DX Application Performance Management


Securing APM with a certificate signed from external authority

  • 1.  Securing APM with a certificate signed from external authority

    Posted Sep 22, 2020 06:41 AM
    Hello all,
    I have a question regarding securing APM.
    We were using a self-signed certificate for securing APM at our customer (the one that comes along with the APM installation), but we were asked to use a valid and trusted certificate when we moved to production.
    The certificate which was provided by our customer is of SHA1 type (algorithm), and when we imported it in the production environment it didn't work.
    We then opened a support case, and the Broadcom Support team informed us that SHA1 is not an appropriate type of certificate and that we should issue and use at least SHA2.
    We went back to our customer who informed us that they cannot issue it internally due to restrictions of the version of Active Directory they use (it is 2008).
    This means that they have to address this issue to a CA, but this way the certificate will be issued for the public domain of the company and not the local one.
    Currently the APM EM server and the APM DB server are both in the local domain --> xxx.local
    However, the SHA2 certificate will be issued on the xxx.com.kw domain.
    We are trying to understand what will be the impact of such an action and what would be the configuration steps we should follow to keep the existing production environment working as it is now.
    Can you please help me with this tricky problem?
    Kind regards,
    Vaggelis

    ------------------------------
    Infrastructure Software-Systems Engineer
    ------------------------------


  • 2.  RE: Securing APM with a certificate signed from external authority

    Broadcom Employee
    Posted Sep 23, 2020 03:01 AM
    Hi Vaggelis,
    As with all certificates, the clients contacting the server check the certificate provided by the server side against the FQDN (fully qualified domain name). In case it does not match (as will happen in your case - xxx.local vs. xxx.com.kw), the validation mechanism will return a failure.

    An alternative would be to create a self-signed certificate, provide the entire certificate chain to the server/client side and register it with the system (I did so on private systems before Let's Encrypt times). But it was always trial and error to make it run right.

    ------------------------------
    Customer Solution Engineering
    Broadcom Inc.
    ------------------------------



  • 3.  RE: Securing APM with a certificate signed from external authority

    Broadcom Employee
    Posted Sep 24, 2020 01:44 AM
    Windows 2008 R2 supports SHA2: https://support.microsoft.com/en-us/help/4039648/update-to-add-sha2-code-signing-support-for-windows-server-2008-sp2

    Are they saying that they cannot upgrade their MSAD forest?

    ------------------------------
    Solution Engineering
    Broadcom
    ------------------------------



  • 4.  RE: Securing APM with a certificate signed from external authority

    Posted Sep 24, 2020 02:55 AM
    Hello,
    They only said that they cannot issue a SHA2 certificate internally.
    They will upgrade their Active Directory server to 2016 but it will not happen soon.
    Another question is whether we can achieve the desired result by adding a new entry in DNS that will point to the server's IP.
    Kind regards,
    Vaggelis

    ------------------------------
    Infrastructure Software-Systems Engineer
    ------------------------------



  • 5.  RE: Securing APM with a certificate signed from external authority

    Broadcom Employee
    Posted Sep 24, 2020 03:01 AM
    Having a correctly set up network environment will work. If the server recognizes itself as xxx.com.kw, then yes, it will work.

    ------------------------------
    Customer Solution Engineering
    Broadcom Inc.
    ------------------------------
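The name check described in replies 2 and 5, as an added illustration (not APM or Broadcom code): a client matches the host name it actually used to reach the server against the certificate's names, so the same xxx.com.kw certificate fails when the server is reached as xxx.local and passes once clients use the public name. The certificates below are constructed in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns; the domains are the thread's placeholders.

```python
"""Name check a TLS client applies to the server certificate (posts 2 and 5).
Added illustration, not APM code: certificates are constructed in the dict
shape of Python's ssl.SSLSocket.getpeercert(); names are the thread's
placeholders (xxx.local / xxx.com.kw)."""

def _dns_names(cert):
    """Names a client may match: SAN dNSName entries when present,
    otherwise (legacy fallback) the subject commonName."""
    san = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def _label_match(pattern, hostname):
    """RFC 6125 style: case-insensitive; a wildcard only as the whole leftmost
    label, only with at least two labels after it, never across dots."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]

def hostname_matches(cert, hostname):
    """True if the name the client used to reach the server is covered by the certificate."""
    return any(_label_match(p, hostname) for p in _dns_names(cert))

# Constructed certificate as the external CA would issue it: public name only.
PUBLIC_CERT = {
    "subject": ((("commonName", "apm.xxx.com.kw"),),),
    "subjectAltName": (("DNS", "apm.xxx.com.kw"),),
}

if __name__ == "__main__":
    # The same certificate passes or fails purely on the name the client used,
    # which is why a DNS entry for the public name (post 5) changes the outcome.
    for name in ("apm.xxx.local", "apm.xxx.com.kw", "APM.XXX.COM.KW"):
        print(f"{name:15} -> {hostname_matches(PUBLIC_CERT, name)}")
```

A name mismatch surfaces on the client as a certificate verification error that names the host; the `handshake_failure` alert posted later in this thread is a different failure class, sent by the server before any name check happens (typically because it cannot find a usable key entry for the configured alias or has no cipher suite in common with the client), so the keystore alias and enabled protocols are the first things to confirm in that case.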



  • 6.  RE: Securing APM with a certificate signed from external authority

    Posted Sep 28, 2020 08:16 AM
    Hello,
    I've tried testing it first in a lab environment, but when I imported the certificate and restarted the EM service I got the error below.
    Any ideas please?

    9/28/20 03:13:54.456 PM EEST [INFO] [RemoteHttpCallServiceExecutor-12] [Manager.AppMap.RemoteHttp] SSLHandshakeException: Received fatal alert: handshake_failure
    9/28/20 03:13:54.456 PM EEST [INFO] [Thread-ClusterTopologyPoller] [Manager.AppMap] Cannot send EM topology due: 'SSLHandshakeException: Received fatal alert: handshake_failure' Will retry.
    9/28/20 03:13:54.456 PM EEST [VERBOSE] [RemoteHttpCallServiceExecutor-12] [Manager.AppMap.RemoteHttp] SSLHandshakeException: Received fatal alert: handshake_failure
    com.wily.isengard.messageprimitives.ConnectionException: SSLHandshakeException: Received fatal alert: handshake_failure
    at com.wily.introscope.appmap.remotehttp.RemoteHttpCallServiceImpl.makeExceptionSafeForAgent(RemoteHttpCallServiceImpl.java:872)
    at com.wily.introscope.appmap.remotehttp.RemoteHttpCallServiceImpl.access$0(RemoteHttpCallServiceImpl.java:867)
    at com.wily.introscope.appmap.remotehttp.RemoteHttpCallServiceImpl$RemoteHttpCallServiceProxyImpl$1.run(RemoteHttpCallServiceImpl.java:559)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
    Caused by: java.lang.Exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
    at com.wily.introscope.appmap.remotehttp.RemoteHttpCallServiceImpl$RemoteHttpCallServiceProxyImpl$1.run(RemoteHttpCallServiceImpl.java:554)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

    ... 6 more

    ------------------------------
    Infrastructure Software-Systems Engineer
    ------------------------------



  • 7.  RE: Securing APM with a certificate signed from external authority

    Posted Sep 28, 2020 08:17 AM
    Let me also add that if I keep the self-signed certificate which comes with APM (alias=caapm), it works.

    ------------------------------
    Infrastructure Software-Systems Engineer
    ------------------------------



  • 8.  RE: Securing APM with a certificate signed from external authority

    Broadcom Employee
    Posted Sep 29, 2020 02:31 PM
    When you enabled HTTPS on ATC/WV, did you also enable it in IntroscopeWebView.properties?

    ------------------------------
    Solution Engineering
    Broadcom
    ------------------------------



  • 9.  RE: Securing APM with a certificate signed from external authority

    Posted Sep 30, 2020 02:57 AM
    Yes, I have also enabled it in IntroscopeWebView.properties.
    As a matter of fact, the changes for WebView are shown below:

    In <EM-Home>/config/IntroscopeWebView.properties
    a.
    I have modified the below lines:
    introscope.webview.enterprisemanager.tcp.port=8081
    introscope.webview.enterprisemanager.webserver.tcp.port=8080
    introscope.webview.enterprisemanager.rest.base=http://<EM_HOSTNAME>:8081/apm/appmap
    to:
    introscope.webview.enterprisemanager.tcp.port=8444
    introscope.webview.enterprisemanager.webserver.tcp.port=8443
    introscope.webview.enterprisemanager.rest.base=https://<EM_HOSTNAME>:8444/apm/appmap
    b.
    I have also uncommented the below line:
    #introscope.webview.jetty.configurationFile=webview-jetty-config.xml

    In <EM-Home>/config/webview-jetty-config.xml I have modified the below line:
    <Set name="certAlias">caapm</Set>
    to:
    <Set name="certAlias"><myalias></Set>

    Let me also add that EM and WV are running on the same server. No other customization has been done for WebView.

    Kind regards,
    Vaggelis

    ------------------------------
    Infrastructure Software-Systems Engineer
    ------------------------------
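A consistency check over the three WebView settings quoted in the post above, as an added illustration (not APM's own code): it confirms the REST base URL uses https on the same port as the EM TLS port, that the Jetty configuration property is no longer commented out, and that the `certAlias` in the Jetty XML names an alias that actually exists in the keystore. The sample file contents are constructed from the post (em01 stands in for <EM_HOSTNAME>), and the alias list is an assumed input such as the output of `keytool -list`.

```python
"""Consistency check for the WebView HTTPS settings quoted in the post above.
Added illustration, not APM's own code: the property names and certAlias
element come from the post, the sample contents are constructed (em01 stands
in for <EM_HOSTNAME>) and the keystore alias list is an assumed input."""
import re
from urllib.parse import urlsplit

def parse_properties(text):
    """Minimal Java .properties reader; '#'/'!' lines are comments, so a
    commented-out key is simply absent from the result."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_webview_https(props_text, jetty_xml, keystore_aliases):
    """Return a list of findings; an empty list means the pieces agree."""
    p = parse_properties(props_text)
    findings = []
    em_port = p.get("introscope.webview.enterprisemanager.tcp.port")
    base = urlsplit(p.get("introscope.webview.enterprisemanager.rest.base", ""))
    if base.scheme != "https":
        findings.append("rest.base still uses http")
    if str(base.port) != em_port:
        findings.append(f"rest.base port {base.port} != tcp.port {em_port}")
    if "introscope.webview.jetty.configurationFile" not in p:
        findings.append("jetty configurationFile property is still commented out")
    # A placeholder such as <myalias> is not valid element text and will not match.
    m = re.search(r'<Set name="certAlias">([^<]*)</Set>', jetty_xml)
    alias = m.group(1).strip() if m else ""
    if not alias:
        findings.append("certAlias is missing or still a placeholder")
    elif alias not in keystore_aliases:
        findings.append(f"certAlias '{alias}' not found in keystore")
    return findings

# Constructed from the values quoted in the post (EM and WebView on one host).
BEFORE = """introscope.webview.enterprisemanager.tcp.port=8081
introscope.webview.enterprisemanager.webserver.tcp.port=8080
introscope.webview.enterprisemanager.rest.base=http://em01:8081/apm/appmap
#introscope.webview.jetty.configurationFile=webview-jetty-config.xml
"""
AFTER = (BEFORE.replace("8081", "8444").replace("8080", "8443")
         .replace("http://", "https://").replace("\n#", "\n"))
JETTY = '<Set name="certAlias">caapm</Set>'
print(check_webview_https(BEFORE, JETTY, ["caapm"]), check_webview_https(AFTER, JETTY, ["caapm"]))
```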



  • 10.  RE: Securing APM with a certificate signed from external authority

    Broadcom Employee
    Posted Oct 08, 2020 11:17 AM
    Hi,
    Have you looked at these KBs?

    1. Enabling APM HTTPS Communications using a Non-default Keystore or Certificate
    https://knowledge.broadcom.com/external/article?articleId=14934#/

    2. WebServer SSL Certificate Installation
    https://knowledge.broadcom.com/external/article?articleId=145558#/

    Thanks,
    Yanna