Hello,
I've tried testing it first in a lab environment, but when I imported the certificate and restarted the EM service I got the error below.
Any ideas please?
9/28/20 03:13:54.456 PM EEST [INFO] [RemoteHttpCallServiceExecutor-12] [Manager.AppMap.RemoteHttp] SSLHandshakeException: Received fatal alert: handshake_failure
9/28/20 03:13:54.456 PM EEST [INFO] [Thread-ClusterTopologyPoller] [Manager.AppMap] Cannot send EM topology due: 'SSLHandshakeException: Received fatal alert: handshake_failure' Will retry.
9/28/20 03:13:54.456 PM EEST [VERBOSE] [RemoteHttpCallServiceExecutor-12] [Manager.AppMap.RemoteHttp] SSLHandshakeException: Received fatal alert: handshake_failure
com.wily.isengard.messageprimitives.ConnectionException: SSLHandshakeException: Received fatal alert: handshake_failure
at com.wily.introscope.appmap.remotehttp.RemoteHttpCallServiceImpl.makeExceptionSafeForAgent(RemoteHttpCallServiceImpl.java:872)
at com.wily.introscope.appmap.remotehttp.RemoteHttpCallServiceImpl.access$0(RemoteHttpCallServiceImpl.java:867)
at com.wily.introscope.appmap.remotehttp.RemoteHttpCallServiceImpl$RemoteHttpCallServiceProxyImpl$1.run(RemoteHttpCallServiceImpl.java:559)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.Exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
at com.wily.introscope.appmap.remotehttp.RemoteHttpCallServiceImpl$RemoteHttpCallServiceProxyImpl$1.run(RemoteHttpCallServiceImpl.java:554)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
... 6 more
------------------------------
Infrastructure Software-Systems Engineer
------------------------------
Original Message:
Sent: 09-24-2020 03:01 AM
From: Joerg Mertin
Subject: Securing APM with a certificate signed from external authority
Having a correctly set up network environment will work. If the server recognizes itself as xxx.com.kw, then yes, it will work.
------------------------------
Customer Solution Engineering
Broadcom Inc.
Original Message:
Sent: 09-24-2020 02:55 AM
From: Evangelos Lampropoulos
Subject: Securing APM with a certificate signed from external authority
Hello,
They only said that they cannot issue a SHA2 certificate internally.
They will upgrade their Active Directory server to 2016 but it will not happen soon.
Another question is if we can achieve the desired result by adding a new entry in DNS that will point to the server's IP.
Kind regards,
Vaggelis
------------------------------
Infrastructure Software-Systems Engineer
Original Message:
Sent: 09-24-2020 01:44 AM
From: Haruhiko Davis
Subject: Securing APM with a certificate signed from external authority
Windows 2008 R2 supports SHA2: https://support.microsoft.com/en-us/help/4039648/update-to-add-sha2-code-signing-support-for-windows-server-2008-sp2
Are they saying that they cannot upgrade their MSAD forest?
------------------------------
Solution Engineering
Broadcom
Original Message:
Sent: 09-22-2020 06:40 AM
From: Evangelos Lampropoulos
Subject: Securing APM with a certificate signed from external authority
Hello all,
I have a question regarding securing APM.
We were using a self-signed certificate for securing APM at our customer (the one that comes along with the APM installation), but we were asked to use a valid and trusted certificate when we moved to production.
The certificate provided by our customer is of the SHA1 type (algorithm), and when we imported it in the production environment it didn't work.
We then opened a support case, and the Broadcom Support team informed us that SHA1 is not an appropriate type of certificate and that we should issue and use at least SHA2.
We went back to our customer, who informed us that they cannot issue it internally due to restrictions of the version of Active Directory they use (it is 2008).
This means that they have to take this to a CA, but this way the certificate will be issued for the public domain of the company and not the local one.
Currently the APM EM server and also APM DB server are both in local domain --> xxx.local
However the SHA2 certificate will be issued on xxx.com.kw domain.
We are trying to understand what will be the impact of such an action and what would be the configuration steps we should follow to keep the existing production environment working as it is now.
Can you please help me with this tricky problem?
Kind regards,
Vaggelis
------------------------------
Infrastructure Software-Systems Engineer
------------------------------
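As an added illustration of the two checks this thread turns on (the name in the certificate versus the name clients connect to, and the SHA1 versus SHA2 signature), here is an offline checker that is not from any of the posters and not Broadcom's code. It takes the dict shape that Python's ssl.SSLSocket.getpeercert() returns; the signatureAlgorithm key is not part of that output and is a constructed field here, as are the sample certificates and host names.

```python
"""Offline check: will this certificate pass hostname validation for the
name an EM client actually uses, and is its signature hash acceptable?
Sample data below is constructed; only xxx.local / xxx.com.kw come from the thread."""


def _san_dns_names(cert):
    """DNS names from subjectAltName; fall back to the subject CN only when
    the certificate carries no SAN at all (modern clients ignore CN otherwise)."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t.upper() == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def _label_match(pattern, hostname):
    """RFC 6125 style matching: a single '*' may stand for the leftmost label
    only, never spans a dot, and is not accepted directly under a TLD."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def check_cert(cert, hostname):
    """Return the list of problems; an empty list means the name and
    signature checks would pass for a client connecting to `hostname`."""
    problems = []
    names = _san_dns_names(cert)
    if not any(_label_match(n, hostname) for n in names):
        problems.append(f"name mismatch: {hostname} not in {names}")
    sig = cert.get("signatureAlgorithm", "").lower()  # constructed field, see lead-in
    if sig.startswith(("sha1", "md5")):
        problems.append(f"weak signature hash: {sig}")
    return problems


# Constructed samples: a public-CA certificate issued for the xxx.com.kw
# name, and the old internal SHA-1 certificate issued for the xxx.local name.
PUBLIC_CERT = {
    "subject": ((("commonName", "apm.xxx.com.kw"),),),
    "subjectAltName": (("DNS", "apm.xxx.com.kw"), ("DNS", "*.xxx.com.kw")),
    "signatureAlgorithm": "sha256WithRSAEncryption",
}
INTERNAL_CERT = {
    "subject": ((("commonName", "apm-em.xxx.local"),),),
    "subjectAltName": (("DNS", "apm-em.xxx.local"),),
    "signatureAlgorithm": "sha1WithRSAEncryption",
}
```

Running check_cert(PUBLIC_CERT, "apm-em.xxx.local") shows why a DNS entry alone is not enough: the client must be pointed at a name that appears in the certificate's SAN, which is exactly the "server recognizes itself as xxx.com.kw" condition mentioned in the thread.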