DX Application Performance Management

  • 1.  CipherSuites for WebServers PowerPack

    Posted Jul 13, 2017 09:58 AM

    Hi all,

     

    Regarding CipherSuites Supported by APM for Web Servers - CA Application Performance Management - 10.3 - CA Technologies Documenta…, the supported CipherSuites are a list, containing e.g.

     

    TLS_DHE_DSS_WITH_AES_256_CBC_SHA

     

     

    I'm not really sure how to read this; I don't see any 1024 CipherSuite, so I guess 1024-bit encryption is not supported.

     

    I'm trying to reach a site that uses a cert saying:

    Version V3

    Signature Algorithm sha1RSA

    Signature hash Algorithm sha1

    Public Key RSA (1024 bits)

    Thumbprint algorithm sha1

     

    as the relevant information for this. I've created the TrustStore, added it to AgentConfig.properties and everything looks fine, but the connection is rejected due to

    [ERROR] [WebServerMonitor] Could not get metrics from server : https://.................. Could be to unsupported protocol or cipherSuite being used

    java.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

     

    Is this related to using a 32-bit JRE for the PowerPack (since it only supports a 32-bit JVM)?

    Is there a way to access the site using that cipher suite?

     

     

    Regards,

    Roger



  • 2.  Re: CipherSuites for WebServers PowerPack



  • 3.  Re: CipherSuites for WebServers PowerPack

    Posted Jul 14, 2017 07:49 AM

    Hi musma03,

    Thanks for your answer

     

    I'm not sure we are talking about the same certs.

    I'm trying to monitor an IHS web server with WebServers PowerPack 10.1, whose certificate is configured as:

     

    Version V3

    Signature Algorithm sha1RSA

    Signature hash Algorithm sha1

    Public Key RSA (1024 bits)

    Thumbprint algorithm sha1

     

     

    Is this cert supported for checking its server-status url?

    I'm not able to do so.

     

    Regards,

    Roger



  • 4.  Re: CipherSuites for WebServers PowerPack
    Best Answer

    Broadcom Employee
    Posted Jul 14, 2017 11:41 AM

    Hello Roger,

     

    As long as the certificate is valid (certificate chain validates), it should be fine. As for the encryption strength, this is not listed in the APM documentation as there are valid keysize ranges for each individual cipher. You can typically find these in the JVM documentation and many support 1024 keysize. For example, here is Oracle's Java 8 reference: Java Cryptography Architecture Oracle Providers Documentation

     

    You might want to take a step back though. An SSL handshake negotiates both a protocol and cipher before any certificate validation is done. The following might help you get a better idea where the handshake is failing and you can debug from there:

    How to debug SSL connection problems between Enterprise Managers and Agents or Standalone Agents and 3rd party products … 

     

    One immediate thought that comes to mind is that the PowerPack for Webserver version 10.1 only supports SSLv3 and TLS 1.0 and their ciphers. Using APM for Web Servers - CA Application Performance Management - 10.1 - CA Technologies Documentation 

    This is not very secure and it is quite possible that the IHS server is configured only to accept TLS 1.1 or 1.2 ciphers. In this case, please consider using an agent version 10.3 or higher (Using CA APM for Web Servers - CA Application Performance Management - 10.3 - CA Technologies Documentation), which supports TLS 1.1 and 1.2.

     

    If this does not help, please open a support case with a copy of your Powerpack for WebServers agent and the ssl logging, and Support can review further.
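
The reply above points out that protocol and cipher are negotiated before the certificate is validated. The following is an added example, not part of the original thread and not CA APM code: a small probe (the class name `TlsProbe` and its host/port arguments are assumptions) that tries each protocol version the local JRE supports against the web server and reports the negotiated cipher suite or the failure.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.util.Arrays;

// Added diagnostic example (hypothetical class name, not part of the PowerPack).
// Run it with the same JRE the agent uses, so it reflects what that JVM can offer.
public class TlsProbe {
    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java TlsProbe <host> [port]");
            return;
        }
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        // The default context honours -Djavax.net.ssl.trustStore, so the
        // TrustStore built for the agent can be reused for the probe.
        SSLContext ctx = SSLContext.getDefault();
        SSLSocketFactory factory = ctx.getSocketFactory();
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();

        System.out.println("JRE " + System.getProperty("java.version")
                + " (" + System.getProperty("os.arch") + ")");
        System.out.println("Supported protocols: " + Arrays.toString(supported));
        System.out.println("Enabled by default:  "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));

        for (String protocol : supported) {
            if (protocol.equals("SSLv2Hello")) {
                continue; // hello-format pseudo-protocol, cannot be offered alone
            }
            try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
                socket.setSoTimeout(10_000);
                socket.setEnabledProtocols(new String[] { protocol });
                socket.startHandshake(); // negotiation first, then chain validation
                System.out.println(protocol + ": OK, cipher "
                        + socket.getSession().getCipherSuite());
            } catch (Exception e) {
                // "handshake_failure" alert: server rejected protocol/cipher offer.
                // Certificate/PKIX error: negotiation worked, trust did not.
                System.out.println(protocol + ": FAILED (" + e + ")");
            }
        }
    }
}
```

A `handshake_failure` alert on every protocol points at the protocol or cipher offer; a certificate path error on some protocol means negotiation succeeded there and the TrustStore is the thing to check.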



  • 5.  Re: CipherSuites for WebServers PowerPack

    Broadcom Employee
    Posted Jul 14, 2017 03:04 PM

    Hi Rogelio, 

     

    Has Tom's response helped you? Do you have any additional followup questions?



  • 6.  Re: CipherSuites for WebServers PowerPack

    Posted Jul 17, 2017 10:09 AM

    Hi,

     

    I've just tested the 10.3 power pack, but still get the same error. I'll try debugging the connection, as Tom suggests.

     

    Thanks!

    Regards,

    Roger



  • 7.  Re: CipherSuites for WebServers PowerPack

    Broadcom Employee
    Posted Jul 18, 2017 07:42 AM

    Thanks Rogelio for the update. Hopefully the suggestion leads to good results. Please let us know either way or if there are any follow-up questions.