Set up a proxy for ActiveGate

To set up a proxy for an ActiveGate, update or add parameters in the following files in the ActiveGate configuration directory:

custom.properties

Settings are specified in:

  • [http.client.internal]

    ActiveGate version 1.207+ Settings specific to communication with the Dynatrace Cluster only.
    In particular, this section can contain configuration properties related to proxy settings and connection timeouts.

    If this section does not exist, communication with the Dynatrace Cluster is defined by the settings in the [http.client] section. However, if the [http.client.internal] section does exist, but a particular communication setting is not listed there, then, for the purpose of communicating with the Dynatrace Cluster, the value of that setting is assumed to be its factory default (i.e., it is not inherited from [http.client]).

  • [http.client]

    Communication settings used for AWS/VMware/Azure monitoring and for communicating with the Dynatrace Cluster (unless overridden in [http.client.internal]). In particular, this section contains configuration properties related to proxy settings and connection timeouts.

  • [http.client.external]

    ActiveGate version 1.207+ Communication settings for specific modules: Cloud Foundry, Kubernetes, and also for Synthetic Monitoring.
    In particular, this section can contain configuration properties related to proxy settings and connection timeouts.

    If this section contains proxy-off = true, then there is no proxy for the modules. If it contains the proxy-host property, then this is the proxy to be used for the modules.

    Note: Communication settings specified in [http.client] are not always used as defaults for the modules: If a particular communication setting is not specified in [http.client.external], then that setting—for Cloud Foundry, Kubernetes or Synthetic Monitoring—will revert to its factory default value, rather than to the value specified in [http.client].
    Similarly, if the entire [http.client.external] section does not exist, then all of the communication settings for Kubernetes and Cloud Foundry will revert to their factory default values; however, settings for Synthetic Monitoring will assume values as specified in the [http.client] section.

  • [cloudfoundry_monitoring]

    ActiveGate version 1.207+ This section can contain proxy settings for communication with Cloud Foundry. If this section contains proxy-off = true, then there is no proxy for communication with Cloud Foundry. If it contains the proxy-host property, then this is the proxy to be used for Cloud Foundry monitoring, rather than the proxy specified in [http.client.external].
    Note: If you have a [cloudfoundry_monitoring] section in your custom.properties file, you also need to have an [http.client.external] section, where you should specify all the remaining communication parameters that are to be used for Cloud Foundry communication.

  • [kubernetes_monitoring]

    ActiveGate version 1.207+ This section can contain proxy settings for communication with Kubernetes, along with other settings related to fine-tuning communication settings for Kubernetes monitoring.
    If this section contains proxy-off = true, then there is no proxy for communication with Kubernetes. If it contains the proxy-host property, then this is the proxy to be used for Kubernetes monitoring, rather than the proxy specified in [http.client.external].
    Note: If you have a [kubernetes_monitoring] section in your custom.properties file, then you also need to have an [http.client.external] section, where you should specify all of the remaining communication parameters to be used for Kubernetes communication.

  • [synthetic]

    ActiveGate version 1.207+ Proxy settings for Synthetic Monitoring. If this section contains proxy-off = true, then there is no proxy for Synthetic Monitoring. If it contains the proxy-host property, then this is the proxy to be used for Synthetic Monitoring, rather than the proxy specified in [http.client.external] (or in [http.client], if [http.client.external] is not defined).
    Note: If you have a [synthetic] section in your custom.properties file, you can have an [http.client.external] section, where you should specify all of the remaining communication parameters to be used for Synthetic Monitoring. Alternatively, you can specify the remaining communication settings in the [http.client] section.
    However, if you do create the [http.client.external] section, you have to specify all of the communication parameters there. Otherwise, the communication parameters for monitored environments (Cloud Foundry, Kubernetes, or Synthetic Monitoring) will revert to their factory defaults.

launcheruserconfig.conf ActiveGate versions 1.205 and earlier

If section [http.client.internal] does not exist, its values revert to [http.client]
  • If the entire section [http.client.internal] does not exist, communication with the Dynatrace Cluster is defined by the settings in the [http.client] section.
If [http.client.external] does not exist, communication settings for some modules will revert to factory defaults
  • If the entire section [http.client.external] does not exist, communication settings for Cloud Foundry and Kubernetes revert to their factory default values. However, Synthetic Monitoring settings will receive the values specified in the [http.client] section.
Always specify all communication settings in [http.client.internal] and [http.client.external]

If the [http.client.internal] or [http.client.external] section exists, communication settings that are not specified explicitly in it are NOT automatically inherited from the [http.client] configuration section, but revert to factory defaults.
Thus, if you create an [http.client.internal] or [http.client.external] section in your custom.properties file (for example, to specify proxy settings), you need to specify all of the other communication settings there too, even if these settings are the same as those specified in the [http.client] section. Otherwise the communication settings will revert to their factory default values (for the respective connectivity, managed by that section).
For example:
If you have an [http.client.internal] section in your custom.properties file, but you do not re-list a particular communication property in it, then this communication setting will revert to the factory default value for communication with the Dynatrace Cluster. Similarly, settings not re-listed in [http.client.external] will revert to factory defaults for Cloud Foundry, Kubernetes and Synthetic.

  • Specifying all communication settings: To configure communication settings in the [http.client.internal] or [http.client.external] section, first re-list the current settings, then customize as required. To re-list the parameters, first, open the config.properties file and copy all the properties from the [http.client] section in that file to the required section in the custom.properties file. Then, if there is an [http.client] section in the custom.properties file, use the values listed there, to overwrite the values just copied from config.properties.
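
A check for the non-inheritance rule above, as an added example (not Dynatrace code): it parses the text of a custom.properties file and reports settings that silently fall back to factory defaults, non-proxy settings placed in proxy-only sections, and TLS checks not set to yes. The list of communication settings is taken from this page's examples and is assumed not to be exhaustive; the function names and the sample configuration are constructed for illustration.

```python
import configparser

# Communication settings shown in this page's examples (assumed not exhaustive).
COMM_SETTINGS = (
    "connection-timeout", "socket-timeout", "connection-request-timeout",
    "idle-connection-timeout", "max-total-connections",
    "max-connections-per-route", "certificate-validation",
    "hostname-verification",
)
TLS_CHECKS = ("certificate-validation", "hostname-verification")
# Sections that stop inheriting from [http.client] as soon as they exist.
NON_INHERITING = ("http.client.internal", "http.client.external")
# Sections the page reserves for proxy-related settings only.
PROXY_ONLY = ("kubernetes_monitoring", "cloudfoundry_monitoring")

# Constructed sample, not a real ActiveGate configuration.
SAMPLE = """
[http.client]
proxy-server=127.0.0.1
proxy-port=8080
socket-timeout=60000
certificate-validation=yes
hostname-verification=yes

[http.client.internal]
proxy-off=true

[http.client.external]
proxy-server=127.0.0.1
proxy-port=8080
connection-timeout=5000
socket-timeout=20000
connection-request-timeout=5000
idle-connection-timeout=15000
max-total-connections=256
max-connections-per-route=32
certificate-validation=no
hostname-verification=yes

[kubernetes_monitoring]
proxy-off = true
socket-timeout=1000
"""


def parse(text):
    """Return {section: {key: value}} for an INI-style properties text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def audit(text):
    """Return a list of (section, key, note) findings."""
    cfg = parse(text)
    base = cfg.get("http.client", {})
    findings = []
    for section in NON_INHERITING:
        if section not in cfg:
            continue  # an absent section is handled as the page describes
        for key in COMM_SETTINGS:
            if key not in cfg[section]:
                note = "not re-listed, reverts to factory default"
                if key in base:
                    note += f" ([http.client] value {base[key]} is not inherited)"
                findings.append((section, key, note))
    for section in PROXY_ONLY:
        if section not in cfg:
            continue
        if "http.client.external" not in cfg:
            findings.append((section, "", "needs [http.client.external] for the remaining settings"))
        for key in cfg[section]:
            if not key.startswith("proxy-"):
                findings.append((section, key, "non-proxy setting, move to [http.client.external]"))
    for section, props in cfg.items():
        for key in TLS_CHECKS:
            if key in props and props[key].strip().lower() != "yes":
                findings.append((section, key, f"TLS check set to {props[key]}"))
    return findings


if __name__ == "__main__":
    for section, key, note in audit(SAMPLE):
        print(f"[{section}] {key}: {note}")
```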

Specify common proxy settings for Dynatrace Cluster communication and AWS/VMware/Azure monitoring

To configure a proxy for communication with Dynatrace Cluster and for AWS/VMware/Azure monitoring, edit the [http.client] section of the custom.properties file.

Stop the ActiveGate service and edit the custom.properties file in the ActiveGate configuration directory

Specify the proxy-related parameters in the [http.client] section of the custom.properties file, including those parameters related to authentication, if required:

[http.client]
proxy-server=127.0.0.1
proxy-port=8080
# basic authentication credentials
proxy-user=username
proxy-password=password

optional ActiveGate version 1.207+
Add parameter proxy-non-proxy-hosts to list hosts that should be accessed without going through the proxy. The items in the list should be separated by the '|' (pipe) character. For a full description of allowed syntax, see the syntax for the http.nonProxyHosts parameter in Networking Properties:

proxy-non-proxy-hosts = host1|host2|host3

Save the custom.properties file and restart the ActiveGate service.

Note:

  • After applying this configuration, the same proxy server will be used for communication with Dynatrace Cluster and AWS/VMware/Azure. To have separate settings for Dynatrace Cluster communication, follow instructions in Set up proxy only for Dynatrace Cluster communication
  • Settings specified in [http.client] are not used for connectivity to Cloud Foundry or Kubernetes. Even if there are no sections appropriate for these types of connectivity (that is, no [http.client.external] or [kubernetes_monitoring] sections) in the ActiveGate configuration, settings specified in [http.client] are NOT automatically used for Cloud Foundry or Kubernetes: factory defaults are used instead.
    For information on how to specify [http.client] settings during installation, see Customize ActiveGate installation.

Set up proxy for AWS/VMware/Azure monitoring (and exclude Dynatrace Cluster)

You can specify proxy configuration for communication between ActiveGate and Dynatrace Cluster and for AWS/VMware/Azure monitoring in the [http.client] section of the custom.properties file, as described in Set up proxy for Dynatrace Cluster communication and AWS/VMware/Azure monitoring.

These settings can then be overridden for Dynatrace Cluster by specifying custom settings in [http.client.internal]. To exclude the Dynatrace Cluster from the proxy settings and disable the proxy for Dynatrace Cluster, specify proxy-off=true in the [http.client.internal] section of the custom.properties file.

Stop the ActiveGate service and edit the custom.properties file in the ActiveGate configuration directory

Specify the proxy-related parameters in the [http.client] section of the custom.properties file—including those parameters related to authentication, if required:

[http.client]
proxy-server=127.0.0.1
proxy-port=8080
# basic authentication credentials
proxy-user=username
proxy-password=password

Exclude the Dynatrace Cluster from the proxy settings (or provide different, custom proxy settings for Dynatrace Cluster). This needs to be done in the [http.client.internal] section of the custom.properties file:

[http.client.internal]
proxy-off=true

Specify all communication settings in [http.client.internal]

Because settings listed in [http.client.internal] (which are specific to communication with the Dynatrace Cluster only) are NOT automatically inherited from [http.client], you will need to repeat here all non-proxy related communication settings from [http.client], with optional customizations as required. Otherwise, if there is an [http.client.internal] section in your custom.properties file, all the non-proxy related settings for Dynatrace Cluster communication will revert to factory defaults.

  • To configure communication settings in [http.client.internal], first re-list the current settings, then customize as required. To re-list the settings, first, open the config.properties file and copy the properties from the [http.client] section in that file. Then, if there is an [http.client] section in the custom.properties file, use the values listed there, to overwrite the values copied from config.properties.

For example:

connection-timeout=5000
socket-timeout=20000
connection-request-timeout=5000
idle-connection-timeout=15000
max-total-connections=256
max-connections-per-route=32
certificate-validation=yes
hostname-verification=yes

Save the custom.properties file and restart the ActiveGate service.

Specify common proxy settings for Cloud Foundry, Kubernetes and Synthetic Monitoring

ActiveGate version 1.207+

To configure proxy for the Cloud Foundry and Kubernetes modules, specify the proxy settings in the [http.client.external] section of the custom.properties file. Alternatively, specify proxy-off = true in this section to turn off proxy settings for Cloud Foundry and Kubernetes.

Proxy settings specified in [http.client.external] affect Cloud Foundry monitoring, Kubernetes monitoring, and Synthetic Monitoring, unless overridden in configuration sections dedicated to these connectivities.

Stop the ActiveGate service and edit the custom.properties file in the ActiveGate configuration directory

Specify the proxy-related parameters in the [http.client.external] section of the custom.properties file—including those parameters related to authentication, if required:

[http.client.external]
proxy-server=127.0.0.1
proxy-port=8080
# basic authentication credentials
proxy-user=username
proxy-password=password

Alternatively, to turn off proxy for the modules:

proxy-off = true

Specify all communication settings in [http.client.external]

Because settings listed in [http.client.external] (which are specific to communication with Cloud Foundry or Kubernetes monitoring) are NOT automatically inherited from [http.client], you will need to specify here all non-proxy related communication settings from [http.client], with optional customizations as required. Otherwise all other communication settings for the modules will revert to factory defaults.

  • To configure communication settings in the [http.client.external] section, first re-list the current settings, then customize as required. To re-list the settings, first, open the config.properties file and copy the properties from the [http.client] section in that file. Then, if there is an [http.client] section in the custom.properties file, use the values listed there, to overwrite the values copied from config.properties.

For example:

connection-timeout=5000
socket-timeout=20000
connection-request-timeout=5000
idle-connection-timeout=15000
max-total-connections=256
max-connections-per-route=32
certificate-validation=yes
hostname-verification=yes

Save the custom.properties file and restart the ActiveGate service.

Set up proxy only for Kubernetes monitoring

ActiveGate version 1.207+

To specify proxy configuration exclusively for Kubernetes, and not for communicating with Cloud Foundry or Synthetic Monitoring, use the [kubernetes_monitoring] section in the custom.properties file. Proxy settings specified here take precedence over the settings specified in [http.client.external]. You can also specify proxy-off = true in the [kubernetes_monitoring] section to turn off the proxy for Kubernetes.

Use the [kubernetes_monitoring] section of the configuration only for proxy-related settings

Use the [kubernetes_monitoring] section of the configuration only for proxy-related settings. To specify other accompanying communication settings, use the [http.client.external] section.

Stop the ActiveGate service and edit the custom.properties file in the ActiveGate configuration directory

Specify the proxy-related parameters in the [kubernetes_monitoring] section of the custom.properties file—including those parameters related to authentication, if required. Alternatively specify proxy-off = true to turn off proxy settings for Kubernetes.

[kubernetes_monitoring]
proxy-server=127.0.0.1
proxy-port=8080
# basic authentication credentials
proxy-user=username
proxy-password=password

or to turn off proxy for Kubernetes:

[kubernetes_monitoring]
proxy-off = true

Configure all communication settings in the [http.client.external] section

In the [http.client.external] section in your custom.properties file, specify all non-proxy related communication settings for Kubernetes. These settings will also apply to Cloud Foundry and Synthetic Monitoring. Note that communication settings specified in the [http.client] section are not automatically used for Kubernetes or Cloud Foundry; if not specified in [http.client.external], they will revert to factory defaults for Cloud Foundry and Kubernetes.

  • To configure communication settings in the [http.client.external] section, first re-list the current settings, then customize as required. To re-list the settings, first, open the config.properties file and copy the properties from the [http.client] section in that file. Then, if there is an [http.client] section in the custom.properties file, use the values listed there, to overwrite the values copied from config.properties.

    For example:

connection-timeout=5000
socket-timeout=20000
connection-request-timeout=5000
idle-connection-timeout=15000
max-total-connections=256
max-connections-per-route=32
certificate-validation=yes
hostname-verification=yes

Save the custom.properties file and restart the ActiveGate service.

Set up proxy only for Cloud Foundry monitoring

ActiveGate version 1.207+

To specify proxy configuration exclusively for Cloud Foundry, and not for communicating with Kubernetes or Synthetic Monitoring, use the [cloudfoundry_monitoring] section in the custom.properties file. Proxy settings specified here take precedence over the settings specified in [http.client.external]. You can also specify proxy-off = true in the [cloudfoundry_monitoring] section to turn off the proxy for Cloud Foundry.

Use the [cloudfoundry_monitoring] section of the configuration only for proxy-related settings

Use the [cloudfoundry_monitoring] section of the configuration only for proxy-related settings. To specify other accompanying communication settings, use the [http.client.external] section.

Stop the ActiveGate service and edit the custom.properties file in the ActiveGate configuration directory

Specify the proxy-related parameters in the [cloudfoundry_monitoring] section of the custom.properties file—including those parameters related to authentication, if required. Alternatively specify proxy-off = true to turn off proxy settings for Cloud Foundry.

[cloudfoundry_monitoring]
proxy-server=127.0.0.1
proxy-port=8080
# basic authentication credentials
proxy-user=username
proxy-password=password

or to turn off proxy for Cloud Foundry:

[cloudfoundry_monitoring]
proxy-off = true

Configure all communication settings in the [http.client.external] section

In the [http.client.external] section in your custom.properties file, specify all non-proxy related communication settings for Cloud Foundry. These settings will also apply to Kubernetes and Synthetic Monitoring. Note that communication settings specified in the [http.client] section are not automatically used for Cloud Foundry or Kubernetes; if not specified in [http.client.external], they will revert to factory defaults for Cloud Foundry and Kubernetes.

  • To configure communication settings in the [http.client.external] section, first re-list the current settings, then customize as required. To re-list the settings, first, open the config.properties file and copy the properties from the [http.client] section in that file. Then, if there is an [http.client] section in the custom.properties file, use the values listed there, to overwrite the values copied from config.properties.

    For example:

connection-timeout=5000
socket-timeout=20000
connection-request-timeout=5000
idle-connection-timeout=15000
max-total-connections=256
max-connections-per-route=32
certificate-validation=yes
hostname-verification=yes

Save the custom.properties file and restart the ActiveGate service.

Set up proxy only for Dynatrace Cluster communication

To configure proxy exclusively for Dynatrace Cluster, use the [http.client.internal] section in the custom.properties file.

Stop the ActiveGate service and edit the custom.properties file in the ActiveGate configuration directory

In custom.properties file, create the [http.client.internal] section (if the section does not already exist).

In the custom.properties file, in the [http.client.internal] section, specify parameters related to proxy, including those related to authentication, if required:

[http.client.internal]
proxy-server=127.0.0.1
proxy-port=8080
# basic authentication credentials
proxy-user=username
proxy-password=password

Specify all communication settings in the [http.client.internal] section

Because settings listed in [http.client.internal] (specific to communication with the Dynatrace Cluster only) are NOT automatically inherited from [http.client], you will need to repeat here all non-proxy related communication settings from [http.client], with optional customizations as required. Otherwise, if there is an [http.client.internal] section in your custom.properties file, all the non-proxy related settings for Dynatrace Cluster communication will revert to factory defaults.

  • To configure communication settings in the [http.client.internal] section, first re-list the current settings, then customize as required. To re-list the settings, first, open the config.properties file and copy the properties from the [http.client] section in that file. Then, if there is an [http.client] section in the custom.properties file, use the values listed there, to overwrite the values copied from config.properties.

For example:

connection-timeout=5000
socket-timeout=20000
connection-request-timeout=5000
idle-connection-timeout=15000
max-total-connections=256
max-connections-per-route=32
certificate-validation=yes
hostname-verification=yes

Save the custom.properties file and restart the ActiveGate service.

Set up proxy for private Synthetic monitoring

To set up a proxy for communication with the tested resource, set the properties in the [synthetic] section. To set up a proxy for communication with the Dynatrace server, set the properties in the [http.client] section. For more information, see Set up a proxy for private synthetic monitoring.

Exclude hosts from proxy communication

Hosts are excluded from proxy communication by means of the proxy-non-proxy-hosts parameter in the custom.properties file.

If specified in the [http.client] section of the custom.properties file, the proxy-non-proxy-hosts parameter affects ActiveGate communication with the Dynatrace Cluster as well as communication with AWS/VMware/Azure. If specified in the [http.client.external] section of the custom.properties file, it affects ActiveGate communication only for the modules (Cloud Foundry, Kubernetes, Synthetic Monitoring).
You can also specify proxy-non-proxy-hosts exclusively for Kubernetes, by placing the parameter in the [kubernetes_monitoring] section, or in [cloudfoundry_monitoring] for Cloud Foundry.

Note: If you create an [http.client.external] section in your custom.properties file, you need to specify all of the other communication settings in that section too, as they should apply to the modules (Cloud Foundry, Kubernetes or Synthetic Monitoring). This is because communication settings specified in the [http.client] section of ActiveGate configuration are not automatically inherited by the [http.client.external] section.
If you do not re-specify all of the communication settings, the respective settings for the modules (as managed by [http.client.external]) will revert to factory defaults.

Stop the ActiveGate service and edit the custom.properties file in the ActiveGate configuration directory

Specify the hosts that should be accessed without going through the proxy. Typically this defines internal hosts. The value of this property is a list of hosts separated by the '|' (pipe) character. In addition, you can use the wildcard character '*' for pattern matching. There can be only one wildcard character, either at the beginning or the end of the hostname. For example, proxy-non-proxy-hosts=*.foo.com|localhost indicates that every host in the foo.com domain and the localhost should be accessed directly even if a proxy server is specified. For a full description of allowed syntax, see the syntax for the http.nonProxyHosts parameter in Networking Properties.

For example:

[http.client]
proxy-non-proxy-hosts=hostname0*|10.1.*

Restart the ActiveGate service.
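
To review which destinations a proxy-non-proxy-hosts value sends around the proxy, the following added example (not Dynatrace code) models the syntax described above: a pipe-separated list with at most one wildcard, at the beginning or the end of an item. The function names are hypothetical, case-insensitive comparison is an assumption, and the host names are constructed.

```python
def parse_non_proxy_hosts(value):
    """Split a proxy-non-proxy-hosts value and reject patterns the page disallows."""
    patterns = []
    for raw in value.split("|"):
        item = raw.strip().lower()
        if not item:
            continue
        # Only one wildcard is allowed, and only as the first or last character.
        if item.count("*") > 1 or "*" in item[1:-1]:
            raise ValueError(f"invalid wildcard placement: {raw!r}")
        patterns.append(item)
    return patterns


def matches(host, pattern):
    """Plain string match of one host against one validated pattern."""
    host = host.lower()
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])      # *.foo.com -> suffix match
    if pattern.endswith("*"):
        return host.startswith(pattern[:-1])   # 10.1.* -> prefix match
    return host == pattern


def bypasses_proxy(host, value):
    """True if the host would be contacted directly under this model."""
    return any(matches(host, p) for p in parse_non_proxy_hosts(value))


if __name__ == "__main__":
    value = "hostname0*|10.1.*"  # the example value from this page
    # Constructed host names for illustration.
    for host in ("hostname01.corp", "10.1.2.3", "10.2.0.1", "10.1.example.org"):
        print(f"{host}: {'direct' if bypasses_proxy(host, value) else 'via proxy'}")
```

Under this model the match is on the host string, not on an address range, so a prefix pattern such as 10.1.* also covers any DNS name that begins with 10.1.; keep each pattern as narrow as the intended internal hosts allow.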

Certificate management for Cloud Foundry, Kubernetes, and OpenShift communication

If you're using self-signed certificates for communication to external APIs (for example, for the Cloud Foundry and Kubernetes APIs), you can either add the certificate to the truststore or disable certificate validation in the custom.properties file.

Add the self-signed certificate to the truststore

ActiveGate version 1.167

Use the method described in Configure trusted root certificates on ActiveGate.

ActiveGate version 1.169+

Bring in the certificate from your cloud provider.
In the following example, we extract the certificate from google.com and save it locally as dt_k8s_api.pem. The command is the same for Windows and Linux, assuming you have openssl installed on Windows.

echo Q | openssl s_client -connect google.com:443 | openssl x509 -outform PEM > dt_k8s_api.pem

For Kubernetes, you can use the following command sequence to get the certificate:

[root@host]# API_ENDPOINT_URL=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
[root@host]# # openssl s_client -connect expects host:port, so strip the scheme and any path, and default to port 443
[root@host]# API_SERVER_PORT="${API_ENDPOINT_URL#*://}"; API_SERVER_PORT="${API_SERVER_PORT%%/*}"; if [[ ! $API_SERVER_PORT =~ :[0-9]+$ ]]; then API_SERVER_PORT="${API_SERVER_PORT}:443"; fi
[root@host]# echo "API server: ${API_SERVER_PORT}"

[root@host]# echo Q | openssl s_client -connect "$API_SERVER_PORT" 2>/dev/null | openssl x509 -outform PEM > dt_k8s_api.pem

Add the certificate to the keystore.
You can provide a full path to the pem file location (including paths to remote locations) using the -file parameter, or copy the pem file to your ActiveGate and provide only the filename as indicated in the example.

[root@host]# sudo /opt/dynatrace/gateway/jre/bin/keytool -import -file dt_k8s_api.pem -alias dt_k8s_api -keystore /var/lib/dynatrace/gateway/ssl/mytrusted.jks

If you import multiple certificates, make sure that you provide a unique alias for each certificate that you import. If you use the same alias for each certificate, all previously used certificates will be overwritten.

You can display the list of aliases and the certificate description using the keytool -list command.

For example:

# sudo /opt/dynatrace/gateway/jre/bin/keytool -list -keystore /var/lib/dynatrace/gateway/ssl/mytrusted.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
dt_k8s_api, Apr 26, 2020,
trustedCertEntry,
Certificate fingerprint (SHA-256): 07:28:9A:F2:29:32:0D:64:F0:18:93:A1:CC:2E:49:21:E9:DA:40:82:9B:A8:71:B7:A4:2C:6D:8C:B3:90:31:31

Add the following entries in the /var/lib/dynatrace/gateway/config/custom.properties file.

The entry in the custom.properties file may look like this:

[collector]
trustedstore = mytrusted.jks
# the following entries are optional
trustedstore-password = changeit
trustedstore-type = JKS

Encrypted password

The password will be stripped and encrypted when you restart the ActiveGate service.

Restart ActiveGate services.

Disable certificate validation

Disabling certificate validation isn't recommended because it imposes security risks. However, if you still want to disable certificate validation for test environments, you need to do the following:

  1. From the Dynatrace menu, select Settings > Cloud and virtualization > Kubernetes.
  2. Look for your cluster and select the Edit button next to it to edit the cluster settings.
  3. Disable Require valid certificates for communication with API server.
  4. Disable Verify hostname in certificate against Kubernetes API URL.
  5. Select Save to save your changes. These settings override the settings in the ActiveGate custom.properties file.