DX Application Performance Management


TIM and HTTPS - Getting Cert Errors and No data

  • 1.  TIM and HTTPS - Getting Cert Errors and No data

    Posted 05-20-2013 04:22 AM
    Hi all,

    APM 9.1.1 CEM only installation. Standalone TIM

    My new app I need to monitor in a UAT test environment is all https based. I requested a private key certificate for the web server involved and have now implemented that .pem cert I was given via the CEM console.

    Testers have performed actions and I get no data in via the TIM. I see the traffic on the monitored Eth1 interface increase as the testers key stuff in and the TIM's own stats back that up. Still no data coming in, the TIM logs are pretty much empty and a very open transaction discovery gets absolutely nothing.

    However I do see TIM SSL Server stats showing errors:- Total Connections 226, Connections with decode failures 226.
    So this seems to tell me that my private key file I've been given and installed isn't working - correct?

    Could this be a number of things? Wrong web/app server IP address used? Wrong .pem file format? Incorrect or failed to input password/passphrase for the cert?

    Or am I on the wrong track and could this still be an incorrectly setup or configured TIM/SPAN port?

    Thanks in advance for your thoughts,

    Fujitsu UK.

  • 2.  RE: TIM and HTTPS - Getting Cert Errors and No data
    Best Answer

    Posted 05-20-2013 12:06 PM
    Hi Bob,
    The fact that it is indicating 100% decode failures most likely means it's a wrong server key / unsupported cipher suite. We don't support traffic encrypted using Diffie-Hellman.
    Two things you can do are:
    1. Run modulus on the actual server certificate (by logging on to the webserver box) and compare it to the output of the modulus on the CEM PEM certificate to confirm if it matches. If they don't, then most likely you have a wrong server key converted to PEM.

    For example:-
    Run openssl on the server certificate using the command
    C:\tmp>c:\cygwin\bin\openssl x509 -noout -modulus -in <server.crt>

    Run openssl on the certificate uploaded to the UI
    C:\tmp>c:\cygwin\bin\openssl x509 -noout -modulus -in <cem PEM crt>

    If there is a mismatch as indicated above, it's the wrong KEY.

    2. Dump the cipher traffic used by the application and see if it uses a DHE cipher.

    You can use
    http://www.serversniff.net/sslcheck.php to check the default cipher

    3. Enable the SSL Errors/connections from the TIM trace options in the TIM set up page, check for any SSL errors in the TIM logs
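
    As an added example (not part of this thread or the APM product), the script below performs the modulus comparison from step 1 and the ephemeral-cipher check behind step 2, going slightly beyond the post by also treating ECDHE and TLS 1.3 suites as non-decodable; it assumes openssl is on the PATH and builds its own throwaway wildcard certificate and keys so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks the two things post 2
# recommends: (1) does the PEM private key's RSA modulus match the server
# certificate's, and (2) does the negotiated cipher suite use ephemeral
# (DHE/ECDHE) key exchange, which no passive decoder can recover with the
# server key alone. Key/cert files below are constructed throwaway test data.
set -e

# Print the RSA modulus of a certificate (x509) or private key (rsa) as one line.
modulus_of() {   # usage: modulus_of x509|rsa FILE
  openssl "$1" -noout -modulus -in "$2"
}

# Succeeds when KEY and CERT share the same modulus, i.e. the key really does
# belong to the certificate. The subject (wildcard or not) plays no part here.
key_matches_cert() {   # usage: key_matches_cert KEY CERT
  [ "$(modulus_of rsa "$1")" = "$(modulus_of x509 "$2")" ]
}

# Succeeds for suites with ephemeral key exchange (forward secrecy). Passive
# decryption with the server's private key only works for static RSA suites.
# TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) are always ephemeral.
cipher_is_ephemeral() {   # usage: cipher_is_ephemeral OPENSSL_SUITE_NAME
  case "$1" in
    DHE-*|ECDHE-*|EDH-*|TLS_AES_*|TLS_CHACHA20_*) return 0 ;;
    *) return 1 ;;
  esac
}

# Demo on constructed data: a wildcard self-signed cert with its real key,
# plus an unrelated key standing in for a "wrong key converted to PEM".
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=*.domain.local" \
    -keyout "$d/right.key" -out "$d/server.crt" >/dev/null 2>&1
  openssl genrsa -out "$d/wrong.key" 2048 >/dev/null 2>&1
  for k in right.key wrong.key; do
    if key_matches_cert "$d/$k" "$d/server.crt"; then echo "$k: modulus matches server.crt"
    else echo "$k: modulus mismatch, wrong key"; fi
  done
  for c in AES256-SHA DHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256; do
    if cipher_is_ephemeral "$c"; then echo "$c: ephemeral key exchange, cannot be decoded passively"
    else echo "$c: static RSA key exchange, decodable with the matching key"; fi
  done
  rm -rf "$d"
}
demo
```

    On a real deployment, point key_matches_cert at the PEM uploaded to CEM and the certificate served by the load balancer; a match with decode failures still present points at the cipher suite rather than the key.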


  • 3.  RE: TIM and HTTPS - Getting Cert Errors and No data

    Posted 05-20-2013 12:42 PM
    Thanks very much Vijay.

    My contact is working on generating a new .pem key file from a load balancer as soon as he can. This is where the HTTPS/SSL for my application terminates. The key type is SHA1.
    I wish I had more involvement but the network/infrastructure parts of my project are run by another team who we have to rely on.

    We can consider the modulus check if the new key file doesn't do the trick.
    My log file is set to pick up SSL errors, but I haven't seen any.



  • 4.  RE: TIM and HTTPS - Getting Cert Errors and No data

    Posted 05-20-2013 01:59 PM
    Hi Bob
    Sure please keep us posted


  • 5.  RE: TIM and HTTPS - Getting Cert Errors and No data

    Posted 05-22-2013 04:08 AM
    OK - the new certificate was generated and passed to me.
    It was checked with modulus and matched.

    It was loaded and still I get the same connection decode errors.

    Now - when I've asked more about the private key file and its association to my specific SSL termination point on the load balancer, I have been told:-
    "The certificate we are using in our test environment uses a wildcard, so the IP address it is against should not matter."

    So - new question - How will the TIM react to a private key that has been generated with a wildcard (*) ?

    Is that valid within the APM configuration (it is OK on the load balancer, we are told)?
    If so, would I enter the IP address of my load balancer in the CEM Server HTTPS screen or should I use the wildcard there too?


    Fujitsu UK

  • 6.  RE: TIM and HTTPS - Getting Cert Errors and No data

    Posted 05-22-2013 04:32 AM
    I should have clarified the wildcard on the cert isn't just *.
    It is *.domain.local

    So my actual web servers such as portal.domain.local and ebusiness.domain.local and sso.domain.local are all meant to be covered by the single private key.
    My network contact says that this is the way that it has been designed and implemented on our load balancers, so will have to stay that way.


    Fujitsu UK