Cipher configuration for ActiveGate

  • Latest Dynatrace

Dynatrace components communicate through SSL. SSL communication uses ciphers to encrypt HTTP requests. However, not all available ciphers are still considered secure enough today. Therefore, several ciphers are excluded by Dynatrace by default (for example, all MD5, all RC4, all DES, all DSS). To check which ciphers are supported and to ensure the correct cipher naming, always use Nmap for the cipher scan on the ActiveGate process: other tools might use a different naming syntax, while Nmap uses the same syntax as Dynatrace.

To properly configure ciphers on your ActiveGate, follow the instructions below.

  1. Scan the supported ciphers on the ActiveGate using Nmap. The result of the scan will be a list like the following:

    List of supported ciphers
    PORT     STATE SERVICE
    9999/tcp open  abyss
    | ssl-enum-ciphers:
    |   TLSv1.2:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
    |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
    |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
    |     compressors:
    |       NULL
    |     cipher preference: server
    |_  least strength: A
  2. Configure ciphers using the agctl property command or by manually editing the configuration files.

    Typically, you define either the included or the excluded ciphers, but not both. If a cipher appears in both the included and the excluded list, it is regarded as excluded; in other words, exclude takes precedence over include.

    Only pattern-based (substring) exclusions are supported, so excluding TLS_DHE_RSA_WITH_AES_256_CBC_SHA will also exclude TLS_DHE_RSA_WITH_AES_256_CBC_SHA384.

    ActiveGate version 1.333+

    You can use agctl to configure cipher settings.

    Exclude unwanted ciphers

    Exclude specific ciphers:

    # Exclude specific ECDHE ciphers
    agctl property set --section=com.compuware.apm.webserver --key=excluded-ciphers --value=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    Exclude using pattern (recommended):

    An explicit list can become long and hard to maintain if the underlying OpenSSL changes. A more robust way is to use a sub-pattern:

    # Exclude all ciphers containing TLS_ECDHE_
    agctl property set --section=com.compuware.apm.webserver --key=excluded-ciphers --value=TLS_ECDHE_

    In this example, all cipher names that contain the string TLS_ECDHE_ will be excluded. This pattern will exclude additional ciphers if the underlying list changes, for example, due to OpenSSL updates.

    Exclude using suffix pattern:

    To exclude by suffix, end the pattern string with $. For example, to exclude ciphers ending in SHA without excluding those ending in SHA256, specify SHA$ as the pattern:

    # Exclude multiple patterns: every cipher containing TLS_RSA_WITH and every cipher ending in _SHA
    agctl property set --section=com.compuware.apm.webserver --key=excluded-ciphers --value=TLS_RSA_WITH,_SHA$

    Include specific ciphers

    Alternatively, you can define which ciphers you want to include:

    # Include only ciphers containing _ECDHE_
    agctl property set --section=com.compuware.apm.webserver --key=included-ciphers --value=_ECDHE_
  3. After configuring ciphers, you must restart ActiveGate for the changes to take effect.
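Before applying an include or exclude list to a production ActiveGate, it is useful to predict which ciphers will remain. The following added example (not part of the Dynatrace documentation or of agctl) parses the Nmap ssl-enum-ciphers listing from step 1 and applies the matching rules described in step 2: plain substring matching, `$` as a suffix anchor, and exclude taking precedence over include. The sample scan output is constructed from the cipher names shown above.

```python
import re

# Constructed sample in the layout printed by Nmap's ssl-enum-ciphers script;
# the cipher names are the ones from the scan listing in step 1.
NMAP_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|     cipher preference: server
|_  least strength: A
"""

# A cipher line looks like "|   <NAME> (<key exchange>) - <grade>"; the
# "TLSv1.2:" header has no underscore after TLS, so it does not match.
CIPHER_LINE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(")

def parse_nmap_ciphers(text):
    """Return the cipher names, in scan order, from ssl-enum-ciphers output."""
    names = []
    for line in text.splitlines():
        m = CIPHER_LINE.match(line)
        if m:
            names.append(m.group(1))
    return names

def matches(pattern, cipher):
    """One pattern as documented: a substring, or a suffix when it ends in '$'."""
    if pattern.endswith("$"):
        return cipher.endswith(pattern[:-1])
    return pattern in cipher

def effective_ciphers(ciphers, included="", excluded=""):
    """Apply comma-separated include/exclude lists; empty include keeps all, exclude wins."""
    inc = [p for p in included.split(",") if p]
    exc = [p for p in excluded.split(",") if p]
    return [
        c for c in ciphers
        if (not inc or any(matches(p, c) for p in inc))
        and not any(matches(p, c) for p in exc)
    ]
```

Running `effective_ciphers(parse_nmap_ciphers(NMAP_OUTPUT), excluded="_SHA$")` leaves all eight ciphers in place, which shows that the `$` anchor does not catch the SHA256 and SHA384 suites.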