Setting up a proxy for ActiveGate

To set up a proxy for an ActiveGate, update or add the authentication parameters to the custom.properties or launcheruserconfig.conf file.

Configuration override

If you define the same parameters in the custom.properties and launcheruserconfig.conf files, the proxy parameters defined in the custom.properties file will override the corresponding parameters in the launcheruserconfig.conf file.

To set a proxy for communication between ActiveGate and Dynatrace server and for AWS/VMware/Azure monitoring, configure the parameters in the custom.properties file.
To set a proxy only for AWS/VMware/Azure monitoring, configure the parameters in the launcheruserconfig.conf file.
To set a proxy only for communication between ActiveGate and Dynatrace server (no AWS/VMware/Azure monitoring), configure the parameters in the custom.properties file and in the launcheruserconfig.conf file.
To set up a proxy for communication with a private synthetic tested resource alone or with Dynatrace server, configure parameters in the custom.properties file. See Setting up proxy for private synthetic.

Depending on your ActiveGate version and deployment setup, the configuration files are located in the following directories and folders:

custom.properties
/var/lib/dynatrace/gateway/config
or
/var/lib/dynatrace/gateway/gateway/config
launcheruserconfig.conf
On Linux: /var/lib/dynatrace/gateway/config/launcheruserconfig.conf
On Windows: %PROGRAMDATA%\dynatrace\gateway\config\launcheruserconfig.conf

Setting proxy for Dynatrace server communication and for AWS/VMware/Azure monitoring

To set a proxy for communication between ActiveGate and Dynatrace server and for AWS/VMware/Azure monitoring:

Stop the ActiveGate and edit the custom.properties file.

See Where can I find ActiveGate files?

Specify the proxy-related parameters in the [http.client] section of the custom.properties file—in particular, those parameters related to authentication, such as:

[http.client]
proxy-server=127.0.0.1
proxy-port=8080
# basic authentication credentials
proxy-user=username
proxy-password=password

You also can use the proxy-server and proxy-port parameters in the command-line ActiveGate installation:

PROXY=<proxy server>:<proxy port>

See Customize ActiveGate installation

Save the custom.properties file and restart the ActiveGate.

Setting proxy only for Cloud Foundry and Kubernetes monitoring

The Dynatrace Cloud Foundry and Kubernetes monitoring integrations require the scheme [http.client.external] to configure a proxy for communication with the respective API.

Stop the ActiveGate and edit the custom.properties file.

See Where can I find ActiveGate files?

Specify the proxy-related parameters in the [http.client.external] section of the custom.properties file—in particular, those parameters related to authentication, such as:

[http.client.external]
proxy-server=127.0.0.1
proxy-port=8080
# basic authentication credentials
proxy-user=username
proxy-password=password

See Customize ActiveGate installation

Save the custom.properties file and restart the ActiveGate.

Certificate management for Cloud Foundry, Kubernetes, and OpenShift communication

If you're using self-signed certificates for communication to external APIs (for example, for the Cloud Foundry and Kubernetes APIs), you can either add the certificate to the truststore or disable certificate validation in the custom.properties file.

Add the self-signed certificate to the truststore

ActiveGate version 1.167

Use the method described in Configure trusted root certificates on ActiveGate.

ActiveGate version 1.169+

Bring in the certificate from your cloud provider.
In the following example, we extract the certificate from google.com and save it locally as dt_k8s_api.pem. The command is the same for Windows and Linux, assuming you have openssl installed on Windows.

echo Q | openssl s_client -connect google.com:443 | openssl x509 -outform PEM > dt_k8s_api.pem

For Kubernetes, you can use the following command sequence to get the certificate:

[root@host]# API_ENDPOINT_URL=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
[root@host]# if [[ $API_ENDPOINT_URL =~ (https?://.*):(\d*) ]]; then API_SERVER_PORT=$API_ENDPOINT_URL; else API_SERVER_PORT="$(echo $API_ENDPOINT_URL | sed -e "s/https:\/\///"):443"; fi
[root@host]# echo -e "${YLW} API server:${NC} ${API_SERVER_PORT}"

[root@host]# echo Q | openssl s_client -connect $API_SERVER_PORT 2>/dev/null | openssl x509 -outform PEM > dt_k8s_api.pem

Add the certificate to the keystore.
You can provide a full path to the pem file location (including paths to remote locations) using the -file parameter, or copy the pem file to your ActiveGate and provide only the filename as indicated in the example.

[root@host]# sudo /opt/dynatrace/gateway/jre/bin/keytool -import -file dt_k8s_api.pem -alias dt_k8s_api -keystore /var/lib/dynatrace/gateway/ssl/mytrusted.jks

If you import multiple certificates, make sure that you provide a unique alias for each certificate that you import. If you use the same alias for each certificate, all previously used certificates will be overwritten.

You can display the list of aliases and the certificate description using the keytool -list command.

