Tetra Data Hub Proxy Settings

🚧

IMPORTANT

A non-exploitable security vulnerability affects Tetra Data Hubs if they use a proxy configured with basic authentication settings and were deployed before TDP v4.0.0. A security patch is available, but must be implemented manually. Customers with affected Data Hubs should contact their customer success manager (CSM) for instructions.

Tetra Data Hubs use customizable parent proxy settings. These proxy settings allow Tetra Integrations to securely reach AWS services that they otherwise don't have direct access to (for example, Amazon S3) through a proxy server that you provide.

Configure a Tetra Data Hub's Proxy Settings

The following procedure shows how to configure a Tetra Data Hub's proxy settings.

📘

NOTE

You can also use the following procedure to help troubleshoot Tetra Data Hub proxy connection issues.

Step 1: Configure Environment Variables

Configure the TetraScience shell environment variables by doing the following:

  1. Open the root user’s profile on the dedicated Linux machine that you’re installing the Tetra Data Hub on.
  2. In the root user’s profile, open one of the following files, based on your operating system:
    • For Ubuntu, open the /root/.bashrc file.
    • For RedHat, open the /root/.bash_profile file.
    • For CentOS, open the /root/.bash_profile file.
  3. Add the following lines of code to the file:
export http_proxy=http://hostname:port
export https_proxy=http://hostname:port
export no_proxy=169.254.169.254
  1. (Optional) Add basic authentication settings, if required. To configure basic authentication, add the username and password to the http_proxy and https_proxy lines in the example code in step 3.
  2. Make sure that the settings are applied by doing the following:
    • Restart the Tetra Data Hub host machine.
    • Then, verify that the proxy settings environment variables are configured by invoking the shell command env.
    • In the command response, look for code lines that match the ones you entered in step 3. If the same lines appear, the settings are applied.

📘

NOTE

The Data Hub installer script generates a log file. If the installation was not successful, then the installer provides a short error and path to the log file to review more detailed messages. Please review the log file and verify that the proxy settings were configured properly.

Step 2: Configure SSM Agent Proxy Settings

🚧

IMPORTANT

If you change SSM Agent proxy settings, then the SSM Agent must be restarted before the settings are applied. For instructions, see Checking SSM Agent status and starting the agent in the AWS documentation.

To configure AWS Systems Manager Agent (SSM Agent) proxy settings, see Configuring SSM Agent to use a proxy (Linux) in the AWS documentation.

The SSM Agent’s proxy settings are stored in one of the following files, depending on whether the Linux system uses snap or not:

  • On Ubuntu Server instances where the SSM Agent is installed by using a snap:

/etc/systemd/system/snap.amazon-ssm-agent.amazon-ssm-agent.service.d/override.conf

  • On other instances:

/etc/systemd/system/amazon-ssm-agent.service.d/override.conf

At either path, TetraScience inserts the following lines to configure the Hub’s proxy:

Environment="http_proxy=http://$proxyAuthInfo$httpProxy"
Environment="https_proxy=http://$proxyAuthInfo$httpsProxy"
Environment="no_proxy=169.254.169.254$noProxy"

The hard-coded no_proxy IPs are used locally by AWS services to retrieve instance metadata and credentials. The hard-coded no_proxy IPs must not be removed.

📘

NOTE

If the activation fails, then TetraScience returns to the Data Hub machine and reviews the Amazon SSM client log. The log is stored at: /var/log/amazon/ssm/amazon-ssm-agent.log. TetraScience can execute a command such as tail /var/log/amazon/ssm/amazon-ssm-agent.log and verify that no messages display, such as unable to resolve address https://*.amazonservices.com, or unable to connect to https://*.amazonservices.com. However, if these messages do display, then please check the Amazon SSM client proxy settings once more.

Step 3: Configure Amazon CloudWatch Agent Proxy Settings

🚧

IMPORTANT

If you change Amazon CloudWatch Agent proxy settings, then the agent must be restarted before the settings are applied. For instructions, see Stopping and restarting the CloudWatch agent in the AWS documentation.

To configure Amazon CloudWatch Agent proxy settings, see Installing and running the CloudWatch agent on your servers in the AWS documentation.

The CloudWatch Agent’s proxy settings are stored in the following file: /opt/aws/amazon-cloudwatch-agent/etc/common-config.toml

The file contains the following proxy settings:

[proxy]
http_proxy="$proxyAuthInfo$httpProxy"
https_proxy="$proxyAuthInfo$httpsProxy"

The hard-coded no_proxy IPs are used locally by AWS services to retrieve instance metadata and credentials. The hard-coded no_proxy IPs must not be removed.

Step 4: Apply the New Proxy Settings

To apply the new proxy settings, do the following:

  1. Reboot the Tetra Data Hub's Host server.
  2. Manually sync the Data Hub with the TDP. For instructions, see Manually Sync a Data Hub.

After the host is rebooted and the Tetra Data Hub is synced with the TDP, the Data Hub's Connectors restart automatically with the new parent proxy settings applied.