Dhttp.proxyHost
and -Dhttps.proxyHost
) and the port number (-Dhttp.proxyPort
and -Dhttps.proxyPort
). You can either append the parameters and values or update the values if the parameters already exist. It is important to specify the parameter values for both HTTP and HTTPS.
For example:
-vmargs
-Dhttp.proxyHost=127.0.0.1
-Dhttps.proxyHost=127.0.0.1
-Dhttp.proxyPort=8080
-Dhttps.proxyPort=8080
Additional proxy settings that you can set:
-Dhttp.proxyUser
-Dhttps.proxyUser
-Dhttp.proxyPassword
-Dhttps.proxyPassword
-Dhttp.nonProxyHosts
By default, the -Dhttp.nonProxyHosts
parameter applies to both HTTP and HTTPS, and it can remain defined only as HTTP.
For a full description of allowed syntax, see Networking Properties.
Specify common proxy settings for Cloud Foundry, Kubernetes and Synthetic Monitoring
ActiveGate version 1.207+
To configure proxy for the Cloud Foundry and Kubernetes modules, specify the proxy settings in the [http.client.external]
section of the custom.properties
file. Alternatively, specify proxy-off = true
in this section to turn off proxy settings for Cloud Foundry and Kubernetes.
Proxy settings specified in [http.client.external] affect Cloud Foundry monitoring, Kubernetes monitoring, and Synthetic Monitoring, unless overridden in the configuration sections dedicated to these types of connectivity.
Stop the ActiveGate service and edit the custom.properties
file in the ActiveGate configuration directory
Specify the proxy-related parameters in the [http.client.external]
section of the custom.properties
file—including those parameters related to authentication, if required:
[http.client.external]
proxy-server=127.0.0.1
proxy-port=8080
# basic authentication credentials
proxy-user=username
proxy-password=password
Alternatively, to turn off proxy for the modules:
proxy-off = true
Because settings listed in [http.client.external] (which are specific to communication with Cloud Foundry or Kubernetes monitoring) are NOT automatically inherited from [http.client], you will need to specify here all non-proxy related communication settings from [http.client], with optional customizations as required. Otherwise, all other communication settings for the modules will revert to factory defaults.
- To configure communication settings in the [http.client.external] section, first re-list the current settings, then customize as required. To re-list the settings, first open the config.properties file and copy the properties from the [http.client] section in that file. Then, if there is an [http.client] section in the custom.properties file, use the values listed there to overwrite the values copied from config.properties.
For example:
connection-timeout=5000
socket-timeout=20000
connection-request-timeout=5000
idle-connection-timeout=15000
max-total-connections=256
max-connections-per-route=32
certificate-validation=yes
hostname-verification=yes
Save the custom.properties
file and restart the ActiveGate service.
Set up proxy only for Kubernetes monitoring
ActiveGate version 1.207+
To specify proxy configuration exclusively for Kubernetes, and not for communicating with Cloud Foundry or Synthetic Monitoring, use the [kubernetes_monitoring]
section in the custom.properties
file. Proxy settings specified here take precedence over the settings specified in [http.client.external]
. You can also specify proxy-off = true
in the [kubernetes_monitoring]
section, to turn off proxy for Kubernetes.
Use the [kubernetes_monitoring]
section of the configuration only for proxy-related settings. To specify other accompanying communication settings, use the [http.client.external]
section.
Stop the ActiveGate service and edit the custom.properties
file in the ActiveGate configuration directory
Specify the proxy-related parameters in the [kubernetes_monitoring]
section of the custom.properties
file—including those parameters related to authentication, if required. Alternatively specify proxy-off = true
to turn off proxy settings for Kubernetes.
[kubernetes_monitoring]
proxy-server=127.0.0.1
proxy-port=8080
# basic authentication credentials
proxy-user=username
proxy-password=password
or to turn off proxy for Kubernetes:
[kubernetes_monitoring]
proxy-off = true
In the [http.client.external]
section in your custom.properties
file, specify all non-proxy related communication settings for Kubernetes. These settings will also apply to Cloud Foundry and Synthetic Monitoring.
Note that communication settings specified in the [http.client] section are not automatically used for Kubernetes or Cloud Foundry, and, if not specified in [http.client.external], they will revert to factory defaults for Cloud Foundry and Kubernetes.