For example:

# sudo /opt/dynatrace/gateway/jre/bin/keytool -list -keystore /var/lib/dynatrace/gateway/ssl/mytrusted.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
dt_k8s_api, Apr 26, 2020,
trustedCertEntry,
Certificate fingerprint (SHA-256): 07:28:9A:F2:29:32:0D:64:F0:18:93:A1:CC:2E:49:21:E9:DA:40:82:9B:A8:71:B7:A4:2C:6D:8C:B3:90:31:31

Add the following entries in the /var/lib/dynatrace/gateway/config/custom.properties file.

The entry in the custom.properties file may look like this:

[collector]
trustedstore = mytrusted.jks
# the following entries are optional
trustedstore-password = changeit
trustedstore-type = JKS

Encrypted password

The password will be stripped and encrypted when you restart the ActiveGate.

Restart ActiveGate services.

[root@host]# sudo service dynatracegateway stop
[root@host]# sudo service dynatracegateway start

Disable certificate validation

Disabling certificate validation isn't recommended because it imposes security risks. However, if you still want to disable certificate validation for test environments, you need to disable the hostname-verification and certificate-validation properties by adding the following to the [http.client.external] scheme of your custom.properties file:

[http.client.external]
hostname-verification = false
certificate-validation = false

ActiveGate version 1.187+
You can now deactivate certificate validation for test environments by disabling the setting Require valid certificates for communication with API server in the web UI.

Setting proxy only for AWS/VMware/Azure communication

If you want to set up the proxy only for ActiveGate communication to the monitored environment, define the proxy settings in the launcheruserconfig.conf file using a set of Java system properties with -D option after -vmargs.

Stop the ActiveGate and edit the launcheruserconfig.conf file.

Set the host name of the proxy server (-Dhttp.proxyHost and -Dhttps.proxyHost) and the port number (-Dhttp.proxyPort and -Dhttps.proxyPort). You can either append the parameters and values or update the values if the parameters already exist. It is important to specify the parameter values for both HTTP and HTTPS.

For example:

  -vmargs
  -Dhttp.proxyHost=127.0.0.1
  -Dhttps.proxyHost=127.0.0.1

  -Dhttp.proxyPort=8080
  -Dhttps.proxyPort=8080

Additional proxy settings that you can set:

  -Dhttp.proxyUser
  -Dhttps.proxyUser

  -Dhttp.proxyPassword
  -Dhttps.proxyPassword

  -Dhttp.nonProxyHosts

Dhttp.nonProxyHosts

By default, the -Dhttp.nonProxyHosts parameter applies to both HTTP and HTTPS, and it can remain defined only as HTTP.

Setting proxy only for Dynatrace Server communication

Stop the ActiveGate and edit the custom.properties file.

See Where can I find ActiveGate files?

Specify the proxy-related parameters in the [http.client] section of the custom.properties file—in particular, those parameters related to authentication, such as:

[http.client]
proxy-server=127.0.0.1
proxy-port=8080
# basic authentication credentials
proxy-user=username
proxy-password=password

Save the custom.properties file.

Edit the launcheruserconfig.conf file.

Define the nonProxyHosts parameter in the launcheruserconfig.conf file as * using a set of Java system properties with -D option after -vmargs. The nonProxyHosts parameter indicates the hosts that should be accessed without going through the proxy. Typically this defines internal hosts. The wildcard character * indicates that all hosts should be accessed directly even if a proxy server is specified. See Java Networking and Proxies For example:

  -vmargs
  -Dhttp.nonProxyHosts=*

Save the launcheruserconfig.conf file and restart the ActiveGate.

Setting proxy for private synthetic

To set a proxy for communication with the tested resource, set the properties in the [synthetic] section. To set a proxy for communication with the Dynatrace server, set the properties in the [http.client] section. For more information, see Setting up proxy for private synthetic.

Excluding hosts from proxy communication

The nonProxyHosts parameter configured in the launcheruserconfig.conf file affects only communication between the ActiveGate and the monitored environment. For example, it may be a cloud technology such as AWS or VMware, or a resource monitored by your private monitors executed on a synthetic-enabled ActiveGate.

Stop the ActiveGate and edit the launcheruserconfig.conf file. See Configure ActiveGate launcher.

The hosts that should be accessed without going through the proxy. Typically this defines internal hosts. The value of this property is a list of hosts separated by the '|' character. In addition, you can use the wildcard character '*' for pattern matching. There can be only one wildcard character, either at the beginning or the end of the hostname. For example, nonProxyHosts=*.foo.com|localhost indicates that every host in the foo.com domain and the localhost should be accessed directly even if a proxy server is specified.

Make sure that the proxy parameters are preceded by the -vmargs flag.

For example:

-vmargs
-Dhttp.nonProxyHosts=hostname0*|10.1.*

JVM version

The syntax for specifying the host variable may vary depending on your JVM version. Single quotation marks or double quotation marks may be required for your version of JVM.

For example:

-vmargs
-Dhttp.nonProxyHosts='hostname0*|10.1.*'

-vmargs
-Dhttp.nonProxyHosts="hostname0*|10.1.*"

-vmargs
-Dhttp.nonProxyHosts="hostname0*|10.1.*"

Restart the ActiveGate.