There are various settings that you can define to make your AMD deployment more secure.

Set the user name and password to configure authorized HTTP and HTTPS access to the AMD from an external device, such as the report server or RUM Console server.

Managing legacy users

Early 12.4.x AMD releases (12.4.0 through 12.4.10) and legacy AMD releases (12.3.x) utilized setup and kpadmin user accounts for DC RUM related tasks. Since the 12.4.11 release, these users are no longer used, and fresh AMD installations do not create these accounts.

Legacy user accounts

The upgrade process does not remove existing users, however, so the upgraded AMD systems (from versions 12.4.10 and earlier) may still contain setup and kpadmin accounts.

If you have not configured these user accounts for other purposes (unrelated to DC RUM), you can remove these accounts using the userdel command.

[root@amdprobe /]# userdel -r kpadmin

Creating new rtmgate users

The rtmgate is an interface through which the AMD communicates with other Dynatrace components, for example RUM Console, CAS or AppMon server. When adding an AMD to RUM Console, you need to provide the rtmgate user credentials. The default user/password pair is adlex/vantage, or compuware/vantage. We highly recommend changing it to harden your AMD security.

To set the name and password, create the /var/lib/tomcats/rtmgate/conf/tomcat-users.xml file (if available, you can use the symbolic link: /usr/adlex/config/tomcat/tomcat-users.xml) in the following format:

Earlier releases

For releases 12.4.10 and earlier, use the /usr/adlex/webapps/ROOT/WEB-INF/users.xml file and location.

Make sure you maintain XML syntax.

tomcat-users.xml
<?xml version='1.0' encoding='iso-8859-1'?>
<tomcat-users>
   <role rolename="gate"/>
   <user name="user1" password="9ec62c20118ff506dac139ec30a521d12b9883e55da92b7d9adeefe09ed4e0bd152e2a099339871424263784f" roles="gate"/>
   <user name="user2" password="291116775902b38dd09587ad6235cec503fc14dbf9c09cad761f2e5a5755102eaceb54b95ffd179c22652c391" roles="gate"/>
</tomcat-users>

The user tags contain the name and password attributes, which define the user name and the SHA-512 hash of the password. Since the only defined role is gate, always set the roles attribute to gate.

After the changes are made, use the following commands to restart the AMD:

[root@amdprobe /]# service rtmgate stop
...
[root@amdprobe /]# service rtmgate start

Creating additional users or modifying the existing rtmgate users

  1. Generate a password for the new rtmgate user.

    [root@amdprobe /]# echo -n PasswordYouWantToUse | openssl dgst -sha512
    
  2. Modify the /var/lib/tomcats/rtmgate/conf/tomcat-users.xml file.

    Earlier releases

    For releases 12.4.10 and earlier, use the /usr/adlex/webapps/ROOT/WEB-INF/users.xml file and location.


    The user name and password in the tomcat-users.xml file for rtmgate can be anything, but the password is stored as a SHA-512 hash.

  3. Add a new user entry, or modify the existing one with the user name and password.
    For the password attribute, enter the hash generated on the command line with the openssl command.

    example entry
    <role rolename="gate" />
    <user password="c86680b1fa907c90dfa86a07e7d03906861608p0jfs976165ad81f9ac6896b9d55adb255cb39596b55" roles="gate" username="somenewuser" />
  4. Save the file.
  5. Restart the AMD service.

    [root@amdprobe /]# service rtmgate stop
    ...
    [root@amdprobe /]# service rtmgate start
  6. In the DC RUM Console, modify the AMD connection settings and test the connection.

    When prompted, allow the DC RUM Console to update the references.
  7. Publish the updated references to all CAS and ADS instances that utilize that AMD.
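The file format shown above and the procedure just described boil down to one unsalted SHA-512 hex digest per user and one `gate` role. The following is an added example (not part of the Dynatrace documentation or product) that computes the same digest as `echo -n PASSWORD | openssl dgst -sha512`, strips the `(stdin)= ` prefix that openssl prints so only the hex digest lands in the file, adds or updates a user entry while keeping the XML well-formed, and verifies a password against the stored hash afterwards; the sample XML inside it is constructed, and `_account_name` is a helper of this example.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample in the format this page describes (not a real AMD file).
SAMPLE_XML = """<?xml version='1.0' encoding='iso-8859-1'?>
<tomcat-users>
   <role rolename="gate"/>
   <user name="user1" password="0000" roles="gate"/>
</tomcat-users>
"""
XML_DECL = "<?xml version='1.0' encoding='iso-8859-1'?>\n"

def sha512_hex(password: str) -> str:
    """Same value as `echo -n PASSWORD | openssl dgst -sha512`: unsalted hex SHA-512."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()

def parse_openssl_digest_line(line: str) -> str:
    """Drop the '(stdin)= ' prefix openssl prints; only the 128 hex chars go in the file."""
    digest = line.strip().rsplit("=", 1)[-1].strip().lower()
    if not re.fullmatch(r"[0-9a-f]{128}", digest):
        raise ValueError("not a full SHA-512 hex digest")
    return digest

def _account_name(user: ET.Element) -> str:
    # Tomcat accepts either 'name' or 'username' for the account name.
    return user.get("name") or user.get("username") or ""

def set_gate_user(xml_text: str, username: str, digest: str) -> str:
    """Add or update a rtmgate user, keeping the XML well-formed and the role 'gate'."""
    root = ET.fromstring(xml_text.encode("iso-8859-1"))
    if not any(r.get("rolename") == "gate" for r in root.findall("role")):
        ET.SubElement(root, "role", rolename="gate")
    for user in root.findall("user"):
        if _account_name(user) == username:
            user.set("password", digest)
            user.set("roles", "gate")
            break
    else:
        ET.SubElement(root, "user", name=username, password=digest, roles="gate")
    ET.indent(root, space="   ")  # Python 3.9+
    return XML_DECL + ET.tostring(root, encoding="unicode") + "\n"

def verify_password(xml_text: str, username: str, password: str) -> bool:
    """Confirm a candidate password matches the stored hash after editing the file."""
    root = ET.fromstring(xml_text.encode("iso-8859-1"))
    for user in root.findall("user"):
        if _account_name(user) == username and "gate" in (user.get("roles") or ""):
            return user.get("password") == sha512_hex(password)
    return False
```

Running `verify_password` against the edited file before restarting rtmgate catches a pasted `(stdin)= ` prefix or a truncated digest, which would otherwise only show up as a failed connection test in the RUM Console.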

Replacing the pre-installed and self-signed SSL certificates

To replace the self-signed SSL certificates on the AMD with a certificate signed by a certificate authority:

  1. Copy your certificate file to the /var/lib/tomcats/rtmgate/conf/ location, replacing the default certificate file.
    Rename your new certificate file to gate_ssl.pem or to gate.crt as necessary.

    Earlier releases

    For releases 12.4.10 and earlier, use the /usr/adlex/config/ location.

    Private key

    If you are NOT using any of the anonymous key agreement protocols (DHE, ECDH, ECDHE), your new certificate file must also contain your private key.

  2. Restart the AMD service.

    [root@amdprobe /]# service rtmgate stop
    ...
    [root@amdprobe /]# service rtmgate start

Additional actions you can perform to improve the security of your AMD installation

    • Filter unwanted traffic.
      By filtering the unwanted traffic on the network adapter level, you can minimize the risk of unsafe packets entering the network adapter's buffers.
    • Remove unnecessary compilers from the Red Hat Enterprise Linux installation.
      Recompilation of the drivers used by the monitoring NICs may be required if the AMD kernel version differs from the kernel version the drivers were compiled against (which may occur if the kernel was patched manually or by the automated RHEL system update process). If kernel updates are not planned, or will be performed manually, the compiler libraries can be removed.
    • Disable the AMD maintenance port (SSH) and force AMD or Red Hat Enterprise Linux maintenance to be performed directly at the AMD.
    • Configure automatic Linux updates – have Red Hat Enterprise Linux get any recent security patches.
    • Customize Linux.
      As long as your Linux deployment contains the packages required by the AMD, you can use your own customized and secured distribution of Red Hat Enterprise Linux. The RHEL configuration can be changed according to your security needs, including allowing AMD access from specific IP addresses only. The AMD does not open connections to the external world, and its OS can be configured to accept connections only from specific hosts such as the CAS and the DC RUM Console.
    • Install additional firewalls and other security packages on the AMD.
    • Disable or limit unnecessary features.
      While the port numbers can be used for other communication, some of the features and communications are optional and can be disabled or limited. For example, if you do not plan to remotely administer your AMD, you can disable port 22 and manage the AMD configuration via the RUM Console. You can also disable SNMP trap notifications on port 162.
    • Remove unnecessary services - file and printer sharing, applications, and network protocols.
    • Maintain the latest operating system version and apply all officially released security patches.
    • Remove any certificate installation files (*.p12 and *.pfx) found on a system. This does not apply to server-based applications that have a requirement for .p12 certificate files (e.g., Oracle Wallet Manager).
