ActiveGate FIPS compliance

ActiveGate version 1.315+

What is FIPS?

The Federal Information Processing Standard (FIPS) is "a standard for adoption and use by federal departments and agencies that has been developed within the Information Technology Laboratory and published by NIST, a part of the U.S. Department of Commerce. A FIPS covers some topic in information technology to achieve a common level of quality or some level of interoperability" (source: NIST glossary).

FIPS compliance means that a product adheres to all security requirements imposed by the standard.

ActiveGate FIPS-compliant mode

ActiveGate deployed in FIPS-compliant mode uses FIPS-certified cryptographic libraries:

ActiveGate purposes compatibility

1 Excluding the Extension Execution Controller module (same as regular, non-FIPS ActiveGate).

2 Refer to Requirements and limitations for Synthetic FIPS compliance.

Host-based ActiveGate deployment

FIPS-compliant mode can be enabled during ActiveGate installation. For details, see Customize ActiveGate installation on Linux.

Requirements

  • Linux x86-64 or ARM64 (AArch64)
  • Operating system with FIPS-compliant mode enabled
    • The ActiveGate installer verifies the operating system configuration by checking whether the FIPS-compliant mode status stored in /proc/sys/crypto/fips_enabled is 1
    • If the ActiveGate installer is started in FIPS-compliant mode while the operating system does not have FIPS-compliant mode enabled, the installer stops and exits with an error

Containerized ActiveGate deployment

Containerized ActiveGate deployments rely on FIPS-compliant images, which are available for the following architectures:

  • x86-64
  • ARM64 (AArch64)

Container registries

FIPS-compliant ActiveGate images are available in our supported public registries with the image tag suffix -fips.

Example: public.ecr.aws/dynatrace/dynatrace-activegate:1.315.70.20241127-162512-fips

See Configure DynaKube to use images from public registry for details on how to instruct Dynatrace Operator to use images from the public registry.

Verification of FIPS-compliant mode

To verify whether ActiveGate is running in FIPS-compliant mode, look for the following entry in the ActiveGate logs (how to access the logs for each deployment type is described below):

2025-06-10 12:16:14 UTC INFO [<tenant>] [FipsDetector] FIPS mode active: true

When FIPS mode active is true, all libraries and configuration related to FIPS compliance are properly initialized and ActiveGate is running in FIPS-compliant mode.

If ActiveGate was installed in FIPS-compliant mode or a FIPS-compliant image was used, but the initialization of FIPS libraries fails or required configuration is missing, ActiveGate cancels its startup and writes the following entry to the log file:

ActiveGate FIPS mode initialization failed

Additionally, a log line describes the specific reason causing the initialization failure.

Accessing logs in host-based deployment

ActiveGate log files have the pattern dynatracegateway.0.<number>.log and can be found in the ActiveGate logs directory (see ActiveGate directories).

Accessing logs in containerized deployment

Logs from containerized ActiveGates can be retrieved using the following command:

kubectl -n <NAMESPACE> logs statefulset.apps/<DYNAKUBE_NAME>-activegate

If multiple replicas are configured, logs from a single pod are returned.

To get logs from a specific pod, use the following command:

kubectl -n <NAMESPACE> logs pod/<DYNAKUBE_NAME>-activegate-<REPLICA_NUMBER>
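The two checks described above (the operating system flag in /proc/sys/crypto/fips_enabled and the FIPS entries in the ActiveGate log) can be combined into one script for a host-based deployment. This is an added example, not Dynatrace tooling: the function names, the "FIPS mode active: false" pattern, and the timestamp and level on the sample failure line are assumptions.

```shell
#!/bin/sh
# Added example, not Dynatrace tooling. Function names are hypothetical.

# os_fips_enabled [FILE]: succeed only if the kernel FIPS flag reads 1,
# the same condition the ActiveGate installer checks.
os_fips_enabled() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag_file" ] || return 2   # no flag file: kernel exposes no FIPS mode
    [ "$(tr -d '[:space:]' < "$flag_file")" = "1" ]
}

# activegate_fips_state [LOG...]: print active, inactive, failed or unknown.
# The last matching entry wins, so a failed restart overrides an older success.
# Reads stdin when no file is given (for example, piped from kubectl logs).
activegate_fips_state() {
    awk '
        /\[FipsDetector\] FIPS mode active: true/    { state = "active" }
        # Assumption: the "false" form of the entry is not quoted on the page.
        /\[FipsDetector\] FIPS mode active: false/   { state = "inactive" }
        /ActiveGate FIPS mode initialization failed/ { state = "failed" }
        END { print (state == "" ? "unknown" : state) }
    ' "$@"
}

# verify_activegate_fips FLAG_FILE LOG...: exit 0 only when the OS flag is 1
# and the most recent FIPS entry in the logs reports an active FIPS mode.
verify_activegate_fips() {
    flag_file="$1"; shift
    os_fips_enabled "$flag_file" || { echo "OS FIPS mode is not enabled" >&2; return 1; }
    state="$(activegate_fips_state "$@")"
    [ "$state" = "active" ] || { echo "ActiveGate FIPS state: $state" >&2; return 1; }
}

# Constructed sample: the success entry quoted on this page, followed by a
# failed restart whose timestamp and log level are made up for illustration.
sample_log() {
    cat <<'EOF'
2025-06-10 12:16:14 UTC INFO [<tenant>] [FipsDetector] FIPS mode active: true
2025-06-11 08:00:02 UTC SEVERE [<tenant>] ActiveGate FIPS mode initialization failed
EOF
}
```

Pass log files oldest first so that the most recent entry decides the result; for a containerized ActiveGate, pipe the kubectl logs output into activegate_fips_state instead.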

Supported cipher suites