- To configure communication settings in the [http.client.external] section, first re-list the current settings, then customize as required. To re-list the settings, first open the config.properties file and copy the properties from the [http.client] section in that file. Then, if there is an [http.client] section in the custom.properties file, use the values listed there to overwrite the values copied from config.properties.
For example:
connection-timeout=5000
socket-timeout=20000
connection-request-timeout=5000
idle-connection-timeout=15000
max-total-connections=256
max-connections-per-route=32
certificate-validation=yes
hostname-verification=yes
Save the custom.properties
file and restart the ActiveGate service.
Set up proxy only for Cloud Foundry monitoring
ActiveGate version 1.207+
To specify proxy configuration exclusively for Cloud Foundry, and not for communicating with Kubernetes or Synthetic Monitoring, use the [cloudfoundry_monitoring]
section in the custom.properties
file. Proxy settings specified here take precedence over the settings specified in [http.client.external]
. You can also specify proxy-off = true
in the [cloudfoundry_monitoring]
section, to turn off proxy for Cloud Foundry.
Use the [cloudfoundry_monitoring]
section of the configuration only for proxy-related settings. To specify other accompanying communication settings, use the [http.client.external]
section.
Stop the ActiveGate service and edit the custom.properties
file in the ActiveGate configuration directory
Specify the proxy-related parameters in the [cloudfoundry_monitoring]
section of the custom.properties
file—including those parameters related to authentication, if required. Alternatively specify proxy-off = true
to turn off proxy settings for Cloud Foundry.
[cloudfoundry_monitoring]
proxy-server=127.0.0.1
proxy-port=8080
# basic authentication credentials
proxy-user=username
proxy-password=password
or to turn off proxy for Cloud Foundry:
[cloudfoundry_monitoring]
proxy-off = true
In the [http.client.external]
section in your custom.properties
file, specify all non-proxy related communication settings for Cloud Foundry. These settings will also apply to Kubernetes and Synthetic Monitoring.
Note that communication settings specified in the [http.client] section are not automatically used for Cloud Foundry or Kubernetes, and, if not specified in [http.client.external], they will revert to factory defaults for Cloud Foundry and Kubernetes.
- To configure communication settings in the [http.client.external] section, first re-list the current settings, then customize as required. To re-list the settings, first open the config.properties file and copy the properties from the [http.client] section in that file. Then, if there is an [http.client] section in the custom.properties file, use the values listed there to overwrite the values copied from config.properties.
For example:
connection-timeout=5000
socket-timeout=20000
connection-request-timeout=5000
idle-connection-timeout=15000
max-total-connections=256
max-connections-per-route=32
certificate-validation=yes
hostname-verification=yes
Save the custom.properties
file and restart the ActiveGate service.
Set up proxy only for Dynatrace Cluster communication
To configure proxy exclusively for Dynatrace Cluster, use the [http.client.internal]
section in the custom.properties
file.
Stop the ActiveGate service and edit the custom.properties
file in the ActiveGate configuration directory
In custom.properties
file, create the [http.client.internal]
section (if the section does not already exist).
In the custom.properties
file, in the [http.client.internal]
section, specify parameters related to proxy, including those related to authentication, if required:
[http.client.internal]
proxy-server=127.0.0.1
proxy-port=8080
# basic authentication credentials
proxy-user=username
proxy-password=password
Because settings listed in [http.client.internal] (specific to communication with the Dynatrace Cluster only) are NOT automatically inherited from [http.client], you will need to repeat here all non-proxy related communication settings from [http.client], with optional customizations as required. Otherwise, if there is an [http.client.internal] section in your custom.properties file, all the non-proxy related settings for Dynatrace Cluster communication will revert to factory defaults.
- To configure communication settings in the [http.client.internal] section, first re-list the current settings, then customize as required. To re-list the settings, first open the config.properties file and copy the properties from the [http.client] section in that file. Then, if there is an [http.client] section in the custom.properties file, use the values listed there to overwrite the values copied from config.properties.
For example:
connection-timeout=5000
socket-timeout=20000
connection-request-timeout=5000
idle-connection-timeout=15000
max-total-connections=256
max-connections-per-route=32
certificate-validation=yes
hostname-verification=yes
Save the custom.properties
file and restart the ActiveGate service.
