Communication to a Cluster ActiveGate is only possible over encrypted SSL connections. For external communication, a Cluster ActiveGate requires a publicly available IP address and a domain name with a valid SSL certificate. This domain must be different from the Web UI domain.
Configuration possibilities for ActiveGate domain and SSL certificate
Initially, after installation, Cluster ActiveGate will use a self-signed certificate generated by Dynatrace. You can then define a public IP address for the ActiveGate, and you can allow Dynatrace to manage the domain and to generate a valid CA-signed SSL certificate on your behalf. Alternatively, you can provide your own domain name and certificate for the ActiveGate.
- If you allow Dynatrace to manage the domain and generate SSL certificates, then each Cluster ActiveGate with a public IP address will get a dedicated web domain (subdomain of
dynatrace-managed.com) and a trusted SSL certificate.
- If you do not allow Dynatrace to generate SSL certificates for ActiveGates, the ActiveGate will continue to use the self-signed certificate, or a certificate uploaded by the user to the ActiveGate through the Cluster Management Console or using the Cluster REST API v1.
Do not attempt to configure SSL certificates directly to your Cluster ActiveGate, by uploading them to the device itself. If you do this, the certificate will be overwritten by automatic management performed by Dynatrace.
Upload your certificate using the Cluster Management Console or the Cluster REST API v1.
Configure Dynatrace to manage the domain and certificate for Cluster ActiveGate
If you want to allow Dynatrace to manage the domain and certificate, use the Cluster Management Console to configure the following settings:
- Select the ActiveGate in Deployment status > ActiveGates and provide a publicly available IP address for the Cluster ActiveGate.
- For the cluster node, go to Settings > Public endpoints and make sure that the Enable management of domain name and SSL certificates option is enabled.
Configure your own domain name and certificate for Cluster ActiveGate
Before you begin
You need your SSL certificate and the key files you received from Certificate Authority (CA):
Server certificate (
Root and Intermediate certificates (
Private key for certificates (
.pem)Encrypted private keys
We don't support encrypted private keys. To decrypt an SSL private key, run the following command:
openssl rsa -in encrypted.ssl.key -out decrypted.ssl.key
encrypted.ssl.keyis the filename of your encrypted SSL private key.
decrypted.ssl.keyis the output file for your decrypted SSL private key.
The command will prompt you for the password and save the decrypted key in the
Specify the domain and turn off automatic management of domain and certificates
To provide your own domain name and certificate, from the Cluster Management Console, select the cluster node and go to Settings > Public endpoints. Then disable the Enable management of domain name and SSL certificates option.
Then provide your own domain name in the Cluster ActiveGate URL field.
Upload your trusted certificate
If you want to use your own certificate or a CA-issued certificate, upload or paste the certificate to Cluster ActiveGate, either through the Cluster Management Console or the Cluster REST API v1. The following steps show the procedure using the Cluster Management Console:
Sign in to Dynatrace Managed as an administrator.
On the Deployment status page, select the ActiveGate you want to configure.
On the page for the selected ActiveGate, select Edit SSL certificate.
You can either paste or upload the certificates.
- Private key: your private key.
- Public key certificate: your server certificate.
- Certificate chain: your root and intermediate certificates.
The key and certificates need to be in PEM format with the full
BEGIN headers and
Key header and footer format:
-----BEGIN PRIVATE KEY----- (Private Key) -----END PRIVATE KEY-----
Certificate header and footer format:
-----BEGIN CERTIFICATE----- (SSL Certificate) -----END CERTIFICATE-----
Select Save to upload the certificates.
Your certificate is associated with a specific host name. To avoid a name-mismatch error, make sure that the common name (domain name) in the SSL certificate matches the address you specified in the
Cluster ActivGate URL field, in for the cluster node.