DX Application Performance Management


TIM and HTTPS - Getting Cert Errors and No data

  • 1.  TIM and HTTPS - Getting Cert Errors and No data

    Posted 05-20-2013 04:22 AM
    Hi all,

    APM 9.1.1 CEM only installation. Standalone TIM

    My new app I need to monitor in a UAT test environment is all https based. I requested a private key certificate for the web server involved and have now implemented that .pem cert I was given via the CEM console.

    Testers have performed actions and I get no data in via the TIM. I see the traffic on the monitored Eth1 interface increase as the testers key stuff in, and the TIM's own stats back that up. Still no data coming in; the TIM logs are pretty much empty, and a very open transaction discovery gets absolutely nothing.

    However I do see TIM SSL Server stats showing errors:- Total Connections 226, Connections with decode failures 226.
    So this seems to tell me that my private key file I've been given and installed isn't working - correct?

    Could this be a number of things? Wrong web/app server IP address used? Wrong .pem file format? Incorrect or failed to input password/passphrase for the cert?

    Or am I on the wrong track and could this still be an incorrectly setup or configured TIM/SPAN port?

    Thanks in advance for your thoughts,

    Bob.
    Fujitsu UK.


  • 2.  RE: TIM and HTTPS - Getting Cert Errors and No data
    Best Answer

    Posted 05-20-2013 12:06 PM
    Hi Bob,
    The fact that it is indicating 100% decode failures most likely means it's a wrong server key or an unsupported cipher suite. We don't support traffic encrypted using Diffie-Hellman.
    Two things you can do are:
    1. Run modulus on the actual server certificate (by logging in to the web server box) and compare it to the output of the modulus on the CEM PEM certificate to confirm if it matches. If they don't, then most likely you have a wrong server key converted to PEM.

    For example:-
    Run openssl on the server certificate using the command
    C:\tmp>c:\cygwin\bin\openssl x509 -noout -modulus -in <server.crt>

    Modulus=F2A583ECF07FED008EB5A29FE5A02A82C14B4B39A00A6027C350074DAB7C97580F7DACCB
    F00CD0573D7874B4080B23BA1D2246A2A2D063D287B283DE8D273CC05979EA759102A1713EE78F14
    192F4BDB06652E9379192DAF41F2C48A862C88E9FE8E844C9D92FE5AD1E48096C6D7A56401BFD2D1
    FE517242E71100E053E9169BD94815DED9CB3DC8F3526903EB4A9C955BF1236CCB7F6958E9A6B641
    BF2BE6543D1DB96DCD5CC725EBDE2A12CDC02AEA78FC855AB75DECE8808CB6540752033BCF7264C6
    531700A0238F77F4A87512BB92AA5A3A7C75C21BDDEC1DBA511860C2C4A8F875B3076823867662B4
    9FDB6D72E78C1D732800C29A53A2A09558EDF199

    Run openssl on the certificate uploaded to the UI

    C:\tmp>c:\cygwin\bin\openssl x509 -noout -modulus -in <cem PEM crt>

    Modulus=B621595645165751B7A8E4A40797029B4F1234B22B4FB932E66EAAC9495B28BA4E0CB4CF
    05B531BC9A4AD6495DF5DA2A47F7526BF747395432C32CA92A58A73067CEBA25417C5F54A4C20097
    C77B2BEBB1AA0F8694DA9E0CDD2FA246BB65EA8A80FD10DC901017C7B3B17B1BD302EC1DE9A723F2
    E1BAB541688859D092467342670BDEB9F02A703743076DA6159CDE52C712DB66EDBF968AEB62A3E5
    472D5286DA26ED018091E6AA77AE97740797B5366EB55898C90E2DC60D6962D815DEA678AF43E629
    2D1374C9C96DCEE23B722A01BFB1E651B150A79A681FCB0943602FD39B60B19E7100F31813C0F4F6
    C1C013D4E509D4B1EDE2D0FE29A2919908E7FC4B

    If there is a mismatch as indicated above, it's the wrong key.

    2. Dump the cipher traffic used by the application and see if it uses a DHE cipher.

    You can use
    http://www.serversniff.net/sslcheck.php to check the default cipher

    3. Enable the SSL errors/connections from the TIM trace options in the TIM setup page, and check for any SSL errors in the TIM logs.


    Regards
    Vijay
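
    As an added example (not code from this thread or from the product): a small POSIX shell script that automates the two checks in Vijay's reply, the modulus comparison and the Diffie-Hellman cipher test. It assumes openssl on PATH; the file names and the host name at the end are placeholders.

```shell
# Added example, not from the thread: automate the two checks from Vijay's reply.
# Assumes openssl on PATH; all file paths and host names are placeholders.

# Modulus of an X.509 certificate (the "Modulus=..." value, without the prefix).
cert_modulus() {
    openssl x509 -noout -modulus -in "$1" 2>/dev/null | sed 's/^Modulus=//'
}

# Modulus of an RSA private key; this is what the TIM actually decrypts with.
key_modulus() {
    openssl rsa -noout -modulus -in "$1" 2>/dev/null | sed 's/^Modulus=//'
}

# modulus_of FILE : works for a certificate or a private key, whichever FILE is.
modulus_of() {
    m=$(cert_modulus "$1")
    [ -n "$m" ] || m=$(key_modulus "$1")
    [ -n "$m" ] || { echo "no RSA modulus found in $1" >&2; return 1; }
    printf '%s\n' "$m"
}

# moduli_match FILE1 FILE2 : succeeds only if both carry the same RSA modulus,
# i.e. the PEM uploaded to CEM really belongs to the certificate the server presents.
moduli_match() {
    a=$(modulus_of "$1") || return 2
    b=$(modulus_of "$2") || return 2
    [ "$a" = "$b" ]
}

# kx_is_dh SUITE : succeeds if the cipher suite's key exchange is Diffie-Hellman
# (DHE, ECDHE, static DH, or any TLS 1.3 suite). Such sessions cannot be decoded
# from a passive tap with the server's RSA key, which is Vijay's DHE caveat.
kx_is_dh() {
    case "$1" in
        TLS_*) return 0 ;;   # TLS 1.3 names omit the key exchange; it is always (EC)DHE
        *DH*)  return 0 ;;   # ECDHE-, DHE-, ECDH-, DH-, ADH- prefixes
        *)     return 1 ;;
    esac
}

# negotiated_cipher HOST PORT : suite the server picks for a default handshake.
# Needs network reach to the server, so it is not exercised offline.
negotiated_cipher() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | sed -n 's/^ *Cipher *: *//p' | head -n 1
}

# Usage: moduli_match server.crt cem.pem && echo "same key"
# Usage: kx_is_dh "$(negotiated_cipher portal.domain.local 443)" && echo "DH: TIM cannot decode"
```

    A mismatch from moduli_match means the wrong key was converted to PEM; a DH result from kx_is_dh means no key will help, because the session key is never sent under the server's RSA key.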


  • 3.  RE: TIM and HTTPS - Getting Cert Errors and No data

    Posted 05-20-2013 12:42 PM
    Thanks very much Vijay.

    My contact is working on generating a new .pem key file from a load balancer as soon as he can. This is where the HTTPS/SSL for my application terminates. The key type is SHA1.
    I wish I had more involvement but the network/infrastructure parts of my project are run by another team who we have to rely on.

    We can consider the modulus check if the new key file doesn't do the trick.
    My log file is set to pick up SSL errors, but I haven't seen any.

    Regards,

    Bob.


  • 4.  RE: TIM and HTTPS - Getting Cert Errors and No data

    Posted 05-20-2013 01:59 PM
    Hi Bob
    Sure please keep us posted

    Regards
    Vijay


  • 5.  RE: TIM and HTTPS - Getting Cert Errors and No data

    Posted 05-22-2013 04:08 AM
    OK - the new certificate was generated and passed to me.
    It was checked with modulus and matched.

    It was loaded and still I get the same connection decode errors.

    Now - when I've asked more about the private key file and its association to my specific SSL termination point on the load balancer, I have been told:-
    "The certificate we are using in our test environment uses a wildcard, so the IP address it is against should not matter."

    So - new question - How will the TIM react to a private key that has been generated with a wildcard (*) ?

    Is that valid within the APM configuration (it is OK on the load balancer, we are told)?
    If so, would I enter the IP address of my load balancer in the CEM Server HTTPS screen or should I use the wildcard there too?

    Regards,

    Bob.
    Fujitsu UK


  • 6.  RE: TIM and HTTPS - Getting Cert Errors and No data

    Posted 05-22-2013 04:32 AM
    I should have clarified the wildcard on the cert isn't just *.
    It is *.domain.local

    So my actual web servers such as portal.domain.local and ebusiness.domain.local and sso.domain.local are all meant to be covered by the single private key.
    My network contact says that this is the way that it has been designed and implemented on our load balancers, so will have to stay that way.

    Regards,

    Bob.
    Fujitsu UK