Stop the ActiveGate service and edit the custom.properties
file in the ActiveGate configuration directory
Specify the proxy-related parameters in the [http.client]
section of the custom.properties
file—including those parameters related to authentication, if required:
[http.client]
proxy-server=127.0.0.1
proxy-port=8080
# basic authentication credentials
proxy-user=username
proxy-password=password
Save the custom.properties
file.
Edit the launcheruserconfig.conf
file.
Define the nonProxyHosts
parameter in the launcheruserconfig.conf
file as *
using a set of Java system properties with -D
option after -vmargs
. The nonProxyHosts
parameter indicates the hosts that should be accessed without going through the proxy. Typically this defines internal hosts. The wildcard character *
indicates that all hosts should be accessed directly even if a proxy server is specified.
For full description of allowed syntax, see Networking Properties.
For example:
-vmargs
-Dhttp.nonProxyHosts=*
Save the launcheruserconfig.conf
file and restart the ActiveGate service.
Set up proxy for private Synthetic monitoring
To set up a proxy for communication with the tested resource, set the properties in the [synthetic]
section. To set up a proxy for communication with the Dynatrace server, set the properties in the [http.client]
section. For more information, see Set up a proxy for private synthetic monitoring.
Exclude hosts from proxy communication
Excluding hosts from proxy communication is configured by means of the proxy-non-proxy-hosts
parameter configured in the custom.properties
file.
The proxy-non-proxy-hosts
parameter—if specified in the [http.client]
section of the custom.properties
file—affects ActiveGate communication with the Dynatrace Cluster as well as communication with AWS/VMware/Azure.
If proxy-non-proxy-hosts is specified in the [http.client.external] section of the custom.properties file, it affects ActiveGate communication only for the modules (Cloud Foundry, Kubernetes, Synthetic Monitoring).
You can also specify proxy-non-proxy-hosts
exclusively for Kubernetes, by placing the parameter in the [kubernetes_monitoring]
section, or in [cloudfoundry_monitoring]
for Cloud Foundry.
Note: If you create an [http.client.external] section in your custom.properties file, you need to specify all of the other communication settings in that section too, as they should apply to the modules (Cloud Foundry, Kubernetes or Synthetic Monitoring). This is because communication settings specified in the [http.client] section of ActiveGate configuration are not automatically inherited by the [http.client.external] section.
If you do not re-specify all of the communication settings, the respective settings for the modules (as managed by [http.client.external]) will revert to factory defaults.
Stop the ActiveGate service and edit the custom.properties
file in the ActiveGate configuration directory
Specify the hosts that should be accessed without going through the proxy. Typically this defines internal hosts. The value of this property is a list of hosts separated by the '|' (pipe) character. In addition, you can use the wildcard character '*' for pattern matching. There can be only one wildcard character, either at the beginning or the end of the hostname. For example, proxy-non-proxy-hosts=*.foo.com|localhost
indicates that every host in the foo.com
domain and the localhost
should be accessed directly even if a proxy server is specified. For a full description of allowed syntax, see the syntax for the http.nonProxyHosts
parameter in Networking Properties.
For example:
[http.client]
proxy-non-proxy-hosts=hostname0*|10.1.*
Restart the ActiveGate service.
Excluding hosts from proxy communication is configured by means of the nonProxyHosts
parameter configured in the launcheruserconfig.conf
file.
The nonProxyHosts
parameter configured in the launcheruserconfig.conf
file affects only communication between the ActiveGate and the monitored environment. For example, it may be a cloud technology such as AWS or VMware, or a resource monitored by your private monitors executed on a synthetic-enabled ActiveGate.
Stop the ActiveGate service and edit the launcheruserconfig.conf
file. See Configure ActiveGate launcher.
Specify the hosts that should be accessed without going through the proxy. Typically this defines internal hosts. The value of this property is a list of hosts separated by the '|' (pipe) character. In addition, you can use the wildcard character '*' for pattern matching. There can be only one wildcard character, either at the beginning or the end of the hostname. For example, nonProxyHosts=*.foo.com|localhost
indicates that every host in the foo.com
domain and the localhost
should be accessed directly even if a proxy server is specified.
Make sure that the proxy parameters are preceded by the -vmargs
flag.
