We recommend using custom certificates for ActiveGates to increase security.
See Custom SSL certificate for ActiveGate.
Ensure ActiveGate tokens are enforced in your environment. To do so, check the status of your ActiveGate token usage and take action based on the outcome.
To migrate to ActiveGate token-based security, start by determining the status of your ActiveGate token usage.
If Dynatrace displays a message like this:
ActiveGate tokens come in two types:
The format of an ActiveGate token consists of three parts separated by dots (.).
Example:
dt0g02.4KWZO5EF.XT47R5DRADJIZUFOX4UDNOKTSUSABGLN7XSMJG7UXHRXKNY4WLORH4OF4T75MG7E
Part | Name | Description
1 | prefix | The first part (dt0g02 in the example above) is the token prefix. It identifies the token type.
2 | public | The second part (4KWZO5EF in the example above) is the 8-character public portion of the token. Together, the prefix and the public portion comprise the token identifier. You can safely display the token identifier in the web UI and use it for logging purposes.
3 | secret | The third part (XT47R5DRADJIZUFOX4UDNOKTSUSABGLN7XSMJG7UXHRXKNY4WLORH4OF4T75MG7E in the example above) is the 64-character secret portion of the token. Treat the secret portion like a password. It shouldn't be displayed in Dynatrace (following initial creation) or stored in log files.
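The following is an added example, not code from the page or from Dynatrace: a small parser that enforces the three-part shape described above and a log redactor that keeps only the identifier (prefix plus public portion). The lengths (8 and 64) are from the page; the character classes used for the parts are an assumption based on the example token, and the log line is constructed.

```python
import re
from typing import NamedTuple

# Lengths (8-character public part, 64-character secret) are from the page. The character
# class [A-Z0-9] for those parts and [a-z0-9] for the prefix is an assumption based on the example.
_PART = re.compile(r"[A-Z0-9]+")
_TOKEN_IN_TEXT = re.compile(r"\b([a-z0-9]+)\.([A-Z0-9]{8})\.[A-Z0-9]{64}\b")

# Example token from the page.
EXAMPLE_TOKEN = "dt0g02.4KWZO5EF.XT47R5DRADJIZUFOX4UDNOKTSUSABGLN7XSMJG7UXHRXKNY4WLORH4OF4T75MG7E"


class ActiveGateToken(NamedTuple):
    prefix: str   # identifies the token type (dt0g02 in the example)
    public: str   # 8 characters; safe for UIs and logs
    secret: str   # 64 characters; treat like a password

    @property
    def identifier(self) -> str:
        """prefix.public, the only part that may be displayed or logged."""
        return f"{self.prefix}.{self.public}"


def parse_token(token: str) -> ActiveGateToken:
    """Split a token into its three dot-separated parts and check each part's shape.
    Raises ValueError for anything that does not match the documented format."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated parts")
    prefix, public, secret = parts
    if not re.fullmatch(r"[a-z0-9]+", prefix):
        raise ValueError("prefix must be lowercase letters and digits")
    if len(public) != 8 or not _PART.fullmatch(public):
        raise ValueError("public portion must be 8 characters")
    if len(secret) != 64 or not _PART.fullmatch(secret):
        raise ValueError("secret portion must be 64 characters")
    return ActiveGateToken(prefix, public, secret)


def is_valid(token: str) -> bool:
    try:
        parse_token(token)
        return True
    except ValueError:
        return False


def redact(text: str) -> str:
    """Replace every full token in text with its identifier so the secret never reaches a log."""
    return _TOKEN_IN_TEXT.sub(lambda m: f"{m.group(1)}.{m.group(2)}.<redacted>", text)


# Constructed log line (not from the page) of the kind a careless logger would emit.
LOG_LINE = f"2024-05-25T10:00:00Z INFO ag-01 connecting with authToken={EXAMPLE_TOKEN} to cluster"

if __name__ == "__main__":
    t = parse_token(EXAMPLE_TOKEN)
    print("identifier:", t.identifier)
    print(redact(LOG_LINE))
```

Run the redactor over anything that might carry a pasted authorization.properties line (support bundles, shell history, CI output) before it is stored; the identifier that survives is enough to correlate with the token list in the web UI.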
All your ActiveGates have already been gradually migrated to use ActiveGate tokens during the ActiveGate updates starting with ActiveGate version 1.225.
To check which of your ActiveGates have ActiveGate tokens enabled
If all of your ActiveGates are ready for token-based network security for 30 days, your environment will automatically switch to ActiveGate token-based network security.
If you want to speed up the process and you are sure that there are only ActiveGates version 1.225+ in your environment, you can force the switch to ActiveGate tokens whenever you're ready.
The transitional period of 30 days is designed to prevent data loss from ActiveGates where new tokens are not implemented in your environment.
During that period, if any attempt to connect without an ActiveGate token is detected:
If your ActiveGates don't use valid ActiveGate tokens, you can check to learn why the tokens are invalid.
In Dynatrace, go to Deployment Status and select ActiveGates.
Select Check ActiveGate token statuses.
This option is only available if there are problems with the ActiveGate tokens.
Depending on the status, you may be required to perform some actions to transition to ActiveGate token-based network security.
The ActiveGate version supports ActiveGate tokens, but it's still using the tenant token for communication. Generate and configure a new ActiveGate token.
The ActiveGate token is set to expire in 30 or fewer days. If your environment has ActiveGate tokens enforced, your ActiveGate will lose its connection after the token expires.
The ActiveGate is configured to use an ActiveGate token, but the format is invalid. Generate and configure a new ActiveGate token.
The ActiveGate is configured to use an ActiveGate token and the token format is valid, but the token isn't recognized by the Dynatrace Cluster. Generate and configure a new ActiveGate token.
The ActiveGate is using a valid ActiveGate token to authenticate.
The ActiveGate is version 1.223 or earlier; ActiveGate token-based network security is supported for ActiveGate version 1.225+.
If your ActiveGate is deployed as a StatefulSet, you need to generate an ActiveGate token and add it to your configuration.
If your ActiveGate is deployed by using Dynatrace Operator, Dynatrace Operator handles the authorization token. Starting with Dynatrace Operator version 0.9.0+, you must enable the Create ActiveGate tokens (activeGateTokenManagement.create) scope. For details, see Access tokens and permissions.
For issues with your ActiveGate token, see Problem with ActiveGate token in Dynatrace Community.
All host-based ActiveGates installed via the Dynatrace web UI or Dynatrace API already have an automatically generated ActiveGate token. However, you may sometimes need to generate an ActiveGate token and configure it in the authorization.properties file.
Generate an API token. Select one of the following token scopes to limit access for security reasons: Create ActiveGate tokens (activeGateTokenManagement.create) or Write ActiveGate tokens.
Save the token. It's displayed only once.
Use the ActiveGate tokens API - POST a token endpoint to create the token. Authorize your call with the API token you just created. For example, the following command generates an ActiveGate token with these parameters:
activeGateType: ENVIRONMENT
expirationDate: 6 months from now (now+6M)
seedToken: false (a regular token, not a seed token)
Starting with Dynatrace version 1.293+, you must ensure that the expirationDate field is not set in the past and does not exceed two years from the moment of creation.
Command:
curl -X POST "https://{your-environment-id}.live.dynatrace.com/api/v2/activeGateTokens" \
  -H 'Authorization: Api-Token {api-token}' \
  -H 'Accept: application/json; charset=utf-8' \
  -H 'Content-Type: application/json; charset=utf-8' \
  -d '{"name": "myToken", "expirationDate": "now+6M", "seedToken": false, "activeGateType": "ENVIRONMENT"}'
Replace:
{your-environment-id} with your Environment ID
{api-token} with an API token set to one of the following scopes: Create ActiveGate tokens or Write ActiveGate tokens.
Response body example:
{
  "id": "dt0g02.4KWZO5EF",
  "token": "dt0g02.4KWZO5EF.XT47R5DRADJIZUFOX4UDNOKTSUSABGLN7XSMJG7UXHRXKNY4WLORH4OF4T75MG7E",
  "expirationDate": "2020-11-24T08:15:30.144Z"
}
Configure the token in the authorization.properties file by setting the authToken property. For example:
authToken = dt0g02.4KWZO5EF.XT47R5DRADJIZUFOX4UDNOKTSUSABGLN7XSMJG7UXHRXKNY4WLORH4OF4T75MG7E # present, if required
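The whole procedure above (create the token through the API, then place it in authorization.properties) as one added example script; this is not code from the page or from Dynatrace. It sends the same request as the curl call, but with an absolute expirationDate that is checked against the two-year rule before the call is made, logs only the token identifier, and writes the properties file with owner-only permissions. The environment ID and API token shown are placeholders, the transport can be swapped for a fake so the script runs offline (it then replays the response body from the page), and "two years" is taken as 730 days.

```python
import json
import os
import re
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Cluster-side rule from Dynatrace 1.293+: expirationDate must be in the future and at most
# two years from creation. "Two years" is taken as 730 days here (an assumption).
MAX_LIFETIME = timedelta(days=730)

# Response body example from the page, reused as the canned reply for offline runs.
SAMPLE_RESPONSE = {
    "id": "dt0g02.4KWZO5EF",
    "token": "dt0g02.4KWZO5EF.XT47R5DRADJIZUFOX4UDNOKTSUSABGLN7XSMJG7UXHRXKNY4WLORH4OF4T75MG7E",
    "expirationDate": "2020-11-24T08:15:30.144Z",
}


def build_request(env_id: str, api_token: str, name: str, lifetime: timedelta,
                  now: Optional[datetime] = None):
    """Return (url, headers, body) for POST /api/v2/activeGateTokens, as in the curl call above,
    with an absolute expirationDate validated against the two-year rule before sending."""
    now = now or datetime.now(timezone.utc)
    if lifetime <= timedelta(0) or lifetime > MAX_LIFETIME:
        raise ValueError("lifetime must be positive and at most two years")
    exp = now + lifetime
    body = {
        "name": name,
        "expirationDate": exp.strftime("%Y-%m-%dT%H:%M:%S.") + f"{exp.microsecond // 1000:03d}Z",
        "seedToken": False,               # regular token, not a seed token
        "activeGateType": "ENVIRONMENT",
    }
    url = f"https://{env_id}.live.dynatrace.com/api/v2/activeGateTokens"
    headers = {
        "Authorization": f"Api-Token {api_token}",
        "Accept": "application/json; charset=utf-8",
        "Content-Type": "application/json; charset=utf-8",
    }
    return url, headers, json.dumps(body).encode("utf-8")


def http_post(url: str, headers: dict, body: bytes) -> dict:
    """Real transport, used only when no fake is injected."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def create_token(env_id: str, api_token: str, name: str, lifetime: timedelta,
                 send: Callable[[str, dict, bytes], dict] = http_post,
                 now: Optional[datetime] = None) -> dict:
    resp = send(*build_request(env_id, api_token, name, lifetime, now))
    # Log only the identifier (prefix.public); the secret never goes to stdout or log files.
    print(f"created ActiveGate token {resp['id']} (expires {resp['expirationDate']})")
    return resp


def write_auth_token(path: str, token: str) -> list[str]:
    """Set authToken in authorization.properties, keeping every other line, and make the file
    owner-readable only (0600) because it now holds a password-equivalent secret."""
    lines: list[str] = []
    if os.path.exists(path):
        with open(path, encoding="utf-8") as f:
            lines = f.read().splitlines()
    lines = [line for line in lines if not re.match(r"\s*authToken\s*=", line)]
    lines.append(f"authToken = {token}")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    os.chmod(path, 0o600)   # the O_CREAT mode is umask-masked and ignored if the file already existed
    return lines


if __name__ == "__main__":
    # Offline demo with placeholder IDs; drop send=... to call the real endpoint.
    resp = create_token("abc12345", "dt0c01.PLACEHOLDER", "myToken", timedelta(days=180),
                        send=lambda url, headers, body: SAMPLE_RESPONSE)
    write_auth_token("authorization.properties", resp["token"])
```

The file is rewritten in place rather than appended to, so a stale authToken line (for example the tenant-token era value) cannot linger below the new one; restart the ActiveGate afterwards so it picks up the new token.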
Besides setting up your internal mechanism for rotating ActiveGate tokens before their expiration date, you can set up notifications about expiring ActiveGate tokens. To do so, create a problem notification integration (for example, Email) using the built-in Default for ActiveGate Token Expiry alerting profile.
For Dynatrace Managed, emergency contacts also receive token expiry notifications.
To stop notifications
Dynatrace version 1.272+
Dynatrace performs an automatic cleanup of unused ActiveGate tokens. The token is considered unused after two years from the last usage. You can check your tokens via the GET all tokens request of the Tokens API—look for the lastUsedDate field.
{
  "activeGateTokens": [
    {
      "id": "dt0g02.abc123",
      "name": "system:installer",
      "owner": "max.mustermann@company.com",
      "creationDate": "2021-11-22T11:39:29.797Z",
      "seedToken": true,
      "activeGateType": "ENVIRONMENT"
    },
    {
      "id": "dt0g02.321cba",
      "name": "system:installer",
      "owner": "john.smith@company.com",
      "creationDate": "2021-11-30T14:11:40.913Z",
      "seedToken": true,
      "activeGateType": "ENVIRONMENT"
    },
    {
      "id": "dt0g02.123abc",
      "name": "system:initial-setup",
      "owner": "mary.brown@company.com",
      "creationDate": "2021-10-22T13:48:00.135Z",
      "expirationDate": "2021-12-02T11:52:17.201Z",
      "lastUsedDate": "2020-11-24T08:15:30.144Z",
      "seedToken": false,
      "activeGateType": "ENVIRONMENT"
    }
  ],
  "nextPageKey": "AAAAAAAAAAAAAABOAAAAAAAAAAAAAAA6ACQAEAAAABgACgAITFdXQk1BRzYAAAhtZXRhZGF0YQB___-bf___m3iIYxfF7xVQvY72rwblQkcAAwAAAAAAAADHAAAAZA==",
  "pageSize": 100,
  "totalCount": 1000
}
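An added audit script (not code from the page or from Dynatrace) that walks the paged GET all tokens response and applies the two rules stated in this document: a token unused for two years after its last use is a cleanup candidate, and a token expiring in 30 or fewer days needs rotation before the ActiveGate loses its connection. Page 1 of the sample input is the response body shown above; page 2 is a constructed continuation so the nextPageKey loop is exercised. Tokens with no lastUsedDate at all (the two seed tokens in the sample) are listed separately, because the page does not say how the cleanup treats them. The real transport assumes the nextPageKey query parameter used by other Dynatrace v2 list endpoints, and "two years" is taken as 730 days.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable, Iterator, Optional

UNUSED_AFTER = timedelta(days=730)    # cleanup rule: unused two years after last use (730 days assumed)
EXPIRY_WARNING = timedelta(days=30)   # warning threshold: token expires in 30 or fewer days

PAGE_KEY = ("AAAAAAAAAAAAAABOAAAAAAAAAAAAAAA6ACQAEAAAABgACgAITFdXQk1BRzYAAAhtZXRhZGF0YQB___-bf___"
            "m3iIYxfF7xVQvY72rwblQkcAAwAAAAAAAADHAAAAZA==")

# Page 1 is the response body from the page; page 2 is constructed for this example.
SAMPLE_PAGES = {
    None: {
        "activeGateTokens": [
            {"id": "dt0g02.abc123", "name": "system:installer", "owner": "max.mustermann@company.com",
             "creationDate": "2021-11-22T11:39:29.797Z", "seedToken": True, "activeGateType": "ENVIRONMENT"},
            {"id": "dt0g02.321cba", "name": "system:installer", "owner": "john.smith@company.com",
             "creationDate": "2021-11-30T14:11:40.913Z", "seedToken": True, "activeGateType": "ENVIRONMENT"},
            {"id": "dt0g02.123abc", "name": "system:initial-setup", "owner": "mary.brown@company.com",
             "creationDate": "2021-10-22T13:48:00.135Z", "expirationDate": "2021-12-02T11:52:17.201Z",
             "lastUsedDate": "2020-11-24T08:15:30.144Z", "seedToken": False, "activeGateType": "ENVIRONMENT"},
        ],
        "nextPageKey": PAGE_KEY, "pageSize": 100, "totalCount": 1000,
    },
    PAGE_KEY: {
        "activeGateTokens": [
            {"id": "dt0g02.ZZZ99999", "name": "ag-rotated-2024", "owner": "ops@company.com",
             "creationDate": "2024-01-10T09:00:00.000Z", "expirationDate": "2024-06-05T00:00:00.000Z",
             "lastUsedDate": "2024-05-20T07:30:00.000Z", "seedToken": False, "activeGateType": "ENVIRONMENT"},
        ],
        "pageSize": 100, "totalCount": 1000,
    },
}


def parse_ts(value: str) -> datetime:
    """Timestamps in the API use the form 2020-11-24T08:15:30.144Z (UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def iter_tokens(fetch_page: Callable[[Optional[str]], dict]) -> Iterator[dict]:
    """Yield every token across all pages; the first call passes no key, later calls pass nextPageKey."""
    key = None
    while True:
        page = fetch_page(key)
        yield from page.get("activeGateTokens", [])
        key = page.get("nextPageKey")
        if not key:
            return


def http_fetch_page(env_id: str, api_token: str) -> Callable[[Optional[str]], dict]:
    """Real transport for GET /api/v2/activeGateTokens (nextPageKey query parameter assumed)."""
    def fetch(key: Optional[str]) -> dict:
        url = f"https://{env_id}.live.dynatrace.com/api/v2/activeGateTokens"
        if key:
            url += "?nextPageKey=" + urllib.parse.quote(key, safe="")
        req = urllib.request.Request(url, headers={"Authorization": f"Api-Token {api_token}",
                                                   "Accept": "application/json; charset=utf-8"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def audit(tokens: Iterable[dict], now: Optional[datetime] = None) -> dict:
    """Classify tokens by the cleanup and expiry rules; only identifiers are reported, never secrets."""
    now = now or datetime.now(timezone.utc)
    report = {"unused_cleanup_candidates": [], "expiring_soon": [], "expired": [], "never_used": []}
    for token in tokens:
        tid = token["id"]
        last_used = token.get("lastUsedDate")
        if last_used is None:
            report["never_used"].append(tid)
        elif now - parse_ts(last_used) > UNUSED_AFTER:
            report["unused_cleanup_candidates"].append(tid)
        expiration = token.get("expirationDate")
        if expiration:
            exp = parse_ts(expiration)
            if exp <= now:
                report["expired"].append(tid)
            elif exp - now <= EXPIRY_WARNING:
                report["expiring_soon"].append(tid)
    return report


if __name__ == "__main__":
    # Offline run over the sample pages; use iter_tokens(http_fetch_page(env_id, api_token)) for a live check.
    print(json.dumps(audit(iter_tokens(lambda key: SAMPLE_PAGES[key])), indent=2))
```

Running this on a schedule (for example daily, with a fixed clock passed as now in tests) gives you the expiry warning independently of the alerting profile, and the cleanup-candidate list is what you would review before the automatic cleanup removes a token you still expected to use.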