Communication to a Cluster ActiveGate is only possible over encrypted SSL connections. For external communication, a Cluster ActiveGate requires a publicly available IP address and a domain name with a valid SSL certificate. This domain must be different from the Web UI domain.
Initially, after installation, Cluster ActiveGate will use a self-signed certificate generated by Dynatrace. You can then define a public IP address for the ActiveGate, and you can allow Dynatrace to manage the domain and to generate a valid CA-signed SSL certificate on your behalf. Alternatively, you can provide your own domain name and certificate for the ActiveGate.
dynatrace-managed.com) and a trusted SSL certificate.
Do not attempt to configure SSL certificates directly on your Cluster ActiveGate by uploading them to the device itself. If you do this, the certificate will be overwritten by the automatic management performed by Dynatrace.
Upload your certificate using the Cluster Management Console or the Cluster REST API v1.
If you want to allow Dynatrace to manage the domain and certificate, use the Cluster Management Console to configure the following settings:
You need your SSL certificate and the key files you received from the Certificate Authority (CA):
Server certificate (.cer or .cert)
Root and Intermediate certificates (.cer or .cert)
Private key for certificates (.pem)
We don't support encrypted private keys. To decrypt an SSL private key, run the following command:
openssl rsa -in encrypted.ssl.key -out decrypted.ssl.key
where encrypted.ssl.key is the filename of your encrypted SSL private key and decrypted.ssl.key is the output file for your decrypted SSL private key.
The command will prompt you for the password and save the decrypted key in the decrypted.ssl.key file.
To provide your own domain name and certificate, from the Cluster Management Console, select the cluster node and go to Settings > Public endpoints. Then disable the Enable management of domain name and SSL certificates option.
Then provide your own domain name in the Cluster ActiveGate URL field.
If you want to use your own certificate or a CA-issued certificate, upload or paste the certificate to Cluster ActiveGate, either through the Cluster Management Console or the Cluster REST API v1. The following steps show the procedure using the Cluster Management Console:
Sign in to Dynatrace Managed as an administrator.
On the Deployment status page, expand the ActiveGate you want to customize and select Configure.
On the page for the selected ActiveGate, select Edit SSL certificate.
You can either paste or upload the certificates.
The key and certificates need to be in PEM format with the full BEGIN headers and END footers.
Key header and footer format:
-----BEGIN PRIVATE KEY-----
(Private Key)
-----END PRIVATE KEY-----
Certificate header and footer format:
-----BEGIN CERTIFICATE-----
(SSL Certificate)
-----END CERTIFICATE-----
Select Save to upload the certificates.
Your certificate is associated with a specific host name. To avoid a name-mismatch error, make sure that the common name (domain name) in the SSL certificate matches the address you specified in the Cluster ActiveGate URL field for the cluster node.
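The PEM requirements above (complete BEGIN headers and END footers, no encrypted private key) can be checked before you paste or upload the files. The following script is an added example, not Dynatrace code. Its function names and messages are hypothetical, and it assumes that any unencrypted "... PRIVATE KEY" label is acceptable, although this page only shows BEGIN PRIVATE KEY.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Return (complete BEGIN/END blocks, number of BEGIN headers seen)."""
    found = [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]
    return found, text.count("-----BEGIN ")

def is_der(body):
    """True if the body is valid base64 that decodes to an ASN.1 SEQUENCE."""
    try:
        raw = base64.b64decode("".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw[:1] == b"\x30"

def lint_key(text):
    """Problems that would make a private key file unusable for upload."""
    blocks, begins = pem_blocks(text)
    if len(blocks) != 1 or begins != 1:
        return ["need exactly one key block with BEGIN header and END footer"]
    label, body = blocks[0]
    # PKCS#8 encrypted keys use their own label; legacy ones a Proc-Type line.
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
        return ["private key is encrypted"]
    if not label.endswith("PRIVATE KEY"):
        return ["block is '%s', not a private key" % label]
    return [] if is_der(body) else ["key body is not valid base64 DER"]

def lint_certs(text):
    """Problems in pasted certificate text (server, intermediate, root)."""
    blocks, begins = pem_blocks(text)
    problems = []
    if begins != len(blocks):
        problems.append("a block is missing its END footer or is cut off")
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if not certs:
        problems.append("no CERTIFICATE block found")
    problems += ["certificate %d is not valid base64 DER" % (i + 1)
                 for i, body in enumerate(certs) if not is_der(body)]
    return problems

# Constructed sample input (not real key material): base64 of a tiny SEQUENCE.
BODY = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n" % BODY
SAMPLE_CHAIN = ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % BODY) * 2
```

An empty list from lint_key and lint_certs means the text is structurally ready to paste. The script does not check that the certificate matches the key or the host name.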