For example:
-vmargs
-Dhttp.nonProxyHosts=hostname0*|10.1.*
The syntax for specifying the http.nonProxyHosts
parameter can vary depending on your JVM version. Single quotation marks or double quotation marks might be required for your version of JVM.
For a full description of allowed syntax, see, for example, Networking Properties.
For example:
-vmargs
-Dhttp.nonProxyHosts='hostname0*|10.1.*'
or
-vmargs
-Dhttp.nonProxyHosts="hostname0*|10.1.*"
Restart the ActiveGate service.
Certificate management for Cloud Foundry, Kubernetes, and OpenShift communication
If you're using self-signed certificates for communication to external APIs (for example, for the Cloud Foundry and Kubernetes APIs), you can either add the certificate to the truststore or disable certificate validation in the custom.properties
file.
Add the self-signed certificate to the truststore
ActiveGate version 1.167
Use the method described in Configure trusted root certificates on ActiveGate.
ActiveGate version 1.169+
Bring in the certificate from your cloud provider.
In the following example, we extract the certificate from google.com
and save it locally as dt_k8s_api.pem
. The command is the same for Windows and Linux, assuming you have openssl
installed on Windows.
echo Q | openssl s_client -connect google.com:443 | openssl x509 -outform PEM > dt_k8s_api.pem
For Kubernetes, you can use the following command sequence to get the certificate:
[root@host]# API_ENDPOINT_URL=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
[root@host]# API_HOST_PORT="${API_ENDPOINT_URL#*://}"; API_HOST_PORT="${API_HOST_PORT%%/*}"
[root@host]# if [[ $API_HOST_PORT =~ :[0-9]+$ ]]; then API_SERVER_PORT=$API_HOST_PORT; else API_SERVER_PORT="${API_HOST_PORT}:443"; fi
[root@host]# echo "API server: ${API_SERVER_PORT}"
[root@host]# echo Q | openssl s_client -connect "$API_SERVER_PORT" 2>/dev/null | openssl x509 -outform PEM > dt_k8s_api.pem
Add the certificate to the keystore.
You can provide a full path to the pem
file location (including paths to remote locations) using the -file
parameter, or copy the pem
file to your ActiveGate and provide only the filename as indicated in the example.
[root@host]# sudo /opt/dynatrace/gateway/jre/bin/keytool -import -file dt_k8s_api.pem -alias dt_k8s_api -keystore /var/lib/dynatrace/gateway/ssl/mytrusted.jks
If you import multiple certificates, make sure that you provide a unique alias for each certificate that you import. If you use the same alias for each certificate, all previously used certificates will be overwritten.
You can display the list of aliases and the certificate description using the keytool -list
command.
For example:
# sudo /opt/dynatrace/gateway/jre/bin/keytool -list -keystore /var/lib/dynatrace/gateway/ssl/mytrusted.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
dt_k8s_api, Apr 26, 2020,
trustedCertEntry,
Certificate fingerprint (SHA-256): 07:28:9A:F2:29:32:0D:64:F0:18:93:A1:CC:2E:49:21:E9:DA:40:82:9B:A8:71:B7:A4:2C:6D:8C:B3:90:31:31
Add the following entries in the /var/lib/dynatrace/gateway/config/custom.properties
file.
The entry in the custom.properties
file may look like this:
[collector]
trustedstore = mytrusted.jks
# the following entries are optional
trustedstore-password = changeit
trustedstore-type = JKS
The password will be stripped and encrypted when you restart the ActiveGate service.
Restart ActiveGate services.
Disable certificate validation
Disabling certificate validation isn't recommended because it imposes security risks. However, if you still want to disable certificate validation for test environments, you need to do the following:
- From the Dynatrace menu, select Settings > Cloud and virtualization > Kubernetes.
- Look for your cluster and select the Edit button next to it to edit the cluster settings.
- Disable Require valid certificates for communication with API server.
- Disable Verify hostname in certificate against Kubernetes API URL.
- Select Save to save your changes.
These settings override the settings in the ActiveGate custom.properties file.
Disable the hostname-verification
and certificate-validation
properties by adding the following to the [http.client.external]
section of your custom.properties
file:
[http.client.external]
hostname-verification = false
certificate-validation = false
ActiveGate version 1.187+
You can now deactivate certificate validation for test environments by disabling the setting Require valid certificates for communication with API server in the web UI.