Data Center Real User Monitoring SSL Monitoring Administration
Data Center Real User Monitoring SSL Monitoring Administration Guide
Release 12.3

Please direct questions about Data Center Real User Monitoring or comments on this document to: Customer Support https://community.compuwareapm.com/community/display/SUPPORT

Copyright © 2014 Compuware Corporation. All rights reserved.

All current Compuware Corporation product documentation can be found at https://community.compuwareapm.com/community/display/APMDOC.

Local Build: December 9, 2014, 4:45

Contents

Introduction
    Who Should Read This Guide
    Related Publications
    Organization of This Guide
    Customer Support Information
    Reporting a Problem
    Documentation Conventions

Chapter 1 ∙ Process Overview of SSL Monitoring

Chapter 2 ∙ Configuring SSL Monitoring on the AMD
    Configuring and Using RSA Private Keys
    Management of RSA Private Keys on AMD
    Using a List File to Specify RSA Private Keys
    SSL Hardware Accelerator Cards
    Selecting and Configuring SSL Engine
    Installing and Configuring NITROX XL FIPS Acceleration Board
    Supported NITROX XL FIPS Acceleration Board Security Levels
    Invoking Acceleration Board Management Utility
    Initializing the NITROX XL FIPS Acceleration Board
    Logging In and Out of the NITROX XL FIPS Acceleration Board
    RSA Key Management on NITROX XL FIPS
    RoHS Directive Compliance
    Installing and Configuring an nCipher SSL Card on a 32-bit AMD
    Installing and Configuring an nCipher SSL Card on a 64-bit AMD
    Removing nCipher Security World
    Installing and Configuring Sun Crypto Accelerator 6000 PCIe Card
    Initializing the Sun Crypto Accelerator 6000 PCIe Card
    Sun Crypto Accelerator 6000 PCIe Card - Key and Card Management
    Additional Configuration Settings and Administration for Sun Crypto Accelerator 6000 PCIe Card
    Reference Information for Sun Crypto Accelerator 6000 PCIe Card
    Sun Crypto Accelerator 6000 PCIe Card Known Issues
    Using KPA to Make Keys Available to the AMD Process
    Migrating from OpenSSL to Using SSL Hardware Accelerator
    Monitoring SSL-encoded Traffic without Decryption
    Using AMD with nShield Connect HSM
    Setting Up nShield Connect
    Connecting AMD to Existing nShield Connect

Chapter 3 ∙ Server-Based SSL Monitoring Configuration
    Defining SSL Error Names
    Managing SSL Alert Codes

Chapter 4 ∙ Tuning Configuration and Troubleshooting Problems
    Verification of Traffic Monitoring Quality
    SSL Diagnostics
    Troubleshooting SSL Monitoring Issues
    Guided Configuration Issues

Appendix A ∙ SSL-Related rcon Commands
    SSLDECR CERTS
    SSLDECR HELP
    SSLDECR LOGLEVEL
    SSLDECR NAMES
    SHOW SSLDECR CERTS
    SHOW SSLDECR CIPHERS
    SHOW SSLDECR HELP
    SHOW SSLDECR KEYS
    SHOW SSLDECR LOGLEVEL
    SHOW SSLDECR NAMES
    SHOW SSLDECR SERVERS
    SHOW SSLDECR STATUS

Appendix B ∙ Extracting Web Server Private SSL Keys
    Extracting Web Server Private RSA Keys for Apache/OpenSSL Server
    Extracting Web Server Private RSA Keys for Microsoft IIS 4.0 Server
    Extracting Web Server Private RSA Keys for Microsoft IIS 5.0 Server
    Extracting Web Server Private RSA Keys for Netscape (Old Format)
    Extracting Web Server Private RSA Keys for Netscape (New Format)
    Extracting Web Server Private RSA Keys for Zeus
    Extracting SSL Private Keys from an iPlanet Web Server

Appendix C ∙ SSL Support
    SSL Software Support
    SSL Hardware Support

Index

INTRODUCTION

Who Should Read This Guide

This book is intended for users of Data Center Real User Monitoring who want to configure, diagnose, and troubleshoot the monitoring of SSL traffic.

Related Publications

Documentation for your product is distributed on the product media. For Data Center RUM, it is located in the \Documentation directory. It can also be accessed from the Media Browser.

Go online (https://community.compuwareapm.com/) for fast access to information about your Dynatrace products. You can download documentation and FAQs as well as browse, ask questions and get answers on user forums (requires subscription). The first time you access FrontLine, you are required to register and obtain a password. Registration is free.

PDF files can be viewed with Adobe Reader version 7 or later. If you do not have the Reader application installed, you can download the setup file from the Adobe Web site at http://www.adobe.com/downloads/.

Organization of This Guide

This guide is organized as follows:

• Process Overview of SSL Monitoring [p. 9] contains an overview of issues and considerations on monitoring of secure traffic based on SSL (Secure Socket Layer).
• Configuring SSL Monitoring on the AMD [p. 11] contains information about preparing private RSA keys, installing and configuring hardware accelerator cards, using OpenSSL, and migrating from OpenSSL to hardware SSL acceleration. It also includes information on monitoring SSL traffic without decryption.
• Server-Based SSL Monitoring Configuration [p. 49] explains changing the SSL monitoring related properties that affect DC RUM reports.
• Tuning Configuration and Troubleshooting Problems [p. 55] addresses various configuration issues often encountered in SSL monitoring.
• SSL-Related rcon Commands [p. 67] is a collection of rcon commands related to SSL monitoring.
• Extracting Web Server Private SSL Keys [p. 79] explains in detail how to extract private SSL keys from different web servers.
• SSL Support [p. 87] provides reference information about hardware and software SSL support in DC RUM.

Customer Support Information

Dynatrace Community

For product information, go to https://community.compuwareapm.com/ and click Support. You can review frequently asked questions, access the training resources in the APM University, and post a question or comment to the product forums. You must register and log in to access the Community.

Corporate Website

To access the corporate website, go to http://www.dynatrace.com. The Dynatrace site provides a variety of product and support information.

Reporting a Problem

Use these guidelines when contacting APM Customer Support. When submitting a problem, log on to the Dynatrace Support Portal at https://support.compuwareapm.com/, click the Open Ticket button and select Data Center Real User Monitoring from the Product list.

Refer to the DC RUM FAQ article at https://community.compuwareapm.com/community/display/DL/DCRUM+Data+Collection+Guide to learn how to provide accurate diagnostics data for your DC RUM components. Most of the required data can be retrieved using RUM Console.

Documentation Conventions

The following font conventions are used throughout documentation:

This font | Indicates
Bold | Terms, commands, and references to names of screen controls and user interface elements.
Citation | Emphasized text, inline citations, titles of external books or articles.
Documentation Conventions [p. 6] | Links to Internet resources and linked references to titles in documentation.
Fixed width | Cited contents of text files, inline examples of code, command line inputs or system outputs. Also file and path names.
Fixed width bold | User input in console commands.
Fixed width italic | Place holders for values of strings, for example as in the command: cd directory_name
Menu ➤ Item | Menu items.
Screen | Text screen shots.
Code block | Blocks of code or fragments of text files.

CHAPTER 1
Process Overview of SSL Monitoring

Monitoring of secure traffic requires more attention and preparation than monitoring of non-secure protocols. In addition, if the AMD is to decrypt SSL traffic, it needs third-party components, such as hardware or software SSL accelerators, preconfigured to seamlessly work with Data Center Real User Monitoring.

Before You Begin

Before you start the configuration process:

• You should be familiar with DC RUM components and basic monitoring concepts. Refer to the Data Center Real User Monitoring Getting Started.
• You need to identify your monitoring goals. For more information, see Define and Prioritize Goals, Objectives, and Requirements in the Data Center Real User Monitoring Getting Started.
• You need to install the following DC RUM components:
    ◦ The latest version of AMD. Refer to the Data Center Real User Monitoring Agentless Monitoring Device Installation Guide.
    ◦ The latest version of RUM Console. Refer to the Data Center Real User Monitoring RUM Console Installation Guide.
    ◦ The latest version of CAS. Refer to the Data Center Real User Monitoring Central Analysis Server Installation Guide.
    ◦ Optionally: The latest version of ADS. Refer to the Data Center Real User Monitoring Advanced Diagnostics Server Installation Guide.
• Make sure you have prepared your RSA keys and documentation on your SSL accelerator.

The process of configuration of SSL monitoring with decryption consists of the following tasks. Note that you may want to monitor SSL traffic without decryption. For more information, see Monitoring SSL-encoded Traffic without Decryption [p. 46].

SSL-Related Configuration

1. Prepare the RSA private keys for servers that are to be monitored.
   Apply the private keys in PEM format to the AMD in order to decrypt secure sessions. For more information, see Configuring and Using RSA Private Keys [p. 11] and Extracting Web Server Private SSL Keys [p. 79].

2. Select the mode of RSA key management on the AMD.
   For more information, see Management of RSA Private Keys on AMD [p. 12].

3. Install and configure a hardware SSL accelerator, if a hardware accelerator is to be used.
   In most deployments, hardware SSL accelerators are used because of performance reasons. However, there is an option to use a software alternative, OpenSSL. Depending on your SSL acceleration approach, refer to the topic appropriate for your hardware accelerator or use OpenSSL, the default cost-free SSL acceleration mode on the AMD.

4. Optional: Migrate from OpenSSL to an SSL hardware accelerator.
   While OpenSSL is a cost-free solution to SSL decryption, it may not be sufficient in terms of performance. When your secure traffic stream overwhelms the AMD's software capabilities, consider deploying hardware SSL accelerators. For more information, see Migrating from OpenSSL to Using SSL Hardware Accelerator [p. 45].

Monitoring Configuration

5. Set up software service monitoring.
   Monitoring SSL traffic requires that you select an appropriate analyzer while defining a software service. For example, if you want to monitor an HTTPS (secure HTTP) software service, and you comply with the previous configuration steps, select the “SSL Decrypted” analyzer for such a service.
   Apart from selecting the analyzer for your software service, you can also configure more advanced features of HTTP analysis, such as user recognition, URL parameter parsing, and so on. Refer to the Data Center Real User Monitoring Web Application Monitoring User Guide.
   HTTPS, while the most dominant protocol when considering SSL monitoring, is not the only protocol that can be encrypted with SSL. For more information, see Protocols Supported by CAS in the Data Center Real User Monitoring Administration Guide and Protocols Supported by ADS in the Data Center Real User Monitoring Administration Guide.

What to Do Next

In case of issues observed during monitoring of SSL traffic, consult the SSL-related FAQ to diagnose your problems before you contact Customer Support. For more information, see Troubleshooting SSL Monitoring Issues [p. 57] and SSL-Related rcon Commands [p. 67].

CHAPTER 2
Configuring SSL Monitoring on the AMD

Configuring SSL monitoring with decryption requires you to extract and apply the RSA private keys and install and configure the SSL hardware accelerator cards.

Configuring and Using RSA Private Keys

To process SSL decryption, an AMD needs to use RSA private keys for each monitored server. The keys need to be extracted from the monitored servers and can then be used either as PEM files or be stored on the accelerator card. Key extraction is described in Extracting Web Server Private SSL Keys [p. 79].

NOTE
• In the case of keys generated with OpenSSL, the keys are already in PEM format. If keys come from a Microsoft IIS or Netscape Web server, they are usually stored in hardware accelerators and must be exported to PEM format.
• A key can be encrypted with a password. For more information, see Using KPA to Make Keys Available to the AMD Process [p. 45].

SSL decryption can be performed either in the AMD software using OpenSSL or in a hardware SSL accelerator.
• If SSL decryption is performed in the AMD software, the AMD reads RSA private keys from PEM-encoded disk files during startup.
• If SSL decryption is performed in a hardware SSL accelerator, the keys may need to be stored in the accelerator card first: after extracting the keys from their servers as PEM-encoded disk files and writing them to the accelerator, the PEM files should be deleted for security reasons.

The commands used for managing—listing, organizing, and storing—keys on an accelerator card are specific to the card and are described in topics dedicated to individual cards:

    Installing and Configuring NITROX XL FIPS Acceleration Board [p. 20]
    Installing and Configuring an nCipher SSL Card on a 32-bit AMD [p. 26]
    Installing and Configuring an nCipher SSL Card on a 64-bit AMD [p. 31]
    Installing and Configuring Sun Crypto Accelerator 6000 PCIe Card [p. 36]

Management of RSA Private Keys on AMD

The AMD supports two mutually exclusive modes of using RSA private keys.

• A list of the private keys that are to be used for encryption can be contained in a text file on the AMD, with each entry containing a reference to a PEM-encoded file or a key stored on the accelerator card.
• The AMD can extract all keys from the accelerator card and use those for a pool of available keys.

These two mutually exclusive modes of operation are governed by the following configuration properties in the rtm.config configuration file:

server.key.dir
    The directory in which to store PEM-encoded key files (by default, this is /usr/adlex/config/keys).

server.key.list
    The file in the above directory that describes what keys are to be used for the monitored servers. The default name of the file is keylist.
    Note that the file lists keys to be used, but does not provide a mapping of servers to keys. This is because the AMD is able to match keys to SSL sessions automatically. The advantage of this approach (of not mapping a specific IP address of the server to the private key) is that servers residing behind load balancers can also be monitored, even though the same IP address is then apparently using a number of different SSL private keys.

ssl.import.all.keys.from.token
    Mode selector:
    • Setting this configuration property to true overrides the settings specified in server.key.list and makes the AMD read the keys from the accelerator card. This is supported only for ssl.engine settings of nitroxfips, sca6000, or ncipher_pkcs11. For more information on setting ssl.engine, see Selecting and Configuring SSL Engine [p. 18].
    • Setting this property to false enables key resolution based on the information provided by the server.key.dir and server.key.list configuration properties.

The file listing the keys, as specified in server.key.list, is a plain-text file with each line describing a single key and being composed of the following fields. Note that the square brackets (“[ ]”) imply that the given item is optional and that the brackets themselves should not be included in the actual entry. Note also that this file may also be used by other protocols, so entries of other types may also appear there.

    key_type, [app_name:]key_identifier[, comment]

where:

• key_type specifies whether the private key is contained in a PEM-encoded file or in a hardware accelerator token:

    file
        key_type value file means that the private key is stored in a PEM-encoded file (possibly encrypted).
    token
        key_type value token means that the private key is stored in a hardware accelerator.

• app_name is the application name within the nCipher context. The value of this parameter depends on, among other things, the method used for writing the key to the card. For example, if the following method is used:

    ./generatekey --import simple pemreadfile=/usr/adlex/config/keys/s1.key protect=module ident=s1

  the application name is “simple” and the syntax of the entries in the list is:

    token, simple:key_identifier[, comment]

  To determine the value you need to enter for each key on the card, use the rocs command provided with your nCipher card. For example:

    # cd /opt/nfast/bin
    # ./rocs
    `rocs' key recovery tool
    Useful commands: `help', `help intro', `quit'.
    rocs> list keys
    No. Name App    Protected by
    1   k1   simple module
    rocs> exit

  For other accelerator cards, leave this field empty and do not include the colon in the syntax.

• key_identifier identifies the key:
    ◦ For keys stored in files, it is the name of the PEM-encoded file that contains an RSA private key.
    ◦ For keys stored on the accelerator card, it is the key identifier as given by the utilities that list keys.
  Note that some engines distinguish between key identifiers and key labels. Both of these identification methods can be used in the keylist file. However, you may need to specify the type of identification used, by setting the searchKeyBy parameter of the ssl.engine.param property to id or label, as appropriate. See Selecting and Configuring SSL Engine [p. 18] for more information on configuring this option.
  For nCipher SSL cards, the identifier is an 8-digit hexadecimal value. For a NITROX XL FIPS Acceleration Board, the length of the identifier can vary.

• The comment part in square brackets “[ ]” is an optional comment describing the entry in the line.

Table 1. RSA Key Handling Methods

The following table lists the possible RSA key handling methods for the supported SSL engines.
SSL Engine | Entry of Type “file” in keylist | Entry of Type “token” in keylist | Can Import All Keys from Token
openssl YES
nfast YES
nshield YES YES
ncipher_pkcs11 YES YES
nitrox YES YES
sca6000 YES YES

Example 1. Sample Entries with RSA Private Keys

    token,0A0412DC,key for 10.1.1.12 stored in hardware
    file,server1.pem,key for 10.1.1.36 on port 443
    file,server2.pem,key for 10.1.1.36 on port 444
    file,server2.pem,key for 10.1.1.36 on port 445

If the AMD is connected to a Central Analysis Server installation, then, for SSL decryption to be used for selected servers, add the service definitions for these servers using the report server graphical user interface, Monitoring Configuration. Add an application named, for example, “SSL decoded” and specify that the SSL (with decryption) analyzer is to be used for that application.

Using a List File to Specify RSA Private Keys

Create a text file containing the list of the private keys that are to be used for encryption on the AMD, with each entry containing a reference to a PEM-encoded file or a key stored on the accelerator card.

Before You Begin

For the purpose of this procedure, it is assumed that you are using OpenSSL and have the required PEM-encoded keys ready. Key extraction is described in Extracting Web Server Private SSL Keys [p. 79].

To use a list file to specify RSA private keys:

1. Ensure that the AMD is configured to use keys listed in the list file.
   Edit the rtm.config configuration file and make sure that the ssl.import.all.keys.from.token configuration property is set to false:

    ssl.import.all.keys.from.token=false

2. Optional: Specify the directory to store the list file and the PEM-encoded key files.
   This directory is, by default, /usr/adlex/config/keys. You do not need to modify this setting unless you want to store the files in a different location.
   To change the configuration, edit the rtm.config configuration file and modify the server.key.dir configuration property. The following example line shows the default setting:

    server.key.dir=/usr/adlex/config/keys

3. Optional: Specify the name of the list file.
   The default name of the file listing the keys is keylist. You do not need to modify this setting unless you want to use a different file name.
   To change the configuration, edit the rtm.config configuration file and modify the server.key.list configuration property. The following example line shows the default setting:

    server.key.list=keylist

   Note that the file lists the keys to be used, but does not provide a mapping of servers to keys. This is because the AMD is able to match keys to SSL sessions automatically. The advantage of this approach—of not mapping a specific IP address of the server to the private key—is that servers residing behind load balancers can also be monitored, even though the same IP address is then apparently using a number of different SSL private keys.

4. Optional: Copy all PEM-encoded key files to the correct directory.
   All the PEM-encoded key files—if any are to be used—should be copied to the directory specified in the server.key.dir configuration property.

   Example 2. Copying RSA Key Files

   Copying an individual file:

    # cp key1.pem /usr/adlex/config/keys/

   or all the *.pem files in the current working directory:

    # cp *.pem /usr/adlex/config/keys/

5. Optional: Write keys to the accelerator card.
   If an accelerator card is to be used, you may need to write the keys to the card before they can be used for encryption. Keys written to the card are referred to as “tokens”. Using tokens is more secure and therefore is recommended if the accelerator card supports this option. For more information, see Management of RSA Private Keys on AMD [p. 12].
The commands used for managing – listing, organizing, and storing – keys on an accelerator card are specific to the card and are described in topics dedicated to individual cards: Installing and Configuring NITROX XL FIPS Acceleration Board [p. 20], Installing and Configuring an nCipher SSL Card on a 32-bit AMD [p. 26] Installing and Configuring an nCipher SSL Card on a 64-bit AMD [p. 31] Installing and Configuring Sun Crypto Accelerator 6000 PCIe Card [p. 36] 6. Optional: For nCipher cards on a 32-bit platform only, determine the values of the key application names. Data Center Real User Monitoring SSL Monitoring Administration Guide 15 Chapter 2 ∙ Configuring SSL Monitoring on the AMD These parameters are used only for nCipher keys on 32-bit platforms. To determine the value of the nCipher application name, use the rocs command provided with your nCipher card. For example: # cd /opt/nfast/bin # ./rocs `rocs' key recovery tool Useful commands: `help', `help intro', `quit'. rocs> list keys No. Name App Protected by 1 k1 simple module rocs> exit In the above example, the name of the application is “simple”. 7. Optional: Specify the type of identification to be used as id or label. For engine values of ncipher_pkcs11 and sca6000, the searchKeyBy parameter of the ssl.engine.param property can be set to id or label with the following default values for the respective engines: ncipher_pkcs11 Default key identification is by label. sca6000 Default key identification is by key identifier. Example 3. Specify the Type of Identification to be Used ssl.engine.param=searchKeyBy:id 8. Determine the values of the key identifiers for keys stored on the accelerator card. For keys stored in files, it is the name of the PEM-encoded file that contains an RSA private key. For keys stored on the accelerator card, it is the key identifier as given by the utilities that list keys. For the appropriate engines, distinguish between key identifiers and key labels as specified in Step 7 [p. 
16]. For CryptoSwift and nCipher SSL cards, the identifier is an 8-digit hexadecimal value. For a NITROX XL FIPS Acceleration Board, the length of the identifier can vary. The commands used for managing – listing, organizing, and storing – keys on an accelerator card, are specific to the card and are described in topics dedicated to individual cards: Installing and Configuring NITROX XL FIPS Acceleration Board [p. 20], Installing and Configuring an nCipher SSL Card on a 32-bit AMD [p. 26] Installing and Configuring an nCipher SSL Card on a 64-bit AMD [p. 31] Installing and Configuring Sun Crypto Accelerator 6000 PCIe Card [p. 36] 9. Create the list file. Use a text editor to create and edit the list file as a plain text file. The file should be located in the directory specified in the server.key.dir configuration property and named as specified in the server.key.list configuration property. 16 Data Center Real User Monitoring SSL Monitoring Administration Guide Chapter 2 ∙ Configuring SSL Monitoring on the AMD Each line should describe a single key and be composed of the following fields. Note that the square brackets (“[ ]”) imply that the given item is optional, and the brackets themselves should not be included in the actual entry. key_type, [app_name:]key_identifier[, comment] where: • key_type specifies whether the private key is contained in a PEM-encoded file or in a hardware accelerator token: file key_type value file means that the private key is stored in a PEM-encoded file (possibly encrypted). token key_type value token means that the private key is stored in a hardware accelerator. • app_name is the application name within the nCipher context. NOTE Specify this field only for nCipher cards, as explained in Step 6 [p. 15], and only in the case of files stored on the accelerator card. For other accelerator cards, or for files stored in PEM-encoded files, leave this field empty and do not include the colon in the syntax. 
   • key_identifier identifies the key:
     ◦ For keys stored in files, it is the name of the PEM-encoded file that contains an RSA private key.
     ◦ For keys stored on the accelerator card, it is the key identifier as given by the utilities that list keys.
   The comment part is optional.

   Example 4. Sample Entries Listing RSA Private Keys

       token,0A0412DC,key for 10.1.1.12 stored in hardware
       file,server1.pem,key for 10.1.1.36 on port 443
       file,server2.pem,key for 10.1.1.36 on port 444
       file,server2.pem,key for 10.1.1.36 on port 445

10. Optional: Delete PEM files after keys have been loaded into the accelerator.
   After the keys have been loaded into the accelerator, it is advised, for security reasons, that the PEM files be deleted. You can securely delete the source files by means of the shred command. This is a Linux command that allows secure deletion, so that the information stored in the deleted file is not simply un-referenced by the file system but is actually overwritten. This makes it impossible for any disk recovery tool to re-create the deleted file. Note that shred relies on the file system overwriting data in place, so on journaling or copy-on-write file systems, or where snapshots or backups of the file exist, copies of the key may survive. Use the -fuz options to the shred command to hide the shredding operation by overwriting the file with 0s and to actually delete the file name from the directory listing while overriding any read protection. For example:

       [root@amd-35 keys]# shred -fuz my.pem

   CAUTION Secure deletion is not a necessary step. This is a security measure that you can follow if you do not want the un-encrypted file to remain on the system. Remember that this command removes the file without any means of recovering the removed information.

11. Optional: If using OpenSSL and the kpadmin utility, re-start the kpa daemon and re-run the kpadmin.
   After updating the keylist file you need to re-start the kpa daemon and re-run the kpadmin utility. For more information, see Using KPA to Make Keys Available to the AMD Process [p. 45].
12. Apply the configuration changes.
   When the configuration is changed, apply the changes to the AMD. To do so, log on to the AMD as user root and execute the following commands:

       # ndstop
       # ndstart

   This restarts the AMD and applies the configuration changes.

What to Do Next

If the AMD is connected to a Central Analysis Server installation, then, for SSL decryption to be used for selected servers, add software service definitions for these servers using RUM Console. Add a software service (named, for example, “SSL decoded”) and specify that the SSL (with decryption) analyzer is to be used for that definition.

SSL Hardware Accelerator Cards

If the SSL card has been installed in the AMD during the manufacturing process, the software is also installed and it detects the card without the need for additional configuration. If, however, the AMD is upgraded and a new SSL accelerator card is added, you must install and configure the device driver.
For the list of supported hardware accelerator cards see Tested Cards in the Data Center Real User Monitoring Hardware Recommendations.

Selecting and Configuring SSL Engine

To configure SSL monitoring, you must select the SSL engine to be used, which defines the type of accelerator card used or refers to software decryption.

Selecting Engine Type

The type of the accelerator card is set in the configuration file rtm.config, in the configuration property named ssl.engine.
The value to use depends on the accelerator card:

    openssl (for OpenSSL)
    nshield (for nShield 32-bit platform)
    nfast (for nFast 32-bit platform)
    ncipher_pkcs11 (for nShield 64-bit platform)
    nitroxfips (for NITROX)
    sca6000 (for Sun Crypto Accelerator 6000 – supported but not recommended)

Example usage:

    ssl.engine=nitroxfips

Specifying the Number of Dedicated Threads

For the SSL cards that operate in synchronous mode, AMD spawns dedicated threads to wait for SSL operations on the accelerator. You can increase the number of threads to be executed for the given SSL engine by setting the ssl.engine.param=threads:number configuration property in the rtm.config file. Specifying more than one thread may improve performance, depending on the performance capacity of the card.
The SSL engines for which this setting is supported are:

    openssl
    ncipher_pkcs11
    sca6000

Specifying the Key Search Criteria for the SSL Engine

The following engines distinguish between key identifiers and key labels. Both of these identification methods can be used to identify the keys in the keylist file. However, you may need to specify the type of identification to be used by editing the rtm.config file and setting the searchKeyBy parameter of the ssl.engine.param property to id or label, as appropriate.

    ncipher_pkcs11
        Default key identification is by label.
    sca6000
        Default key identification is by key identifier.

Example usage:

    ssl.engine.param=searchKeyBy:id

Applying the Configuration Changes

When the SSL engine type is chosen and other configuration changed according to your SSL accelerator, apply the changes to the AMD. To do so, log on to the AMD as user root and execute the following commands:

    # ndstop
    # ndstart

This restarts the AMD and applies all of the configuration changes.
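A consistency check that can be run over the contents of rtm.config and the keylist file before the restart, covering the keylist entry syntax from Step 9 and the engine settings described above. This is an added example, not part of the product or of the original guide; the function names, the sample file contents, the treatment of lines starting with # as comments, and the assumption that each parameter has its own ssl.engine.param line are illustrative.

```python
import re

# Engine names and per-engine capabilities as listed in this guide.
ENGINES = {"openssl", "nshield", "nfast", "ncipher_pkcs11", "nitroxfips", "sca6000"}
THREAD_ENGINES = {"openssl", "ncipher_pkcs11", "sca6000"}
SEARCH_DEFAULT = {"ncipher_pkcs11": "label", "sca6000": "id"}
HEX_ID = re.compile(r"(0x)?[0-9A-Fa-f]+")


def parse_rtm_config(text):
    """Return (engine, params) read from rtm.config text.

    Assumptions: '#' starts a comment line, and each parameter is given on
    its own 'ssl.engine.param=name:value' line.
    """
    engine, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "ssl.engine":
            engine = value
        elif key == "ssl.engine.param":
            name, _, val = value.partition(":")
            params[name.strip()] = val.strip()
    return engine, params


def effective_search_key(engine, params):
    """Key identification mode in force: explicit setting, else engine default."""
    if engine not in SEARCH_DEFAULT:
        return None  # engine does not distinguish identifiers from labels
    return params.get("searchKeyBy", SEARCH_DEFAULT[engine])


def lint_engine(engine, params):
    out = []
    if engine not in ENGINES:
        out.append(("error", "rtm.config", f"ssl.engine={engine!r} is not a listed engine"))
    for name, val in params.items():
        if name == "threads":
            if engine not in THREAD_ENGINES:
                out.append(("error", "rtm.config", f"threads is not supported for {engine}"))
            elif not re.fullmatch(r"[1-9][0-9]*", val):
                out.append(("error", "rtm.config", f"threads:{val} is not a positive number"))
        elif name == "searchKeyBy":
            if engine not in SEARCH_DEFAULT:
                out.append(("error", "rtm.config", f"searchKeyBy is not used by {engine}"))
            elif val not in ("id", "label"):
                out.append(("error", "rtm.config", f"searchKeyBy:{val} must be id or label"))
        else:
            out.append(("warning", "rtm.config", f"parameter {name!r} is not covered here"))
    return out


def lint_keylist(engine, text):
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        where = f"keylist:{n}"
        # key_type, [app_name:]key_identifier[, comment]; the comment may hold commas
        fields = [f.strip() for f in line.split(",", 2)]
        if len(fields) < 2 or not fields[1]:
            out.append(("error", where, "expected key_type, [app_name:]key_identifier"))
            continue
        key_type, ident = fields[0], fields[1]
        if key_type not in ("file", "token"):
            out.append(("error", where, f"key_type {key_type!r} must be file or token"))
            continue
        app_name, colon, rest = ident.partition(":")
        if colon:
            ident = rest
            # app_name applies only to keys held on an nCipher card on a 32-bit AMD
            if key_type != "token" or engine != "nshield":
                out.append(("error", where, f"app_name {app_name!r} needs a token key and ssl.engine=nshield"))
        if key_type == "token":
            if engine == "openssl":
                out.append(("warning", where, "token key listed but ssl.engine=openssl"))
            elif engine == "nfast":
                out.append(("error", where, "nFast cannot store keys on the card; use file"))
            elif engine == "nitroxfips" and not HEX_ID.fullmatch(ident):
                out.append(("error", where, f"NITROX key ID {ident!r} is not hexadecimal"))
    return out


def lint(rtm_config_text, keylist_text):
    """Return a list of (severity, location, message) findings for both files."""
    engine, params = parse_rtm_config(rtm_config_text)
    return lint_engine(engine, params) + lint_keylist(engine, keylist_text)


# Constructed sample input (not taken from a real AMD).
SAMPLE_RTM = "ssl.engine=nitroxfips\nssl.engine.param=threads:4\n"
SAMPLE_KEYLIST = (
    "token,0x8,key for 10.1.1.12 stored in hardware\n"
    "file,server1.pem,key for 10.1.1.36 on port 443\n"
    "token,simple:s1,entry copied from an nShield keylist\n"
    "hardware,0A0412DC\n"
)

if __name__ == "__main__":
    for severity, where, message in lint(SAMPLE_RTM, SAMPLE_KEYLIST):
        print(f"{severity:7} {where:11} {message}")
```

On the constructed sample it reports the threads parameter on an engine that does not support it, an nCipher-style app_name entry under the NITROX engine, and an unknown key_type.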
You can also verify that the changes are applied correctly by using the SHOW SSLDECR STATUS command. For more information, see SHOW SSLDECR STATUS [p. 76] and SSL-Related rcon Commands [p. 67].

Installing and Configuring NITROX XL FIPS Acceleration Board

If a new NITROX XL FIPS Acceleration Board has been added to your AMD (inserted into a free PCI slot), you need to install the appropriate software. See Upgrading the AMD Software in the Data Center Real User Monitoring Agentless Monitoring Device Installation Guide for information about upgrading the AMD.
In addition to ensuring that the driver software is installed on the AMD, the accelerator card has to be initialized by creating superuser and user accounts, each with a password, as explained below. The configuration is performed using the nitrox-setup command line utility.

NOTE
• NITROX XL FIPS Acceleration Board is referred to as “Cavium NITROX XL CN1120-NFB Hardware Security Module” or just “HSM” in the configuration utility user interface, as described below. All of these names refer to the same entity.
• FIPS mode 140-2 Level 3 is referred to as “FIPS mode: on” in the configuration utility user interface.
• FIPS mode 140-2 Level 2 is referred to as “FIPS mode: off” in the configuration utility user interface.

Supported NITROX XL FIPS Acceleration Board Security Levels

The NITROX XL FIPS Acceleration Board, model CN1120-350-NFB-1.1-G, can be configured to operate in the following security modes:
• FIPS 140-2 Level 3 high security mode, in which the board must be connected to a Pin Entry Device (PED).
• FIPS 140-2 Level 2 mode, also referred to as the non-FIPS mode, in which connection to a PED device is not required and all operations on the card are performed solely through the hosting computer, that is, through your AMD.

You can use either of these modes for NITROX XL FIPS Acceleration Boards installed in an AMD. Decide which mode to use, based on your specific security needs.
For further information about security levels, refer to the Cavium Networks NITROX documentation.

Invoking Acceleration Board Management Utility

The nitrox-setup utility, located in /opt/nitrox_fips/bin, is used to perform configuration and management operations on the hardware security module as well as to facilitate actual card operation. In addition to this software management utility, a Pin Entry Device (PED) might also be required to configure and operate the hardware security module, depending on the selected security level.
To invoke the hardware security module management utility, log in to the AMD and execute the command:

    /opt/nitrox_fips/bin/nitrox-setup

On startup, the utility displays a menu and information about the current hardware security module label and security level.

Example 5. NITROX Setup Menu and Configuration Information

    Agentless Monitoring
    Configuration and management of Cavium NITROX XL FIPS Hardware Security Module (HSM)
    HSM label: testLabel1, HSM FIPS mode: off, USER logged in: no
    1 - Display HSM status
    2 - Initialize HSM
    3 - Login as USER
    4 - Logout USER
    5 - Add RSA private key
    6 - Remove RSA private key
    7 - List RSA private keys
    X - Exit
    Select option and press [ENTER]:

The exact function of the menu items is as follows:

Display HSM Status
    Displays current status information, including serial number, firmware version, memory size, capabilities, and policies.
Initialize HSM
    Initializes the card. This includes defining the security level, specifying SO and USER passwords or configuring and initializing PED keys. It also involves deleting all of the RSA keys currently stored on the card.
Login as USER
    Logs into the card as USER.
Logout USER
    Logs USER out of the card.
Add RSA private key
    Imports an RSA private key to the hardware security module.
Remove RSA private key
    Deletes an RSA private key from the hardware security module.
List RSA private keys
    Lists RSA private keys stored on the hardware security module.
Exit
    Exits the hardware security module management utility.

Initializing the NITROX XL FIPS Acceleration Board

Before the card can be used, it has to be initialized. This includes defining the security level, specifying SO and USER passwords, or configuring and initializing the PED keys. It also involves deleting all of the keys currently stored on the card.
The actual operation of writing initialization information to the acceleration board or deletion of RSA key information is performed in the last step of the initialization dialog. It is therefore possible to abort the initialization process at any point before the final confirmation. Initializing the hardware security module card will result in the deletion of all currently stored key information. To abort initialization before the final confirmation, press [Ctrl-C] to exit the hardware security module management utility.

To initialize the NITROX XL FIPS accelerator:

1. Select the initialization option from the menu.
   To initialize the card, select the Initialize HSM option from the nitrox-setup menu.

2. Select the security level.
   You are prompted whether the hardware security module is to be initialized in the FIPS high security mode (mode 140-2 Level 3) requiring the use of a PED device. The selection depends on your particular security requirements. Answer “y” for Yes or “n” for No, as appropriate.
   If you select the FIPS high security mode, you are prompted to initialize the PED keys. Refer to Cavium Network PED documentation for information about how to use PED and PED keys. If you select the non-FIPS mode, FIPS mode 140-2 Level 2, you are prompted to type the new SO and USER passwords.

3. Provide a new acceleration board label.
   You are prompted for a new acceleration board label. This is an identification string written to the acceleration board.

4. Log in as the security officer (user SO).
   To proceed with further initialization steps, nitrox-setup attempts to log you onto the card as the security officer (user SO). Depending on the current security level (not the level you have just selected, but the currently active one), you will supply either the current SO password or the SO (blue) PED key with a PIN.
   The factory default setting is non-FIPS, FIPS mode 140-2 Level 2. The default password can be found in the card manufacturer's documentation or in the /opt/nitrox_fips/doc/Utils_README.txt file, in the section entitled Initializing the board.
   If the FIPS high security (140-2 Level 3) mode is used, all PED operations, including SO identification, are deferred until you confirm initialization (see the last step of this procedure).
   CAUTION Three consecutive unsuccessful entries of the SO password cause a hardware security module reset.

5. Provide new SO and USER passwords.
   As part of initialization, you are prompted to supply a new security identification for user SO and user USER. If you are using the non-FIPS mode (FIPS mode 140-2 Level 2), enter the new passwords for each of these users. In the FIPS high security mode 140-2 Level 3, use a PED device and the appropriate keys.

6. Confirm initialization.
   Finally, you are prompted to confirm all of the above settings. Confirming initialization at this stage causes the hardware security module to be initialized as specified. If there were any PED operations pending, such as SO authorization or initialization of PED keys, they are performed now. Refer to the PED manufacturer's documentation for information about initializing and using PED keys.
   Note that the security officer (SO) will be logged out automatically as part of the initialization step.
   CAUTION The initialization process must not be aborted after the above (final) confirmation, or the hardware security module may be left in an undefined state, particularly if PED keys are being used. To remedy this situation, the manufacturer of the card has provided the Cfm1Util utility. If the card falls into an indeterminate state, this tool can be used to reinitialize the card. The Cfm1Util utility is provided with the card software, and its usage syntax is described in the card's documentation.

Example 6. Initializing Hardware Security Module in non-FIPS mode (FIPS mode 140-2 Level 2)

    Agentless Monitoring
    Configuration and management of Cavium NITROX XL FIPS Hardware Security Module (HSM)
    HSM label: testLabel1, HSM FIPS mode: off, USER logged in: no
    1 - Display HSM status
    2 - Initialize HSM
    3 - Login as USER
    4 - Logout USER
    5 - Add RSA private key
    6 - Remove RSA private key
    7 - List RSA private keys
    X - Exit
    Select option and press [ENTER]: 2
    Initializing HSM...
    This step defines a new HSM label, security level and passwords and removes all RSA key information.
    Continue? (y or n): y
    Initialize HSM in FIPS mode (use of PIN Entry Device required)? (y or n): n
    Enter a new HSM label: testLabel1
    *****************************************************************************
    *** You need to enter the current HSM Security Officer (SO) password. ***
    *** WARNING: three consecutive unsuccessful entries will cause HSM reset! ***
    *****************************************************************************
    Enter current HSM SO password:
    Enter a new HSM SO password (8 to 12 characters):
    Retype HSM SO password:
    Enter a new HSM USER password (8 to 12 characters, must be different from SO password):
    Retype HSM USER password:
    *** WARNING: all key information will be deleted from HSM. ***
    Continue? (y or n): y
    Starting HSM initialization...
    Login successful.
    Initialization successful.
    Press [ENTER] to continue...

Logging In and Out of the NITROX XL FIPS Acceleration Board

The user USER must remain logged in for the AMD traffic monitoring software to be able to use the HSM card. Therefore, logging in is usually the first operation performed after the AMD is re-started.
Use the HSM management utility, nitrox-setup, to log in and out of the HSM card as USER. HSM management operations, such as listing keys or adding or removing keys, can only be performed if USER is logged in. Note that USER remains logged in after the nitrox-setup management utility exits, so you can exit the menu without causing USER to be logged out.
To log in or out of the card, select Login as USER or Logout USER from the nitrox-setup menu.
CAUTION For security reasons, ten consecutive unsuccessful login attempts disable the USER account.

RSA Key Management on NITROX XL FIPS

RSA key operations, including adding, deleting and listing stored keys, are performed using the nitrox-setup utility. Import the keys from unencrypted PEM files.
Note that AMD with the hardware security module supports 1024-bit or 2048-bit RSA keys, even though 4096-bit keys can be stored on the hardware security module. For this reason, it is good practice, before loading the keys, to check the size of the keys, using the command:

    openssl rsa -in keyfile.pem -text

Once keys are stored on the hardware security module, they are identified by hexadecimal numbers.

Importing a Key to the Acceleration Board

To import a new RSA key, select the Add RSA private key option from the nitrox-setup menu. Provide the appropriate PEM file name when prompted. If the specified file exists and contains a valid key, the key is imported with the default label PRV_KEY_IMPORT and a new key identifier is generated and displayed.

Example 7. Importing an RSA Private Key

    Agentless Monitoring
    Configuration and management of Cavium NITROX XL FIPS Hardware Security Module (HSM)
    HSM label: testLabel1, HSM FIPS mode: off, USER logged in: yes
    1 - Display HSM status
    2 - Initialize HSM
    3 - Login as USER
    4 - Logout USER
    5 - Add RSA private key
    6 - Remove RSA private key
    7 - List RSA private keys
    X - Exit
    Select option and press [ENTER]: 5
    Enter the name of the file containing the RSA private key in PEM format: /usr/testuser/ssl/key1.pem
    Importing RSA private key from /user/testuser/ssl/key1.pem (key size 1024 bits)...
    RSA key imported successfully, key ID = 0x8
    Press [ENTER] to continue...

Listing the Keys Currently Stored on NITROX XL FIPS Acceleration Board

To list the keys currently stored on the card, choose the List RSA private keys option from the menu. All currently stored private keys are listed. Each key is denoted by one line showing key identifier, label and size in bits. Note that when quoting the identifiers in the AMD configuration, you can use the identifier number with or without the leading 0x.

Example 8. Listing All RSA Keys

    Agentless Monitoring
    Configuration and management of Cavium NITROX XL FIPS Hardware Security Module (HSM)
    HSM label: testLabel1, HSM FIPS mode: off, USER logged in: yes
    1 - Display HSM status
    2 - Initialize HSM
    3 - Login as USER
    4 - Logout USER
    5 - Add RSA private key
    6 - Remove RSA private key
    7 - List RSA private keys
    X - Exit
    Select option and press [ENTER]: 7
    Installed keys:
    key: 0x8, label: PRV_KEY_IMPORT, size: 1024
    Command completed successfully
    Press [ENTER] to continue...

Deleting a Key from the Acceleration Board

To delete an RSA key from the hardware security module, select the Remove RSA private key option from the menu.

Example 9. Deleting an RSA Private Key

    Agentless Monitoring
    Configuration and management of Cavium NITROX XL FIPS Hardware Security Module (HSM)
    HSM label: testLabel1, HSM FIPS mode: off, USER logged in: yes
    1 - Display HSM status
    2 - Initialize HSM
    3 - Login as USER
    4 - Logout USER
    5 - Add RSA private key
    6 - Remove RSA private key
    7 - List RSA private keys
    X - Exit
    Select option and press [ENTER]: 6
    Enter hexadecimal ID (with optional 0x prefix) of the key to remove: 8
    Removing key 0x8.
    Command completed successfully
    Press [ENTER] to continue...

RoHS Directive Compliance

The RoHS Directive stands for “the restriction of the use of certain hazardous substances in electrical and electronic equipment”. The NITROX XL CN1120-350-NFB-1.1-G cards comply with the requirements of this directive, as opposed to the previous version of NITROX XL cards, marked with the symbol CN1120-NFB.

Installing and Configuring an nCipher SSL Card on a 32-bit AMD

You can install the nCipher nShield or nFast cards on a 32-bit AMD.

Before You Begin

• If a new nCipher accelerator card has been added to your AMD (inserted into a free PCI slot), you must install the appropriate software. See Upgrading the AMD Software in the Data Center Real User Monitoring Agentless Monitoring Device Installation Guide for information about upgrading your AMD.
  Execute the upgrade with the nCipher card already physically present in the machine. If the appropriate upgrade is executed, but without the physical card being present, and the card is added later, you will need to execute the /opt/nfast/sbin/install command as user root:

      NFAST_USER=root NFAST_GROUP=root /opt/nfast/sbin/install

• The nCipher nShield cards require that the computer on which they are installed has a security world installed on it, which is a collection of security files.
  The following procedure includes creating security world files for the nCipher card and initializing the card with the security world. If you have already created a suitable security world on another computer, you can copy the files to the AMD. You can also initialize the card on the other system before installing it in the AMD. For details about creating a security world and initializing an accelerator card with a given security world, refer to the nCipher documentation.

You must also add a dedicated boot parameter.

To configure a newly installed nCipher SSL accelerator:

1. Add a kernel boot parameter.
   Edit the /boot/grub/grub.conf file and append the pci=nommconf string to the end of each kernel line. For example:

       #boot=/dev/hda
       default=0
       timeout=5
       splashimage=(hd0,0)/grub/splash.xpm.gz
       hiddenmenu
       title Red Hat Enterprise Linux Client (2.6.18-92.el5PAE)
               root (hd0,0)
               kernel /boot/vmlinuz-2.6.18-53.el5 ro root=/dev/VolGroup00/LogVol00 pci=nommconf
               initrd /boot/initrd-2.6.18-53.el5.img

   Save the file and reboot the AMD.

2. Configure the security world and initialize the card (for nShield only).
   To copy the security world from another system, copy the host data directory, kmdata, from that system to the /opt/nfast directory on the AMD machine.
   To define a new security world, perform the following actions.
   NOTE To configure the card, change the settings of the M-O-I slider on the outside of the card to make the card go into pre-initialization mode or operational mode. However, the function of the slider may be overridden by an M-O-I override mechanism that is found on the card itself, in the form of two little (most likely yellow) switches. When they are in the On position, the M-O-I slider switch on the outside of the card is not functional and the card is locked in operational mode.
   The M-O-I override switches are intended to prevent switching the card into a different mode by accident. When you are configuring the card, the override switches must be in the Off position. More details about the override switches can be found in the nCipher Hardware Installation guide.

   a. Log in to the host computer as user root.
   b. Select pre-initialization mode.
      Set the module switch on the back panel of the card to the I position.
   c. Clear the module.

          /opt/nfast/bin/nopclearfail ca

   d. Create the security world.

          /opt/nfast/bin/new-world -m 1 -s 0 -Q 2/3 -k rijndael

      The above command creates a FIPS Level 2 compliant security world with OCS recovery and replacement enabled and a 2/3 ACS. The security world is protected by an AES key.
      NOTE If the new-world or nopclearfail utility returns an error, check that the mode switch on the back panel is fully in the correct position and then re-run the command. If the error is persistent, reboot the AMD device.
      The new-world utility prompts you to insert a smart card to be written as an Administrator Card.
   e. Insert a blank smart card and then press [Enter].
   f. Enter the pass phrase.
      When prompted by the new-world utility, type a pass phrase for the Administrator Card and then press [Enter].
   g. Confirm the pass phrase.
      When prompted by the new-world utility, confirm the pass phrase.
      The new-world utility displays a message confirming that the card has been written and prompts you to insert the next smart card.
   h. Continue the process until the required number of smart cards are written.
      After the required number of smart cards are written, the new-world utility displays a message saying that the security world has been generated.
   i. Select operational mode.
      Set the module switch on the back panel of the card to the O position.
   j. Clear the module.

          /opt/nfast/bin/nopclearfail ca

      For additional details about creating a security world and initializing an accelerator card with a given security world, refer to the nCipher documentation.
   k. Check the status of the security world.

          /opt/nfast/bin/nfkminfo

      The World and Module should show as Usable in the state field, as on the following example output:

          [root@vantageamd bin]# /opt/nfast/bin/nfkminfo
          World
           generation  2
           state       0x17270000 Initialized Usable Recovery !PINRecovery !ExistingClient RTC NVRAM FTO SEEDebug
           n_modules   1
           hknso       2f8bd0927068618e257a4560ff713840f741dd57
           hkm         86cb6d0125ae2e00b19e8ce2cfce55c7a7383ced (type Rijndael)
           hkmwk       1d572201be233ebc89f30fdd8f3fac6ca3395bf0
           hkre        ff96d3d69cc320ab6888cef38dfeac8e7875c2d4
           hkra        a228ebadeec32ce65bc47787dd85ce4d4b1e295b
           hkmc        ec303befbdae88b3d241fe8399fcccf7183f6741
           hkrtc       1ee7f656958c74f7ab435bbbd292859825939f69
           hknv        93a18da953d98850137dfe241c0b660ebde73417
           hkdsee      c40cd7127ebc544d162681db602a8b10cd2d8b9d
           hkfto       c0b65dfe6ce2ae268b3ba4683f2a282c1ce07ae3
           hkmnull     0100000000000000000000000000000000000000
           ex.client   none
           k-out-of-n  1/1
           other quora m=1 r=1 nv=1 rtc=1 dsee=1 fto=1
           createtime  2010-10-19 12:39:46
           nso timeout 10 min

          Module #1
           generation  2
           state       0x2 Usable
           flags       0x10000 ShareTarget
           n_slots     2
           esn         77C2-2D3A-808B
           hkml        b09f35252189ecf88857c3cb21b53d2276eb7382

          Module #1 Slot #0 IC 0

3. Add SSL private keys to the card (for nShield only).
   To add SSL private keys to an nShield accelerator card (to a card that is capable of storing SSL key information), use the generatekey command. For details about using this command, refer to the nCipher documentation.

   Example 10. Example of adding a new private key to an nCipher card

   a. Place the file containing the key (for example, s1.key) in /usr/adlex/config/keys
   b. Change directory to /opt/nfast/bin:

          cd /opt/nfast/bin

   c. Run the command to store the key on the card:

          ./generatekey --import simple pemreadfile=/usr/adlex/config/keys/s1.key protect=module ident=s1

      pemreadfile (entered as /usr/adlex/config/keys/s1.key in the above example) is the path to the SSL key you are importing.
      ident (entered as s1 in the above example) is the key identifier: it can be composed of any number of digits and lowercase letters; it cannot contain spaces, underscores (_), or hyphens (-).
      After executing the above command, you are presented with the following prompts that require input:

          Key type? (RSA, DES3, DES2) [RSA] >

      Input the type of key you are importing. Typically this is an RSA key, so type RSA, then press [Enter].

          Key name? [] >

      Enter a name for the key you are importing and press [Enter].

          Blob in NVRAM (needs ACS)? (yes/no) [no] >

      You are prompted to save the key blob in NVRAM. It is recommended that you answer no, then press [Enter]. This is for ease and simplicity of administration. Answering yes requires you to insert the Administrator smart card for this step and potentially any subsequent operation performed on this key.
      After answering all the above prompts correctly, the following message appears:

          Key successfully imported

4. List the keys stored on the card (for nShield only).
   To obtain a key identifier for the AMD configuration, you need to list the keys currently stored on the card and in the security world. Use the following utilities to obtain the information about available keys:
   • The list keys command from the command-line utility /opt/nfast/bin/rocs.

     Example 11. Example Output of the list keys Command

         rocs> list keys
         No. Name    App     Protected by
         1   s1name  simple  module
         2   s2name  simple  module

   • The nfkminfo command.

     Example 12. Example Output of the nfkminfo Command

         /opt/nfast/bin/nfkminfo -k
         Key list - 1 keys
          AppName simple Ident s1

5. Modify AMD configuration settings.
   a. Verify SSL engine setting
      If the AMD software has been upgraded correctly for the given nCipher card (see prerequisites above), the configuration file /usr/adlex/config/rtm.config contains the appropriate engine name: nshield or nfast. For example, for nShield it is:

          ssl.engine=nshield

      Verify that this entry has been set correctly.
   b. Append a new entry for your key in the /usr/adlex/config/keys/keylist file.
      Set the KEY_TYPE attribute as token for a hardware key stored on the accelerator card or file for keys stored in disk files. All of the above nCipher cards (nShield and nFast) can use keys of type file, but only nShield can store keys on the card.
      The KEY_IDENTIFIER should be specified as given by the utilities that list keys. See Step 4 [p. 29] for details.
      For more information, see Management of RSA Private Keys on AMD [p. 12].

6. Verify the installation.
   nCipher accelerator cards require the presence of two services: the nc_drivers service loads and unloads the nfp driver and the nc_hardserver service starts and stops the hardserver module. These services are installed as part of the upgrade procedure; see the prerequisites at the start of this topic.
   The installation process also schedules the services to be started automatically on system startup. You can use the ntsysv and chkconfig commands to verify that this has been configured correctly. If you need to stop or start the services manually, use the standard Linux service commands.
   For example, to start the services, run the commands:

       service nc_drivers start

   and

       service nc_hardserver start

   You can also use the following single command to complete both actions:

       /opt/nfast/sbin/init.d-ncipher start

   To confirm that the services are running, use the lsmod command to check if the module nfp has been correctly loaded and use the /opt/nfast/bin/chkserv or /opt/nfast/bin/enquiry command to confirm that the hardserver module has been executed. If the modules are not loaded, contact Customer Support.

   Example output from the lsmod command with the nfp module listed as loaded:

       Module        Size    Used by    Not tainted
       nfp           22880   2  (autoclean)
       e1000_rtm     209856  2
       audit         90840   2  (autoclean)
       tg3           68936   1
       floppy        57520   0  (autoclean)
       sg            37388   0  (autoclean)
       microcode     6912    0  (autoclean)
       keybdev       2944    0  (unused)
       mousedev      5688    0  (unused)
       hid           22532   0  (unused)
       input         6176    0  [keybdev mousedev hid]
       ehci-hcd      20776   0  (unused)
       usb-uhci      26796   0  (unused)
       usbcore       81152   1  [hid ehci-hcd usb-uhci]
       ext3          89896   2
       jbd           55092   2  [ext3]
       ips           45348   3
       sd_mod        14160   6
       scsi_mod      115496  3  [sg ips sd_mod]

   Example output from the chkserv command with the hardserver module loaded:

       nCipher server running

   Example output from the enquiry command with the hardserver module loaded:

       nServer:
        enquiry reply flags  none
        enquiry reply level  Six
        serial number....
        ...
       Module #1:
        enquiry reply flags  none
        enquiry reply level  Six
        serial number...
        ...

Installing and Configuring an nCipher SSL Card on a 64-bit AMD

For the nCipher SSL accelerator cards, currently only the nShield card is supported under 64-bit AMD.

Before You Begin

• If a new nCipher accelerator card has been added to your AMD (inserted into a free PCI slot), you must install the appropriate software.
See Upgrading the AMD Software in the Data Center Real User Monitoring Agentless Monitoring Device Installation Guide for information about upgrading your AMD. Execute the upgrade with the nCipher card already physically present in the machine. If the appropriate upgrade is executed, but without the physical card being present, and the card is added later, you will need to execute the /opt/nfast/sbin/install command as user root:

    NFAST_USER=root NFAST_GROUP=root /opt/nfast/sbin/install

• The nCipher nShield card requires that the computer on which it is installed has a security world, which is a collection of security files, installed on it. The following procedure includes creating security world files for the nCipher card and initializing the card with the security world. If you have already created a suitable security world on another computer, you can copy the files to the AMD. You can also initialize the card on the other system before installing it in the AMD. For details about creating a security world and initializing an accelerator card with a given security world, refer to the nCipher documentation.

You must also add a dedicated boot parameter.

To configure a newly installed nCipher SSL accelerator:

1. Add a kernel boot parameter.

Edit the /boot/grub/grub.conf file and append the pci=nommconf string to the end of each kernel line. For example:

    #boot=/dev/hda
    default=0
    timeout=5
    splashimage=(hd0,0)/grub/splash.xpm.gz
    hiddenmenu
    title Red Hat Enterprise Linux Client (2.6.18-92.el5PAE)
            root (hd0,0)
            kernel /boot/vmlinuz-2.6.18-53.el5 ro root=/dev/VolGroup00/LogVol00 pci=nommconf
            initrd /boot/initrd-2.6.18-53.el5.img

Save the file and reboot the AMD.

2. Configure the security world and initialize the card (for nShield only).
To copy the security world from another system, copy the host data directory, kmdata, from that system to the /opt/nfast directory on the AMD machine. To define a new security world, perform the following actions.

NOTE
To configure the card, change the settings of the M-O-I slider on the outside of the card to make the card go into pre-initialization mode or operational mode. However, the function of the slider may be overridden by an M-O-I override mechanism that is found on the card itself, in the form of two little (most likely yellow) switches. When they are in the On position, the M-O-I slider switch on the outside of the card is not functional and the card is locked in operational mode. The M-O-I override switches are intended to prevent switching the card into a different mode by accident. When you are configuring the card, the override switches must be in the Off position. More details about the override switches can be found in the nCipher Hardware Installation guide.

a. Log in to the host computer as user root.

b. Select pre-initialization mode.

Set the module switch on the back panel of the card to the I position.

c. Clear the module.

    /opt/nfast/bin/nopclearfail ca

d. Create the security world.

    /opt/nfast/bin/new-world -m 1 -s 0 -Q 2/3 -k rijndael

The above command creates a FIPS Level 2 compliant security world with OCS recovery and replacement enabled and a 2/3 ACS. The security world is protected by an AES key.

NOTE
If the new-world or nopclearfail utility returns an error, check that the mode switch on the back panel is fully in the correct position and then re-run the command. If the error is persistent, reboot the AMD device.

The new-world utility prompts you to insert a smart card to be written as an Administrator Card.

e. Insert a blank smart card and then press [Enter].

f. Enter the pass phrase.
When prompted by the new-world utility, type a pass phrase for the Administrator Card and then press [Enter].

g. Confirm the pass phrase.

When prompted by the new-world utility, confirm the pass phrase. The new-world utility displays a message confirming that the card has been written and prompts you to insert the next smart card.

h. Continue the process until the required number of smart cards are written.

After the required number of smart cards are written, the new-world utility displays a message saying that the security world has been generated.

i. Select operational mode.

Set the module switch on the back panel of the card to the O position.

j. Clear the module.

    /opt/nfast/bin/nopclearfail ca

For additional details about creating a security world and initializing an accelerator card with a given security world, refer to the nCipher documentation.

k. Check the status of the security world.

    /opt/nfast/bin/nfkminfo

The World and Module should show as Usable in the state field, as in the following example output:

    [root@vantageamd bin]# /opt/nfast/bin/nfkminfo
    World
     generation   2
     state        0x17270000 Initialized Usable Recovery !PINRecovery !ExistingClient RTC NVRAM FTO SEEDebug
     n_modules    1
     hknso        2f8bd0927068618e257a4560ff713840f741dd57
     hkm          86cb6d0125ae2e00b19e8ce2cfce55c7a7383ced (type Rijndael)
     hkmwk        1d572201be233ebc89f30fdd8f3fac6ca3395bf0
     hkre         ff96d3d69cc320ab6888cef38dfeac8e7875c2d4
     hkra         a228ebadeec32ce65bc47787dd85ce4d4b1e295b
     hkmc         ec303befbdae88b3d241fe8399fcccf7183f6741
     hkrtc        1ee7f656958c74f7ab435bbbd292859825939f69
     hknv         93a18da953d98850137dfe241c0b660ebde73417
     hkdsee       c40cd7127ebc544d162681db602a8b10cd2d8b9d
     hkfto        c0b65dfe6ce2ae268b3ba4683f2a282c1ce07ae3
     hkmnull      0100000000000000000000000000000000000000
     ex.client    none
     k-out-of-n   1/1
     other quora  m=1 r=1 nv=1 rtc=1 dsee=1 fto=1
     createtime   2010-10-19 12:39:46
     nso timeout  10 min

    Module #1
     generation   2
     state        0x2 Usable
     flags        0x10000 ShareTarget
     n_slots      2
     esn          77C2-2D3A-808B
     hkml         b09f35252189ecf88857c3cb21b53d2276eb7382

    Module #1 Slot #0 IC 0

3. Add SSL private keys to the card.

To add SSL private keys to an nShield accelerator card (to a card that is capable of storing SSL key information), use the generatekey command. For details on how to use this command, please refer to the nCipher documentation.

Example 13. Example of Adding a New Private Key to an nCipher Card

a. Place the file containing the key (for example, s1.key) in /usr/adlex/config/keys

b. Change directory to /opt/nfast/bin:

    cd /opt/nfast/bin

c. Run the command to store the key on the card:

    ./generatekey --import pkcs11 pemreadfile=/usr/adlex/config/keys/s1.key plainname=s1name ident=s1 protect=module type=RSA nvram=no

pemreadfile (entered as /usr/adlex/config/keys/s1.key in the above example) is the path to the SSL key you are importing. The value of plainname can then be used for the creation of a keylist file, if the search mechanism is set to label (searchKeyBy parameter set to label). It can be composed of any number of digits and lowercase letters; it cannot contain spaces, underscores (_), or hyphens (-).

The above command produces output of the following layout:

    key generation parameters:
     operation    Operation to perform         import
     application  Application                  pkcs11
     verify       Verify security of key       yes
     type         Key type                     RSA
     pemreadfile  PEM file containing RSA key  /usr/adlex/config/keys/s1.key
     ident        unknown parameter            s1
     plainname    Key name                     s1name
     nvram        Blob in NVRAM (needs ACS)    no
    Key successfully imported.
    Path to key: /opt/nfast/kmdata/local/key_pkcs11_uacce696c77c25cbb1fecbecef0adbac4bae54e63b

If you do not supply all of the necessary parameters to the above command, you are prompted for additional information. For example:

    Key type? (RSA, DES3, DES2) [RSA] >

Input the type of key you are importing. Most commonly this is an RSA key, so type RSA, then press [Enter].
    plainname key name? [] >

Enter a name for the key you are importing and press [Enter].

    Blob in NVRAM (needs ACS)? (yes/no) [no] >

You are asked whether to save the key blob in NVRAM. It is recommended that you answer no, then press [Enter]. This is for ease and simplicity of administration. Answering yes requires you to insert the Administrator smart card for this step and potentially any subsequent operation performed on this key.

After answering all the above prompts correctly, a message appears:

    Key successfully imported

4. List the keys stored on the card (for nShield only).

To obtain a key identifier for the AMD configuration, list the keys currently stored on the card and in the security world. Use the following utilities to obtain the information about available keys:

• The list keys command from the command-line utility /opt/nfast/bin/rocs.

Example 14. Example Output of the list keys Command

    rocs> list keys
    No.  Name    App     Protected by
    1    s1name  pkcs11  module
    2    s2name  pkcs11  module

• The pkcsmgr command.

Example 15. Example Output of the pkcsmgr Command

    # /usr/adlex/rtm/bin/pkcsmgr list
    Using PKCS11 engine: ncipher_pkcs11
    getting slotId from slotNum
    pkcsmgr slot #492971157, token (accelerator)
    listing keys
    type: CKO_PRIVATE_KEY/CKK_RSA, id: 2235e9df23d481260323868b77ce5bb134d97f1c, label: host2048-2, size: 256B
    type: CKO_PRIVATE_KEY/CKK_RSA, id: aa8458ed54ff9cf0a73a20aec4364aaaa32dea15, label: b02, size: 512B

5. Modify AMD configuration settings.

a. Verify the SSL engine setting.

If the AMD software has been upgraded correctly for the given nCipher card (see prerequisites above), the configuration file /usr/adlex/config/rtm.config contains the appropriate engine name:

    ssl.engine=ncipher_pkcs11

Verify that this entry has been set correctly.

b. Append a new entry for your key in the /usr/adlex/config/keys/keylist file.
If you have configured your AMD to use the keylist file to store the list of keys, append a new entry for your key to the file. The default full path to the file is /usr/adlex/config/keys/keylist.

In the keylist file, set the key_type attribute as token for a hardware key stored on the accelerator card. The key identifier value should be specified as given by the utilities that list keys. Note that the ncipher_pkcs11 engine distinguishes between key identifiers and key labels. Both of these identification methods can be used in the keylist file. However, you may need to specify the type of identification used by setting the searchKeyBy parameter of the ssl.engine.param property to id or label, as appropriate. For ncipher_pkcs11 the default is label.

See Management of RSA Private Keys on AMD [p. 12] for information on configuring the AMD to use the keylist file or token and for information on how to format entries in the keylist file. See Selecting and Configuring SSL Engine [p. 18] for information on configuring the ssl.engine.param property.

6. Verify the installation

Example output from the enquiry command; the hardserver module is loaded:

    nServer:
     enquiry reply flags   none
     enquiry reply level   Six
     serial number         ....
     ...
    Module #1:
     enquiry reply flags   none
     enquiry reply level   Six
     serial number         ...
     ...

Removing nCipher Security World

To remove the security world, follow one of the two recommended procedures, depending on whether you need to create a new security world afterwards.

If you need to remove a security world and replace it with a new one:

1. Delete the files in the directory to which the NFAST_KMDATA environment variable points.
2. Create a new security world.
3. Add all your modules to this world.

If you need to completely remove a security world, without replacing it with a new one:

1. Remove all the modules from the security world.
2.
Delete the files in the directory to which the NFAST_KMDATA environment variable points.

For additional information refer to nCipher documentation.

Installing and Configuring Sun Crypto Accelerator 6000 PCIe Card

If a new Sun Crypto Accelerator 6000 PCIe card has been added to your AMD (inserted into a free PCI slot), you must install the appropriate software. See Upgrading the AMD Software in the Data Center Real User Monitoring Agentless Monitoring Device Installation Guide for information about upgrading your AMD.

In addition to ensuring that the driver software is present on the AMD, the accelerator card has to be configured.

Initializing the Sun Crypto Accelerator 6000 PCIe Card

Before the Sun Crypto Accelerator 6000 PCIe card can be used, it has to be initialized. Refer to the card manufacturer's instructions for details. The initialization procedure is thoroughly described in the card's user guide.

The tool used to initialize the card is called scamgr. The command performs the following types of actions:

• Initializes the card for first time use
• Creates keystore
• Creates security officer (SO) account
• Creates ordinary user accounts

The initialization process is performed in the following order:

1. Upon first invocation, the scamgr utility recognizes the card and asks for initialization.
2. The card can be initialized with a newly created keystore or with an existing one.
3. Keystore name and FIPS mode is defined.
4. Security Officer (SO) name and password are set.
5. Having accepted user choice, the card then takes several seconds to perform the actual initialization.
6. SO is asked to log in.

After initialization, an ordinary user must be created. The user account is used to access keys and perform cryptographic operations.
Note that to reinitialize the card, it must first be cleaned or zeroed to remove all key and user information using the scamgr or scadiag tool. If this is not possible, and as a last resort, the card can be cleaned by replacing a hardware jumper on the card, as described in the card's user guide. Before moving the card to another system, it has to be zeroed on the system on which it was initialized.

NOTE
With this particular card, because of problems related to the card or card software, it may occasionally be necessary to reboot the system. Therefore, if any of the above actions fail, try restarting the system and then try the particular operation again.

Example Zeroing and Initialization

The following example shows how a card can be zeroed and then initialized and a security officer account created.

    cd /opt/sun/sca6000/sbin
    ./scadiag -z mca0
    cd /opt/sun/sca6000/bin
    [root@x3650 bin]# ./scamgr
    This board is uninitialized.
    You will now initialize the board. You may either
    initialize the board with a new configuration or restore
    the configuration from a device backup file.
    1. Initialize board with new configuration
    2. Initialize board from device backup file
    Your Choice (0 to exit) --> 1
    Run in FIPS 140-2 mode? (Y/Yes/N/No) [No]: y
    Initial Security Officer Name: so1
    Initial Security Officer Password:
    Confirm password:
    Board initialization parameters:
    ----------------------------------------------------------------
    Initial Security Officer Name: so1
    Run in FIPS 140-2 Mode: Yes
    ----------------------------------------------------------------
    Is this correct? (Y/Yes/N/No) [No]: y
    Initializing crypto accelerator board. This may take a few minutes...
    The board is ready to be administered.
    As part of the initialization process, a new remote access key
    has been generated. The key fingerprint is listed below. This
    should be the fingerprint presented by the board the next time
    you connect to it.
    Key Fingerprint: f6f9-404e-5742-637c-1674-8465-11ca-3d1d-d731-e17b
    Security Officer Login: so1
    Security Officer Password:
    scamgr{mca0@localhost, so1}> exit

Example Keystore Creation

The following example shows how a local keystore is created.

    [root@x3650 bin]# ./scamgr
    No keystore data returned by card
    Select Keystore:
    1. Create new keystore
    2. Load keystore from backup
    Selection (0 to exit)-> 1
    FIPS Keystore Name: key1
    Keystore type ([L]ocal/[C]entralized) [Local]:
    Initial Security Officer Name: so1
    Initial Security Officer Password:
    Confirm password:
    Keystore creation parameters:
    ----------------------------------------------------------------
    Keystore Name: key1
    Keystore Type: Local
    Initial Security Officer Name: so1
    Run in FIPS 140-2 Mode: Yes
    ----------------------------------------------------------------
    Is this correct? (Y/Yes/N/No) [No]: y
    Creating keystore...
    key1.600321.{bd50fe75} successfully created.

Example Creation of a User Account

The following example shows how a user is created and enabled.

    [root@x3650 bin]# ./scamgr
    Select Keystore:
    1. Create new keystore
    2. Load keystore from backup
    3. key1.600321.{bd50fe75} (local)
    Selection (0 to exit)-> 3
    Security Officer Login: so1
    Security Officer Password:
    scamgr{mca0@localhost, so1}> create user user1
    Enter new user password:
    Confirm password:
    User user1 created successfully.
    scamgr{mca0@localhost, so1}>
    scamgr{mca0@localhost, so1}> enable user
    User name: user1
    User user1 enabled.
    scamgr{mca0@localhost, so1}> exit

Sun Crypto Accelerator 6000 PCIe Card - Key and Card Management

Key management is performed using the pkcsmgr utility that accesses the card through the openCryptoki framework.

Invoking the pkcsmgr Utility

The pkcsmgr utility is located in /usr/adlex/rtm/bin/pkcsmgr.
You can invoke it from the operating system command line, either directly, by specifying the absolute path, or you can first modify your PATH environment variable to include the appropriate directory.

Syntax of the pkcsmgr Utility

Invoking the utility without any command line options and arguments, or with the -h option, displays the command syntax, explaining the available functionality, as shown below.

    [root@personal5 rtm-32bit]# ./bin/pkcsmgr -h
    Usage: pkcsmgr [-sSprwnNflvh] info|list|import|remove|login|logout|decrypt [command-options]
    Common options:
      -s slotid       use PKCS11 slot ID
      -S slotnum      use PKCS11 slot number
                      (Execute 'pkcsmgr info' for a list of slots and IDs)
      -p passwd       authenticate using 'passwd' password
      -r              open read-only session
      -w              open read-write session (default)
      -n              open public session, do not authenticate
      -N              open authenticated session (default)
      -f [long|hex]   present/accept key ID as hexadecimal value (default) or as hexadecimal string
      -l path         use specified PKCS11 library
      -v[v]           be more verbose
      -h              display this help message
    Commands:
      info            display slot and token information
      list            list all keys
      import          import key from PEM file
      remove          remove key
      decrypt         decrypt a file with given key
      login           login user
      logout          logout user

Note the following additional information:

• It is not necessary to log in to the card separately by specifying the login argument, in order to perform different operations. If you do not log in explicitly in such a way, you are prompted for a password every time you perform an operation.
• Providing the -p password option eliminates the password prompt later, but does not log you in to the card for the purpose of subsequent commands.
• You must log in to the card as a user before the card can be used by the AMD traffic monitoring software. See detailed explanation below.
• The -n option, to open a public session, is ignored if supplied together with the login command, since the latter opens a specific user session.
• The -n option, to open a public session, is used only for the software emulator and has no meaning for hardware accelerator cards.
• Run the decrypt command to verify a key (to use a private key to decrypt a file encrypted with a public key).

Each of the above command parameters, such as info, list, import and others, can accept additional options and arguments to perform the specified action. To display syntax for these specific commands, run the pkcsmgr utility and supply the given command, followed by the -h option, for example:

    pkcsmgr decrypt -h

Following is a list of the individual commands and their specific options:

    info [-lh]
      -l         long format
    list [-hlv]
      -l         use long format
      -v         display more details
    import -k file -I id
      -k file    PEM file to read key from
      -I ID      Hexadecimal ID of the key to create, specified with or without the leading 0x
    remove -I id
      -I ID      Hexadecimal ID of the key to remove, specified with or without the leading 0x
    decrypt -f file -I id
      -f file    file to decrypt
      -I ID      Hexadecimal ID of the key to use, specified with or without the leading 0x
    login        this command has no specific options
    logout       this command has no specific options

Logging In to the Card to Enable Traffic Monitoring

You must log in to the card as a user before the card can be used by the AMD traffic monitoring software. Also note that logging in to the card, before performing other user actions, enables you to execute those actions without being prompted for a password every time.

If you receive the system error message:

    error validating password

you must restart the AMD machine to be able to log in.

To log in to the card after machine restart, you have to stop the monitoring process first.
Then, having logged in to the card, you need to restart the monitoring. Monitoring can be stopped and restarted with the ndstop and ndstart commands, but stopping and starting the rtm service is recommended instead because it is less intrusive for the operation of the AMD.

After a system restart, perform the following actions:

• Stop the monitoring process by executing:

    /etc/init.d/rtm stop

• Run the pkcsmgr command to log in to the card:

    pkcsmgr login

• Start the monitoring process by executing:

    /etc/init.d/rtm start

Example 16. Example of Logging In to the Card

    [root]# cd /usr/adlex/rtm/bin
    [root]# ./pkcsmgr login
    pkcsmgr slot #0, token sca6000 (user1)
    Enter the USER PIN: *************
    login successful

NOTE
The USER PIN is entered in the following format: username:password

Example of Displaying Slot and Token Information

    [root]# cd /usr/adlex/rtm/bin
    [root]# ./pkcsmgr info -l
    pkcsmgr slot #0, token sca6000 (user1)
    listing slots
    slot: #0, type: hardware, model: sca6000, label: zso, login: yes
    slot: #1, type: software, model: IBM SoftTok, label: IBM OS PKCS#11, login: no
    found 2 slot(s)

Note the software token in slot #1: If you follow a standard installation procedure to configure your AMD and all its components, slot 0 is the actual hardware accelerator card, while a software token (emulator) is present in the logical slot 1.
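The slot listing above can be checked against the slot the AMD is configured to use, which is useful after a reboot when the login has to be repeated. The following shell functions are an added example, not part of the original guide or of the product: they parse pkcsmgr info -l output in the format shown above and report whether the slot named by ssl.engine.param=slotid:N in rtm.config is the hardware token with a user logged in. The function names and both sample texts are constructed for illustration.

```shell
#!/bin/sh
# Added example: is the slot the AMD is configured to use the hardware card,
# and is a user logged in to it?

# Constructed sample, modelled on the 'pkcsmgr info -l' output in this guide.
SAMPLE_INFO='pkcsmgr slot #0, token sca6000 (user1)
listing slots
slot: #0, type: hardware, model: sca6000, label: zso, login: yes
slot: #1, type: software, model: IBM SoftTok, label: IBM OS PKCS#11, login: no
found 2 slot(s)'

# Constructed rtm.config fragment carrying the slot property from this guide.
SAMPLE_CONFIG='# constructed rtm.config fragment
ssl.engine.param=slotid:0'

# Read rtm.config text on stdin, print the configured slot id (nothing if unset).
configured_slot() {
    sed -n 's/^ssl\.engine\.param=.*slotid:\([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Read 'pkcsmgr info -l' text on stdin, print "<slot> <login>" per hardware slot.
hardware_slots() {
    awk -F', ' '/^slot: #/ {
        slot = type = login = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^slot: #/) { slot = $i;  sub(/^slot: #/, "", slot) }
            if ($i ~ /^type: /)  { type = $i;  sub(/^type: /, "", type) }
            if ($i ~ /^login: /) { login = $i; sub(/^login: /, "", login) }
        }
        if (type == "hardware") print slot, login
    }'
}

# Usage: pkcsmgr info -l | card_ready <slotid>
# Returns 0: hardware slot with a logged-in user.
#         1: hardware slot, nobody logged in (stop rtm, pkcsmgr login, start rtm).
#         2: slot is missing or is the software emulator (check slotid).
card_ready() {
    want=$1
    state=$(hardware_slots | awk -v want="$want" '$1 == want { print $2 }')
    case $state in
        yes) return 0 ;;
        no)  return 1 ;;
        *)   return 2 ;;
    esac
}

# Demonstration on the constructed samples.
slot=$(printf '%s\n' "$SAMPLE_CONFIG" | configured_slot)
if printf '%s\n' "$SAMPLE_INFO" | card_ready "$slot"; then
    echo "slot $slot: hardware token, user logged in"
else
    echo "slot $slot: not ready (log in with pkcsmgr login, or correct slotid)"
fi
```

On a live AMD, replace the samples with the contents of /usr/adlex/config/rtm.config and the output of /usr/adlex/rtm/bin/pkcsmgr info -l.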
Example of Listing All of the Keys Currently on the Card

    [root]# cd /usr/adlex/rtm/bin
    [root]# ./pkcsmgr list -l
    pkcsmgr slot #0, token sca6000 (user1)
    listing keys
    type: CKO_PRIVATE_KEY/CKK_RSA, id: 0x1, label: s1, size: 128B
    found 1 key(s)

Example of Removing the Keys from the Card

    [root]# cd /usr/adlex/rtm/bin
    [root]# ./pkcsmgr remove -i 1
    pkcsmgr slot #0, token sca6000 (user1)
    removing key id 0x1
    key 0x1 removed

Example of Importing Keys from PEM Files

    [root]# cd /usr/adlex/rtm/bin
    [root]# ./pkcsmgr import -k /var/pld/config/keys/s1.key -i 1
    pkcsmgr slot #0, token sca6000 (user1)
    importing key
    key imported successfully

Example of Logging Out of the Card

    [root]# cd /usr/adlex/rtm/bin
    [root]# ./pkcsmgr logout
    pkcsmgr slot #0, token sca6000 (user1)
    logout successful

Additional Configuration Settings and Administration for Sun Crypto Accelerator 6000 PCIe Card

The following information is of particular relevance to Customer Support and should be used to diagnose problems with your installation of the accelerator card. There should be no need to manually restart the service or alter any of the following settings if your system is functioning normally.

Starting, Stopping, and Monitoring the Service

To operate the card, the sca service should be started, using /etc/init.d/sca. The script performs the following actions:

• loads sca modules,
• starts sca, scakiod, and scad services,
• configures the openCryptoki framework by invoking a customized version of the pkcs11_startup script,
• starts the openCryptoki pkcsslotd daemon.

Stopping the sca service stops daemons and unloads drivers.

The sca service has no dedicated status command. Therefore, to verify the status of the service, use the lsmod command.
This command should produce the following output:

    mcactl
    mca
    scaf

Also, use the ps -ax command, which should produce the following output:

    /opt/sun/sca6000/sbin/scakiod
    /opt/sun/sca6000/sbin/scad
    /usr/local/sbin/pkcsslotd

The file /proc/driver/mca0 should be present and contain the accelerator board status.

Additional Configuration Settings for Sun Crypto Accelerator 6000 PCIe Card

The Sun Crypto Accelerator 6000 PCIe card is visible to the AMD as a token in a certain logical slot. For more information on these concepts, refer to PKCS#11 or openCryptoki documentation.

The following configuration property, in the rtm.config configuration file, defines the slot ID number to be used by the traffic monitoring software. If you follow a standard installation procedure to configure your AMD and all its components, slot 0 is the actual hardware accelerator card, while a software token (emulator) is present in the logical slot 1. If the actual openCryptoki configuration is different on your particular AMD, you can use this configuration property to indicate the correct slot number to the AMD.

    ssl.engine.param=slotid:0

Reference Information for Sun Crypto Accelerator 6000 PCIe Card

PKCS 11

The board functionality is managed according to PKCS#11: Cryptoki (Cryptographic Token Interface) Standard. The board support software uses openCryptoki as a PKCS#11 implementation. Please refer to the following web resources for further information:

• PKCS#11: http://www.rsa.com/rsalabs/node.asp?id=2133
• openCryptoki: http://www.ibm.com/developerworks/library/s-pkcs/ and /usr/share/doc/openCryptoki-2.2.4/openCryptoki-HOWTO.pdf

Using lspci Command

To determine if the card is installed in the system, issue the lspci -v command. The output should appear as follows:

    0d:0e.0 Network and computing encryption device: Sun Microsystems Computer Corp. Unknown device 5ca0
            Flags: bus master, stepping, fast Back2Back, 66MHz, medium devsel, latency 64, IRQ 106
            Memory at f8000000 (64-bit, prefetchable) [size=1M]
            Memory at cc000000 (32-bit, non-prefetchable) [size=64M]
            Capabilities: [c0] Power Management version 2
            Capabilities: [d0] Message Signalled Interrupts: 64bit+ Queue=0/1 Enable
            Capabilities: [e0] PCI-X non-bridge device

Sun Crypto Accelerator 6000 PCIe Card Known Issues

There are a number of known issues with the Sun Crypto Accelerator 6000 PCIe Card and with the openCryptoki software. The following sections give a brief description of common problems and suggested workarounds. If the measures described below do not resolve a problem, contact Customer Support.

sca Service Hangs Up

The sca service can hang up occasionally when stopping or starting. There is no known remedy for this problem. Ensure all applications using the accelerator card are stopped and try to repeat the operation. If the sca service hangs up, try restarting the rtm process:

1. Stop the rtm service.

    service rtm stop

2. Restart the sca service.

For more information, see Starting, Stopping, and Monitoring the Service [p. 42].

3. Start the rtm service.

    service rtm start

Do not use the pkcsmgr and scamgr tools when restarting the sca service.

sca Service Fails to Stop

The sca service sometimes fails to stop. The sca service does not stop properly and does not unload drivers if it is in use at the time (for example, while AMD is running). Stop all programs using the sca service and then try to stop it again.

1. Stop the rtm service.

    service rtm stop

2. Restart the sca service.

For more information, see Starting, Stopping, and Monitoring the Service [p. 42].

3. Start the rtm service.

    service rtm start

Do not use the pkcsmgr and scamgr tools when restarting the sca service.
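Because the sca service has no status command, the state after a restart has to be pieced together from lsmod, ps -ax and the system log. The following shell functions are an added example, not part of the original guide or of the product: they compare lsmod and ps output with the modules and daemons this guide lists as expected, and pick out the ipcrm key from the pkcsslotd shared memory error described under Slot Manager Cannot Create Shared Memory. The function names and all three sample texts are constructed for illustration.

```shell
#!/bin/sh
# Added example: post-restart check of the sca stack, using the expected
# modules and daemons listed in this guide.
REQUIRED_MODULES="mcactl mca scaf"
REQUIRED_DAEMONS="/opt/sun/sca6000/sbin/scakiod /opt/sun/sca6000/sbin/scad /usr/local/sbin/pkcsslotd"

# Constructed samples (not captured from a real AMD): drivers are loaded, but
# pkcsslotd did not start because a stale shared memory segment is present.
SAMPLE_LSMOD='Module                  Size  Used by
mcactl                 10240  0
mca                   180224  1 mcactl
scaf                   40960  1 mca
e1000_rtm             209856  2'
SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
 6301 ?        Ss     0:00 /opt/sun/sca6000/sbin/scakiod
 6310 ?        Ss     0:00 /opt/sun/sca6000/sbin/scad
 6402 ?        Ss     0:00 /usr/sbin/crond'
SAMPLE_LOG='ERROR pkcsslotd-log.o[6386.-1208592704]: Shared memory creation failed (0x11)
ERROR pkcsslotd-log.o[6386.-1208592704]: perform ipcrm -M 0x620131DA'

# lsmod text on stdin: print each required module that is not loaded.
missing_modules() {
    awk -v need="$REQUIRED_MODULES" '
        $1 != "Module" { loaded[$1] = 1 }
        END {
            n = split(need, m, " ")
            for (i = 1; i <= n; i++) if (!(m[i] in loaded)) print m[i]
        }'
}

# ps -ax text on stdin: print each required daemon path that is not running.
# Whole fields are compared, so scad is never satisfied by scakiod.
missing_daemons() {
    awk -v need="$REQUIRED_DAEMONS" '
        { for (i = 1; i <= NF; i++) seen[$i] = 1 }
        END {
            n = split(need, d, " ")
            for (i = 1; i <= n; i++) if (!(d[i] in seen)) print d[i]
        }'
}

# Log text on stdin: print the key from the most recent pkcsslotd ipcrm hint.
stale_shm_key() {
    sed -n 's/.*pkcsslotd.*perform ipcrm -M \(0x[0-9A-Fa-f][0-9A-Fa-f]*\).*/\1/p' | tail -n 1
}

# Usage: sca_report "<lsmod text>" "<ps text>" "<log text>"
# Prints one line per finding; returns 0 when nothing is wrong, 1 otherwise.
sca_report() {
    rc=0
    for m in $(printf '%s\n' "$1" | missing_modules); do
        echo "module not loaded: $m"; rc=1
    done
    for d in $(printf '%s\n' "$2" | missing_daemons); do
        echo "daemon not running: $d"; rc=1
    done
    key=$(printf '%s\n' "$3" | stale_shm_key)
    if [ -n "$key" ]; then
        echo "pkcsslotd left a shared memory segment; the log suggests: ipcrm -M $key"
        rc=1
    fi
    return $rc
}

# Demonstration on the constructed samples.
sca_report "$SAMPLE_LSMOD" "$SAMPLE_PS" "$SAMPLE_LOG" || echo "sca stack needs attention"
```

On a live AMD, pass the output of lsmod and ps -ax and the pkcsslotd lines from /var/log/messages, and also confirm that /proc/driver/mca0 exists.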
Slot Manager Cannot Create Shared Memory

The slot manager (the pkcsslotd daemon) is sometimes unable to allocate shared memory when starting. This may happen because the slot manager was not stopped properly and it has left its shared memory region allocated. In such cases, it is not able to start again and displays a message similar to the following:

    ERROR pkcsslotd-log.o[6386.-1208592704]: Shared memory creation failed (0x11)
    ERROR pkcsslotd-log.o[6386.-1208592704]: perform ipcrm -M 0x620131DA

To resolve this situation, remove the shared memory segment as indicated by the log message. In this example, run the command:

    ipcrm -M 0x620131DA

Key Manager Fails to Initialize

The key manager may fail to initialize, showing the following message:

    Error initializing the PKCS11 library: 0x2
    Check if the pkcsslotd daemon is running (see /var/log/messages for possible pkcsslotd errors)

Typically this message indicates that the manager is not running. In this case, the sca service must be restarted.

Board Zeroing and Initialization Problems

Zeroing is performed using the scamgr or scadiag tool. If this does not work, and as a last resort, the card can be cleaned by replacing a hardware jumper on the card as described in the card's user guide.

Using KPA to Make Keys Available to the AMD Process

To make keys available to the AMD at run time, the administrator has to arrange for the keys to be decrypted, if they are stored in an encrypted form, then to be loaded into shared memory. Decryption requires a password – one per encrypted key file – and is accomplished using the kpadmin utility. The procedure is the same for all the types of encrypted keys used by the AMD, such as OpenSSL or Kerberos for SAP.

The kpadmin utility is a binary file accessible through the path /usr/adlex/rtm/bin/kpadmin.
It accepts no command line options and is executed as:

    kpadmin

Alternatively, to execute kpadmin, log in as the kpadmin user.

The kpadmin utility reads the keys from the disk according to the contents of the file named in server.key.list, prompts the administrator for a password to decrypt each file and then stores them in the AMD RAM, visible to the kpa daemon. After successfully decrypting all keys and saving them in the AMD RAM, kpadmin restarts the AMD process, which then obtains new key information via the kpa daemon.

The decrypted keys are stored in the AMD RAM only. They are not written to disk at any time. This increases the security of the system but means that after a reboot of the AMD, they have to be reloaded into memory.

NOTE
The keylist file is shared by all analyzers requiring key storage. Therefore, when executing the kpadmin command, you will be prompted for passwords for all of the listed keys, for example for OpenSSL keys. If a particular key is not stored in an encrypted form and does not require a password, it is sufficient to press [Enter] in response to the password request.

Migrating from OpenSSL to Using SSL Hardware Accelerator

Before You Begin

If you have been using OpenSSL decoding on the AMD to perform analysis of SSL traffic, and have subsequently upgraded your AMD to support an SSL hardware accelerator card, you need to reconfigure the AMD to use the new card. The following steps outline the required procedure to perform after the AMD has been upgraded. Refer to Upgrading the AMD Software in the Data Center Real User Monitoring Agentless Monitoring Device Installation Guide and to SSL Hardware Accelerator Cards [p. 18] for details of how to upgrade the AMD and install and configure a particular hardware accelerator card.

The benefits of using a hardware accelerator card are, among others, increased speed and security.
Note, however, that some cards have limited ability to export RSA private keys, which makes it difficult to migrate back to OpenSSL or to another card.

1. Upgrade your AMD to support the new hardware accelerator card.
   For information about upgrading the AMD, refer to Upgrading the AMD Software in the Data Center Real User Monitoring Agentless Monitoring Device Installation Guide.
2. Install and configure a hardware accelerator card.
   For information about installing and configuring a hardware accelerator card, refer to SSL Hardware Accelerator Cards [p. 18].
3. Configure AMD to use the installed accelerator card for SSL decryption.
   Configure the AMD to use the card by specifying the SSL engine name in the AMD configuration. For more information, see Selecting and Configuring SSL Engine [p. 18] and SSL Hardware Accelerator Cards [p. 18].
4. Import RSA private keys to the accelerator cards.
   The RSA private keys, as used by OpenSSL, are stored in the directory indicated in the AMD configuration, as explained in Management of RSA Private Keys on AMD [p. 12]. Import these keys into the given hardware card, as described in SSL Hardware Accelerator Cards [p. 18].

Monitoring SSL-encoded Traffic without Decryption

There are alternatives on the market to installing private keys on AMDs, including dedicated SSL accelerators and SSL-terminating load balancers. If the AMD is connected to the network behind an SSL-terminating device, the AMD sees plain and unencrypted traffic that can be analyzed without any additional setup.

Data Center Real User Monitoring provides a subset of SSL-specific metrics for SSL traffic with no decryption required. This includes SSL Connection Setup Time, SSL Handshake Errors, and performance gauge metrics that estimate Operation Time and Server Think Time.
Also, all the network performance and usage metrics are available, such as RTT, loss rate, bandwidth usage, and throughput.

When SSL private keys are installed, the AMD is able to perform three additional tasks:
• Report HTTP errors and application-specific errors signaled in HTML content.
• Identify and count unique website users by user name.
• Report performance metrics for identified, designated, SSL-encoded URLs, and application functions such as forms.

Using AMD with nShield Connect HSM

The AMD can receive secure cryptographic processing from the nShield Connect™ hardware security module (HSM). AMD 12.3 was tested with nShield Connect HSM 1.2. The AMD acts as an nShield Connect client. There are two expected configuration scenarios:
• Setting up an nShield Connect from scratch and connecting the AMD as a client. For more information, see Setting Up nShield Connect [p. 47].
• Connecting the AMD to an existing nShield Connect installation. For more information, see Connecting AMD to Existing nShield Connect [p. 47].

Setting Up nShield Connect

Refer to the procedure below when setting up the nShield Connect HSM from scratch and connecting the AMD as its client. The procedure provides an outline of general steps required to connect the AMD and nShield Connect. Refer to the Thales-provided nShield Connect HSM documentation for detailed instructions: nShield Connect Quick Start Guide and nShield Connect and netHSM User Guide for Unix-based OS.

1. Set up and configure nShield Connect.
2. Create a Remote File System (RFS) on a machine of your choice.
3. Connect RFS to nShield Connect.
4. Connect AMD to nShield Connect.
5. Create Security World on nShield Connect.

Connecting AMD to Existing nShield Connect

Refer to the procedure below when connecting an AMD to an existing nShield Connect HSM installation.
The procedure provides an outline of general steps required to connect the AMD and nShield Connect. Refer to the Thales-provided nShield Connect HSM documentation for detailed instructions: nShield Connect and netHSM User Guide for Unix-based OS.

1. Configure nShield Connect to enable connection from the AMD.
2. Connect AMD to nShield Connect.
3. Configure Remote File System (RFS) to allow AMD to receive the Security World data.

CHAPTER 3 Server-Based SSL Monitoring Configuration

Apart from the installation and configuration performed on the AMD side, you can also customize the Central Analysis Server features related to SSL monitoring, such as reporting on SSL errors. In particular, if you are interested in the integration features of CAS, you can use the alert that is based on detection of SSL setup time for a specified software service. For more information, see SSL_APPL_INOPER in the Data Center Real User Monitoring Alert System Administration Guide.

Defining SSL Error Names

SSL connection setup errors are aggregated into groups by the AMD according to the AMD configuration. The aggregated errors appear on reports as “SSL error 1”, “SSL error 2”, and “Other SSL errors”.

Before You Begin

Administrative privileges are required to access the Advanced Properties Editor. Under normal circumstances, use the Customized names configuration tool to configure the SSL error names, but if that is not possible, use the Advanced Properties Editor on the report server instead.

To customize these default names, change the report server configuration in the Advanced Properties Editor in Diagnostic Console:

1. Open and log on to the report server.
2. Open the Diagnostic Console.
   In your web browser address field, enter: http://[CAS_ADDRESS]/diagconsole
3. In the Diagnostic Console, select Advanced Properties Editor.
4. Click the right arrow to page to the SSL error names section.
5. Type the new error names.
   Other SSL Errors name (SSL_ERR.3)
   SSL Error level 1 name (SSL_ERR.1)
   SSL Error level 2 name (SSL_ERR.2)
6. Click Save to save your changes.

Managing SSL Alert Codes

You can define new alert codes using the RUM Console, change predefined common SSL alert codes and decide which alert codes should be taken into account when calculating the failures (transport) metric.

By default, the most commonly used alert codes are already defined and divided into three groups:

SSL Alerts A
    10, 20, 21, 22, 30, 40, 49, 50, 51, 60, 70, 71, 110
    This group is shown on Data Center Real User Monitoring reports as SSL Error 1, named SSL session fatal error by default.

SSL Alerts B
    41, 42, 43, 44, 45, 46, 48, 111, 112, 113, 114, 115
    This group is shown on Data Center Real User Monitoring reports as SSL Error 2, named SSL handshake fatal error by default.

SSL Alerts N
    All alerts not mentioned above.
    This group is shown on Data Center Real User Monitoring reports as Other SSL Errors, named SSL warnings by default.

The following table lists all SSL alerts that AMD can recognize:

Table 2. SSL alert codes

| SSL alert name | SSL alert code | Description |
| close_notify | 0 | Notifies the recipient that the sender will not send any more messages on this connection. |
| unexpected_message | 10 | Received an inappropriate message. This alert should never be observed in communication between proper implementations. This message is always fatal. |
| bad_record_mac | 20 | Received a record with an incorrect MAC. This message is always fatal. |
| decryption_failed | 21 | A TLSCiphertext record was decrypted in an invalid way: either it was not an even multiple of the block length or its padding values, when checked, were not correct. This message is always fatal. |
| record_overflow | 22 | Received a TLSCiphertext record which had a length more than 2^14+2048 bytes, or a record decrypted to a TLSCompressed record with more than 2^14+1024 bytes. This message is always fatal. |
| decompression_failure | 30 | Received improper input, such as data that would expand to excessive length, from the decompression function. This message is always fatal. |
| handshake_failure | 40 | Indicates that the sender was unable to negotiate an acceptable set of security parameters given the options available. This is a fatal error. |
| no_certificate_RESERVED | 41 | Sent by a client to indicate that it does not have a proper certificate to fulfill a certificate request from the server. This alert description is no longer used by TLS (a client now sends an empty certificate message if it does not have a proper certificate). |
| bad_certificate | 42 | There is a problem with the certificate, for example, a certificate is corrupt, or a certificate contains signatures that cannot be verified. |
| unsupported_certificate | 43 | Received an unsupported certificate type. |
| certificate_revoked | 44 | Received a certificate that was revoked by its signer. |
| certificate_expired | 45 | Received a certificate that has expired or is not currently valid. |
| certificate_unknown | 46 | An unspecified issue took place while processing the certificate that made it unacceptable. |
| illegal_parameter | 47 | Violated security parameters, such as a field in the handshake that was out of range or inconsistent with other fields. This is always fatal. |
| unknown_ca | 48 | Received a valid certificate chain or partial chain, but the certificate was not accepted because the CA certificate could not be located or could not be matched with a known, trusted CA. This message is always fatal. |
| access_denied | 49 | Received a valid certificate, but when access control was applied, the sender did not proceed with negotiation. This message is always fatal. |
| decode_error | 50 | A message could not be decoded because some field was out of the specified range or the length of the message was incorrect. This message is always fatal. |
| decrypt_error | 51 | Failed handshake cryptographic operation, including being unable to correctly verify a signature, decrypt a key exchange, or validate a finished message. |
| export_restriction | 60 | Detected a negotiation that was not in compliance with export restrictions; for example, attempting to transfer a 1024 bit ephemeral RSA key for the RSA_EXPORT handshake method. This message is always fatal. |
| protocol_version | 70 | The protocol version the client attempted to negotiate is recognized, but not supported. For example, old protocol versions might be avoided for security reasons. This message is always fatal. |
| insufficient_security | 71 | Failed negotiation specifically because the server requires ciphers more secure than those supported by the client. Returned instead of handshake_failure. This message is always fatal. |
| internal_error | 80 | An internal error unrelated to the peer or the correctness of the protocol makes it impossible to continue, such as a memory allocation failure. The error is not related to protocol. This message is always fatal. |
| user_canceled | 90 | Cancelled handshake for a reason that is unrelated to a protocol failure. If the user cancels an operation after the handshake is complete, just closing the connection by sending a close_notify is more appropriate. This alert should be followed by a close_notify. This message is generally a warning. |
| no_renegotiation | 100 | Sent by the client in response to a hello request or sent by the server in response to a client hello after initial handshaking. Either of these would normally lead to renegotiation; when that is not appropriate, the recipient should respond with this alert; at that point, the original requester can decide whether to proceed with the connection. One case where this would be appropriate would be where a server has spawned a process to satisfy a request; the process might receive security parameters (key length, authentication, and so on) at start-up and it might be difficult to communicate changes to these parameters after that point. This message is always a warning. |
| unsupported_extension | 110 | Sent by the client if the ServerHello contains an extension that the client did not request in its ClientHello. Fatal. |
| certificate_unobtainable | 111 | Sent by the server to indicate that it cannot obtain a certificate from the URL the client has sent within a ClientCertificateURL extension. May be fatal. |
| unrecognized_name | 112 | Sent by the server if it does not recognize a server name included in the ServerNameList extension received from the client. May be fatal. |
| bad_certificate_status_response | 113 | Sent by the client if it gets an invalid certificate status response after having sent a CertificateStatusRequest extension. Fatal. |
| bad_certificate_hash_value | 114 | Sent by the server if a certificate hash value does not match the corresponding value received within a ClientCertificateURL extension message. Fatal. |
| unknown_PSK_identity | 115 | Indicates that the server does not recognize the PSK identity sent by the client. Fatal. |
| other | ? | other |

By default, the most commonly used alert codes are already defined, including the alert source: server, client or both.
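The default grouping from the lists above, applied to plaintext alert records found in a byte stream of TLS records. This is an added example, not code from the guide or from the product; the sample records are constructed, and failure_rules is a hypothetical stand-in for the alert code and source selection made in the RUM Console.

```python
import struct
from collections import Counter

ALERT = 21  # TLS record content type "alert"

# Default groups, copied from the lists in this guide.
GROUP_A = {10, 20, 21, 22, 30, 40, 49, 50, 51, 60, 70, 71, 110}
GROUP_B = {41, 42, 43, 44, 45, 46, 48, 111, 112, 113, 114, 115}
REPORT_NAME = {
    "A": "SSL Error 1 (SSL session fatal error)",
    "B": "SSL Error 2 (SSL handshake fatal error)",
    "N": "Other SSL Errors (SSL warnings)",
}


def alert_group(code):
    """Map an alert description code to its default group letter."""
    if code in GROUP_A:
        return "A"
    if code in GROUP_B:
        return "B"
    return "N"  # "all alerts not mentioned above", which includes 47 and 80


def read_alerts(stream):
    """Walk a byte string of TLS records; return (alerts, unreadable).

    alerts is a list of (level, code) for plaintext alert records.
    unreadable counts alert records whose body is not exactly two bytes,
    which is how an alert looks once record encryption is active.
    """
    alerts, unreadable, pos = [], 0, 0
    while pos + 5 <= len(stream):
        ctype, _major, _minor, length = struct.unpack_from("!BBBH", stream, pos)
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            break  # capture ended in the middle of a record
        if ctype == ALERT:
            if length == 2:
                alerts.append((body[0], body[1]))
            else:
                unreadable += 1
        pos += 5 + length
    return alerts, unreadable


def summarise(flows, failure_rules):
    """Count alerts per group and count the ones configured as failures.

    flows: iterable of (source, stream), source being "client" or "server".
    failure_rules: hypothetical model of the failure selection,
    {alert code: "client" | "server" | "both"}.
    """
    groups, failures, unreadable = Counter(), 0, 0
    for source, stream in flows:
        alerts, skipped = read_alerts(stream)
        unreadable += skipped
        for _level, code in alerts:
            groups[alert_group(code)] += 1
            if failure_rules.get(code) in (source, "both"):
                failures += 1
    return {"groups": dict(groups), "failures": failures, "unreadable": unreadable}


def record(ctype, payload, version=(3, 1)):
    """Build one TLS record (constructed test data, not a real capture)."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(payload)) + payload


# Constructed sample traffic: a handshake record followed by handshake_failure,
# an unknown_ca from the client, an illegal_parameter from the server, and an
# encrypted alert followed by a record cut off by the end of the capture.
SAMPLE_FLOWS = [
    ("server", record(22, b"\x02\x00\x00\x00") + record(ALERT, bytes([2, 40]))),
    ("client", record(ALERT, bytes([2, 48]))),
    ("server", record(ALERT, bytes([2, 47]))),
    ("client", record(ALERT, bytes(26)) + record(ALERT, bytes([1, 0]))[:6]),
]
SAMPLE_RULES = {40: "both", 48: "server"}

if __name__ == "__main__":
    result = summarise(SAMPLE_FLOWS, SAMPLE_RULES)
    for letter, count in sorted(result["groups"].items()):
        print(REPORT_NAME[letter], count)
    print("failures (transport):", result["failures"])
    print("unreadable alert records:", result["unreadable"])
```

Codes 47 (illegal_parameter) and 80 (internal_error) are described as always fatal in Table 2 but appear in neither default list, so with the defaults they are counted under Other SSL Errors.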
Use the SSL Alerts table to indicate the codes that should be reported as failures (transport). For more information, see Calculating Availability in the Data Center Real User Monitoring Administration Guide.

1. Start and log on to RUM Console.
2. Select Devices and Connections ➤ Manage Devices from the top menu, to display the current device list.
3. Select Open Configuration from the context menu for an AMD.
   The AMD Configuration window appears.
4. Click Edit as Draft to set your configuration to draft mode (if you are not in draft mode already).
5. Navigate the Configuration tree to Global ➤ Advanced ➤ SSL Options.
6. Select the Report server name from SSL certificate check box to enable the AMD to extract the names from SSL certificates.
   These names are included with the monitored data along with the SSL setup time, protocol, and cipher.
7. Right-click and select Add or Delete to add or delete the SSL alert codes in the SSL Failures table.
   You can also choose the source of alert code to trigger an SSL failure: server, client or both.
8. Save or publish the configuration.
   • Click Save to save your changes and continue with configuration.
   • Click Save and Publish to immediately update the devices configuration.

What to Do Next

If the AMD is connected to CAS, SSL errors can be given customized names on the report server side. For more information, see Defining SSL Error Names [p. 49].

CHAPTER 4 Tuning Configuration and Troubleshooting Problems

Although SSL monitoring functionality is designed to be as fault tolerant as possible, it may not work because of configuration issues. DC RUM is equipped with diagnostic and troubleshooting features that help resolve the most common problems with SSL monitoring.
Verification of Traffic Monitoring Quality

Use the RUM Console to verify the traffic monitoring quality using two tightly connected solutions: Sniffing Point Diagnostics and Application Overview. We highly recommend that you perform this step at the beginning of your DC RUM deployment to verify that your hardware is working properly and that the applications you intend to monitor are detected. You can verify the test results and repeat them as needed at any time and for any network conditions.

IMPORTANT
• All verification is based on a traffic recording, either manual or automatic. The outcome may not be representative if the target traffic is low at the time of recording or if you are unable to capture a satisfactory number of complete sessions.
• Choose automatic or manual traffic recording to capture unfiltered or filtered traffic. Enable automatic recording only during the configuration process and then disable it. It can negatively affect the performance of the AMD during normal operations, especially if you are running a 32-bit AMD in a high-traffic environment or a 64-bit AMD with the native driver.
• For the most complete and reliable statistics, use the 64-bit customized driver on the AMD.
• The verification of traffic monitoring quality is possible only for AMD 11.7 or later.

SSL Diagnostics

The traffic for this report is dependent on capturing complete sessions. Incomplete sessions, missing packets, or missed handshakes cause a large number of errors, and a large number of errors makes the reports unreliable. Always be sure to record enough traffic for an adequate length of time to allow you to capture complete sessions.

The Statistics for encrypted traffic, SSL card and keys report is only available after the traffic trace recording is finished. Partial statistics for SSL are not provided for unfinished sessions.
General Statistics for Encrypted Traffic

For a given time range, defined by the scope of the recorded traffic traces, you can see the recognized SSL engine (for example, OpenSSL or nCipher) and the number of keys exchanged in the traffic. The remaining sections of this diagnostic report show the detailed information about the keys, the overall summary of the captured SSL traffic, and whether there are errors.

The servers section shows information for all SSL traffic captured during the traffic trace recording. All of the detected encrypted protocols are listed together with their matching keys, if they are seen in the traffic. You can see whether the key exchange was successful; the matched keys are indicated by the icon. Key and certificate matching enables you to verify that certificates were found and were valid. If there is no match, the certificates may be out of date.

SSL Server Status

The Status column shows whether there are errors or whether erroneous sessions prevail. A traffic capture sometimes does not contain session beginnings, or it contains incomplete handshakes, or it has no master session; these sessions are marked as ignored, as indicated by the gray color bar. The sessions with errors are marked by a red color bar. The main causes of errors are missing packets or missing keys. Other causes of errors are listed in detail on the Detailed SSL Statistics for servers report.

Detailed SSL Statistics for Servers

Detailed SSL statistics for servers are accessed from the Server or Status columns. This report shows:
• The percentage of the sessions without error, with errors, or ignored.
• The counts of each problem, in detail, for the error or ignored sessions.
• The number of decrypted sessions if there are no problems.

You can filter the results.
• Use Sessions finished to display the data for completed sessions.
• Use Sessions in progress to display statistics for the sessions that are still in progress (sessions that did not end before the traffic capture stopped).

Figure 17. Example of Detailed SSL Statistics for Server, Errors Detected Due to Private Key Mismatch

SSL Keys

Because invalid or outdated keys are usually not removed from SSL cards, the list of keys for which an error status is indicated may be considerably long. In such cases, sort by the Status column to see keys correctly matched. Note that it may be necessary to format the SSL card storage area to refresh the key list.

Troubleshooting SSL Monitoring Issues

The AMD provides a wide range of diagnostic information and tools that can help you resolve issues with SSL monitoring. Before trying to find an answer to a specific question regarding SSL-related issues, you can use the built-in system diagnostics of Data Center Real User Monitoring. Inspect the AMD log files, especially rtm_perf_curr.log, and check the system health reports. For more information, see Diagnostic Tools in the Data Center Real User Monitoring Administration Guide and Interpreting a System Problem in the Data Center Real User Monitoring Administration Guide.

Why is SSL not being decrypted even though the Agentless Monitoring Device has an SSL accelerator card and the SSL card has been initialized?

The SSL card needs to operate in the Logged on mode. For security reasons, after each machine reboot, the card reverts back to the Initialized mode. To re-activate the card, log in to the card using the user login and password.

How can I check whether SSL decryption is functioning properly?

• To see full status information about the current SSL operation, execute the SHOW SSLDECR STATUS rcon command. For more information, see SHOW SSLDECR STATUS [p. 76].
• To see historical information about SSL decryption, open the /var/log/adlex/rtm_perf.log file. Output from the SHOW SSLDECR STATUS command is written there every monitoring interval (default: 5 minutes).
• When viewing CAS reports, note the number of SSL errors reported. In particular, if the error breakdown information shows a large number of “Other SSL errors”, this indicates that SSL decryption errors are a problem.

What should I do if the SHOW SSLDECR STATUS command does not return engine status as OK or if the incorrect engine is used?

To operate correctly, the engine and accelerator card should match. For example, when using a NITROX accelerator card, use the nitroxfips engine. If the engine status is not OK or an incorrect engine is listed as being in use, check the following:
• Installation: perhaps the wrong upgrade file has been installed. For more information, see Installing the AMD Software in the Data Center Real User Monitoring Agentless Monitoring Device Installation Guide.
• Engine configuration. For more information, see Selecting and Configuring SSL Engine [p. 18].
• Authentication: some cards require that you perform a login action before they can operate. Refer to the configuration instructions for the card.

My SSL engine status is OK, but SSL decryption fails entirely, with no keys recognized. What is the likely cause?

The AMD requires that the SSL card be in an authenticated mode. This allows the AMD to gain access to RSA private keys stored in the card. One common problem is that when an AMD is restarted, the user forgets to log in to the AMD and launch the SSL card configuration utility to authenticate user access (unlock access to RSA keys).
The engine status will be given as OK, meaning that the card itself is functioning correctly and the correct system driver is loaded, but the number of keys recognized will be 0 because the AMD is not able to retrieve key information from the card.

    >$ SHOW SSLDECR STATUS
    SSL DECRYPTION STATUS:
    CONFIGURATION:
    Engine:openssl(thread) status:OK
    Keys: recognized=0 not recognized=18
    SESSIONS:
    ...

To avoid this problem, remember to log in to the AMD and launch the SSL card configuration utility to authenticate user access (unlock access to RSA keys) after you restart the AMD.

What should I do if the SHOW SSLDECR STATUS command reports that some keys were not recognized?

This can happen if RSA private keys stored in .pem files or on the accelerator card do not match the keys used by the SSL servers being monitored. Private keys used by servers can change. Investigate the problem further by executing the SHOW SSLDECR KEYS command in rcon and check which keys have an error status. For example:

    >$ show ssldecr keys
    Configuration of SSL private keys:
    <key: s1.key, status: error (reading failed)>
    <key: strange.key, type: file, size: 1024, status: OK (matched)>
    Keys total: 2, ok: 1, failed: 1, matched: 1

If there are errors, check the following:
• Is the keylist file in the correct format? If not, correct the entries. For more information, see Management of RSA Private Keys on AMD [p. 12].
• If .pem files are to be used, are there the correct .pem files in /usr/adlex/config/keys? If not, supply the missing files.
• If .pem files are to be used, are there any typos in the file names in the keylist file? Correct the file names or paths as needed.
• Are the .pem files encrypted? Open a key file and see whether the word ENCRYPTED appears near the top of the file. The keys stored on the disk may be in encrypted form.
In this case, to make the keys available the administrator has to arrange for the keys to be decrypted before they can be read by the AMD process. This requires a password (one per key file) and is accomplished using the kpadmin utility and the KPA daemon. For more information, see Using KPA to Make Keys Available to the AMD Process [p. 45].
• If keys from the accelerator card are used, are the key IDs and names given in the proper format in keylist? For more information, see Management of RSA Private Keys on AMD [p. 12].
• If only keys from the accelerator are to be used, consider not using the keylist file at all by setting the ssl.import.all.keys.from.token configuration property to true. This ensures that all the keys on the card will be seen correctly regardless of any entries you might make in the keylist file. For more information, see Management of RSA Private Keys on AMD [p. 12].

What should I do if the SHOW SSLDECR STATUS command reports no sessions?

If the number of sessions is reported as 0, check the following:
• Does your AMD installation have a license for SSL decryption? If not, you need to obtain one. For more information, see Licensing Data Center Real User Monitoring Components in the Data Center Real User Monitoring Administration Guide.
• Are there any SSL services defined? Remember that you need to define a service before you can monitor it. You can execute the SHOW SSLDECR SERVERS command in rcon to list all the servers for which SSL decryption is active. The analyzer for the software service must specify “SSL with decryption”. For more information, see SHOW SSLDECR SERVERS [p. 75] and Configuring User-Defined Software Services in the RUM Console Online Help.
• Is there any actual traffic for the servers for which SSL decryption is active? To find out, use the tcpdump command on the AMD.
For example:

    tcpdump 1000 "/ssl.tcp" "host 10.102.10.133 and port 443"

or

    tcpdump 1000 "/ssl.tcp" "vlan and host 10.102.10.133 and port 443"

and check whether there is any traffic captured in the /ssl.tcp file.

If SHOW SSLDECR STATUS reports decryption errors, what do they mean and what can I do to fix the problem?

The following decryption errors can be reported:
• packet lost during payload data exchange
  Your network may be losing packets; check mirrored ports.
• corrupted payload data packet
  Some of the traffic is corrupted and may be incorrectly received by the AMD, potentially because of network problems.
• decryption failed during payload data exchange
  The symmetric decryption failed.
• no private key found
  You do not have a private key for this session or you have not listed it correctly in the keylist file.
• packet lost during handshake
  It may mean that your network is losing packets; check mirrored ports.
• corrupted handshake packet or incorrect handshake sequence
  Some of the traffic is corrupted and may be incorrectly received by the AMD.
• decryption broken during handshake
  The symmetric decryption failed.
• unsupported SSL version
  Traffic encrypted with SSL 2.0 has been encountered. These protocol versions are not supported by the AMD.
• unsupported SSL feature
  An unsupported SSL feature has been encountered. The area the feature relates to and the count of occurrences is in brackets: unsupported cipher, compression, server key exchange.
• re-used sessions with no matching master session seen before
  A so-called “short handshake” (a session with re-used ID) was observed, but the AMD has no record of the original session (“long handshake”) that established the security credentials. Note that some such errors are normal if you restart the AMD, which may cause some traffic not to be observed by the AMD.
• incomplete SSL handshake
  A TCP session was observed to terminate before a complete SSL handshake was seen. The server can refuse a connection and close the TCP session for various reasons. For example, this can occur if the client requested a particular version of SSL but the server requires a different version.
• terminated by alert
  A fatal SSL alert arrived. Technically, this is alert detection and not an error.
• session not seen from the beginning
  May be related to monitoring of sessions with missing start of session. Change your settings if required. For more information, see Monitoring of Persistent TCP Sessions in the RUM Console Online Help.

I suspect that I do not have all the private keys necessary for decryption (for example, I observe sessions “with no private key found”). How can I ensure that all the servers have their matching keys?

Execute the SHOW SSLDECR SERVERS command in rcon to list the decryption information for each server. For example:

    >$ SHOW SSLDECR SERVERS
    Configuration for SSL servers:
    <server: 10.102.10.133:443, certs seen: 1, keys used: 1, status: key(s) found>
    <cert: [/C=PL/ST=woj pomorskie/L=TRICIT,//OU=LAB/CN=sdfds/[email protected]], sent: 4, key: strange.key>
    Servers total: 1, keys required: 1, keys found: 1, keys missing: 0

For all servers, ensure that their key status is found. Also note the last summary line of the output, which states how many keys were required and how many keys were found or were missing. For more information, see SHOW SSLDECR SERVERS [p. 75].

There appear to be missing keys, but I know that I have provided all the necessary keys. How can I verify that the keys I have are correct?

A monitored server may change its private key, making the key used by the AMD obsolete. To prove that a key is correct, perform a test encryption/decryption using that key:

1. Use the SSLDECR CERTS rcon command to extract the public keys from the traffic being seen by the AMD.
   For more information, see SHOW SSLDECR CERTS [p. 70].
2. Perform a test encryption of a short text string, such as today's date, using extracted certificates.
   Use OpenSSL to encrypt the string. For example:

    # date > txt
    # cat txt
    Wed Feb 3 16:13:01 CET 2010
    # openssl rsautl -inkey /cert_192.168.207.162\:443_1.der -keyform der -certin -in txt -encrypt -out txt.enc

   where /cert_192.168.207.162\:443_1.der is the file saved by the SSLDECR CERTS command used earlier.
3. Decrypt the encrypted file using the private key you want to test.
   For example, using OpenSSL:

    openssl rsautl -inkey /usr/adlex/config/keys/www2.prod.ramq.gov_decr1.pem -decrypt -out txt.decr -in txt.enc

   If the key is correct, there should be no difference between the files txt and txt.decr.

You can also use the key stored on the card to decrypt the test file. To do that, use the rsautil utility residing in /usr/adlex/rtm/bin/. (For full usage syntax of the utility, type rsautil -?)

In the following example, the first decryption succeeds and the second one fails.
Note the last line with decrypt simple failed: [root@hsekilx030 bin]# cd /usr/adlex/rtm/bin/ [root@hsekilx030 bin]# ./rsautil -e nitroxfips -t token -k 7 -f /root/DT_00000_42494/cert_153.88.134.201\:443_1.enc L3 2010-06-02 09:33:13.270 0@ssldecr/rsaeng.cpp:320 RSA engine mode auto set to native L2 2010-06-02 09:33:13.270 0@ssldecr/rsaeng.cpp:80 Openssl version: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008, L2 2010-06-02 09:33:13.270 0@ssldecr/rsaeng.cpp:84 Initializing OpenSSL in thread safe mode with 41 locks L3 2010-06-02 09:33:13.271 0@./ssldecr/sslnitroxfips.h:29 NitroxFips: blocking mode: 0 L1 2010-06-02 09:33:13.271 0@ssldecr/rsautil.cpp:322 OK L1 2010-06-02 09:33:13.271 0@ssldecr/rsautil.cpp:347 SSL RSA handler nitroxfips(native) created L3 2010-06-02 09:33:13.282 0@ssldecr/rsautil.cpp:394 key ok: 7 L1 2010-06-02 09:33:13.291 0@ssldecr/rsautil.cpp:67 30 (0x1e) bytes at 0xbfa71824 0000 4d 6f 6e 20 4d 61 79 20 33 31 20 31 33 3a 33 32 Mon May 31 13:32 0010 3a 30 39 20 43 45 53 54 20 32 30 31 30 0a :09 CEST 2010. [root@hsekilx030 bin]# ./rsautil -e nitroxfips -t token -k 8 -f /root/DT_00000_42494/cert_153.88.134.201\:443_1.enc L3 2010-06-02 09:33:20.125 0@ssldecr/rsaeng.cpp:320 RSA engine mode auto set to native L2 2010-06-02 09:33:20.125 0@ssldecr/rsaeng.cpp:80 Openssl version: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008, L2 2010-06-02 09:33:20.125 0@ssldecr/rsaeng.cpp:84 Initializing OpenSSL in thread safe mode with 41 locks L3 2010-06-02 09:33:20.125 0@./ssldecr/sslnitroxfips.h:29 NitroxFips: blocking mode: 0 L1 2010-06-02 09:33:20.125 0@ssldecr/rsautil.cpp:322 OK L1 2010-06-02 09:33:20.125 0@ssldecr/rsautil.cpp:347 SSL RSA handler nitroxfips(native) created L3 2010-06-02 09:33:20.137 0@ssldecr/rsautil.cpp:394 key ok: 8 L2 2010-06-02 09:33:20.152 0@ssldecr/rsautil.cpp:147 decrypt simple failed For more information on loaded keys, execute the SHOW SSLDECR KEYS command in rcon. 
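The SHOW SSLDECR SERVERS check from the first question above can be scripted when there are many servers. The following is an added example, not part of the original guide or the product: a Python parser that flags servers with more certificates seen than keys used, certificates shown with a question mark instead of a key, and a non-zero "keys missing" summary. The sample output is constructed; the "key: ?" rendering and the "key(s) missing" status text are assumptions, since the guide shows only the positive case.

```python
import re

# Constructed sample modelled on the guide's SHOW SSLDECR SERVERS examples.
# Assumptions: an unmatched certificate is printed as "key: ?" and the
# negative status reads "key(s) missing"; the guide shows only "key(s) found".
SAMPLE = """\
Configuration for SSL servers:
<server: 10.102.10.133:443, certs seen: 1, keys used: 1, status: key(s) found>
<cert: [/C=PL/L=TRICIT/OU=LAB/CN=sdfds], sent: 4, key: strange.key>
<server: 192.0.2.20(443), certs seen: 2, keys used: 1, status: key(s) missing>
<cert: [/C=US/O=Example/CN=old.example], sent: 120, in progress: 3 key: web1.key>
<cert: [/C=US/O=Example/CN=new.example], sent: 9, in progress: 1 key: ?>
Servers total: 2, keys required: 3, keys found: 2, keys missing: 1
"""

# The guide prints the server address both as IP:port and as IP(port).
SERVER_RE = re.compile(
    r"<server:\s*(?P<ip>[\d.]+)[:(](?P<port>\d+)\)?,\s*certs seen:\s*(?P<certs>\d+),"
    r"\s*keys used:\s*(?P<keys>\d+),\s*status:\s*(?P<status>[^>]*)>")
# "in progress" is optional and is not always followed by a comma.
CERT_RE = re.compile(
    r"<cert:\s*\[(?P<subject>.*)\],\s*sent:\s*(?P<sent>\d+)"
    r"(?:,\s*in progress:\s*\d+)?,?\s*key:\s*(?P<key>[^>]*)>")
SUMMARY_RE = re.compile(
    r"Servers total:\s*(\d+),\s*keys required:\s*(\d+),"
    r"\s*keys found:\s*(\d+),\s*keys missing:\s*(\d+)")


def parse_servers(text):
    """Return (servers, summary) parsed from SHOW SSLDECR SERVERS output."""
    servers, summary = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVER_RE.search(line)
        if m:
            servers.append({
                "addr": f"{m['ip']}:{m['port']}",
                "certs_seen": int(m["certs"]),
                "keys_used": int(m["keys"]),
                "status": m["status"].strip(),
                "certs": [],
            })
            continue
        m = CERT_RE.search(line)
        if m and servers:
            # A certificate line belongs to the most recent server line.
            servers[-1]["certs"].append({
                "subject": m["subject"],
                "sent": int(m["sent"]),
                "key": m["key"].strip(),
            })
            continue
        m = SUMMARY_RE.search(line)
        if m:
            names = ("servers", "required", "found", "missing")
            summary = dict(zip(names, map(int, m.groups())))
    return servers, summary


def find_key_gaps(text):
    """Return a list of (address, code, detail) findings; empty means no gaps."""
    servers, summary = parse_servers(text)
    gaps = []
    for srv in servers:
        # More certificates than keys: a key is missing for this server.
        if srv["certs_seen"] > srv["keys_used"]:
            detail = f"{srv['certs_seen']} certs seen, {srv['keys_used']} keys used"
            gaps.append((srv["addr"], "missing-key", detail))
        # A question mark in place of a key name: certificate not matched.
        for cert in srv["certs"]:
            if cert["key"] in ("?", ""):
                gaps.append((srv["addr"], "unmatched-cert", cert["subject"]))
    if summary is None:
        gaps.append(("*", "no-summary", "summary line absent; output may be truncated"))
    else:
        if summary["servers"] != len(servers):
            detail = f"summary reports {summary['servers']} servers, parsed {len(servers)}"
            gaps.append(("*", "truncated", detail))
        if summary["missing"] > 0:
            detail = f"{summary['missing']} of {summary['required']} required keys missing"
            gaps.append(("*", "summary-missing", detail))
    return gaps


if __name__ == "__main__":
    for addr, code, detail in find_key_gaps(SAMPLE):
        print(f"{addr:22} {code:16} {detail}")
```

Pass captured rcon output to find_key_gaps(); an empty list means every observed certificate has a matching key and the summary reports none missing.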
Guided Configuration Issues

After I upgraded to Data Center Real User Monitoring 11.5, why doesn't Guided Configuration work?

On upgrade, the Guided Configuration connection is, by default, disabled on the AMDs. To enable the Guided Configuration connection on an AMD, see Adding Devices in RUM Console in the Data Center Real User Monitoring Administration Guide. Note that if you add an AMD after you upgrade to DC RUM 11.5, the connection will be enabled for you on the new device.

Another reason that it does not work is that the number of AMDs in your network exceeds the maximum number (15) of devices with a Guided Configuration connection enabled.

Also note that automatic trace recording is, by default, disabled in all installations, so to see data on the Guided Configuration perspective, either enable automatic trace recording or record a trace manually. For more information, see Capturing Traffic Traces in the Data Center Real User Monitoring Web Application Monitoring User Guide.

The Guided Configuration is incorrectly displayed after a period of user inactivity.

The watchdog mechanism for RUM Console Server frequently polls the server process for its activity. If no activity is detected after a certain timeout (default is 30 seconds), the RUM Console Server process is restarted. This restart causes a connection break between the active RUM Console and the RUM Console Server. The connection is automatically reestablished after RUM Console restart, but the Guided Configuration process may have to be restarted.

The JVM restart will result in an entry in log file platform-system.log (located in the ..\ProgramData\Application Data\Compuware\Vantage Agentless EUE Configuration\workspace\log\kernel\) similar to this:

    ERROR  | wrapper | 2010/06/29 17:13:14 | JVM appears hung: Timed out waiting for signal from JVM.
    STATUS | wrapper | 2010/06/29 17:13:14 | Dumping JVM state.
    ERROR  | wrapper | 2010/06/29 17:13:19 | JVM did not exit on request, terminated
    STATUS | wrapper | 2010/06/29 17:13:24 | Launching a JVM...

This usually happens on overloaded systems when another process is using 100% of the CPU, caused by low system memory and high disk swapping. In this situation, it is recommended that RAM be increased on the machine.

Why can't I record a new traffic trace?

You can diagnose and solve the problem in several ways:

• Read the message in the recording pop-up window. It may contain information about connection problems, the AMD receiving no traffic, or the Guided Configuration waiting for the top statistics data from the device.
• Check the connection status for the selected AMDs in the Device Status section on the Devices screen. You cannot record new traces if the monitoring device experiences connection problems.
• Issue the ndstat command on your AMD to check whether the CBA and the CBA Agent are working. The log should contain the following lines:

    === CBA watchdog process:
    2018 ? S 0:00 /bin/sh /usr/adlex/cba/bin/cba.run
    === CBA module: 1 processes(threads)
    20430 ? Sl 0:08 /usr/adlex/cba/bin/cba
    === CBA-Agent watchdog process:
    2069 ? S 0:00 /bin/sh /usr/adlex/cba-agent/bin/cba-agent.run
    === CBA-Agent process:
    2073 ? S 0:00 /bin/bash /usr/adlex/cba-agent/bin/cba-agent

• Using the ls -l /var/spool/adlex/cba command, check whether a trace file with a given name exists and, if it does, check its size.
• To determine whether an interface is configured and functioning, issue the ifconfig command two or more times and observe the number of packets. If there is traffic on the interface, this number should be non-zero and increasing from observation to observation.
  For example:

    [root@vantageamd ~]# ifconfig
    eth0 Link encap:Ethernet HWaddr 00:0C:29:7B:32:70
         UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
         RX packets:32692 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:16767433 (15.9 MiB) TX bytes:0 (0.0 b)
         Base address:0x1070 Memory:ec820000-ec840000
    [root@vantageamd ~]# ifconfig
    eth0 Link encap:Ethernet HWaddr 00:0C:29:7B:32:70
         UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
         RX packets:48991 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:20138709 (19.2 MiB) TX bytes:0 (0.0 b)
         Base address:0x1070 Memory:ec820000-ec840000

• You can also use the rcon tcpdump command to check whether you can intercept any packets received through the traffic on the sniffing interfaces.
• Disable and then enable the Guided Configuration connection in the monitoring device settings. For more information, see Adding an AMD to Devices List in the Data Center Real User Monitoring Web Application Monitoring User Guide.
• Restart the CBA Agent with the service cba-agent restart Linux command.

You can also search for exceptions and error information in the available logs:

• cva\log\server.log in the RUM Console installation directory
• /var/log/adlex/cba-agent.log in the AMD installation directory
• /var/log/adlex/cba.log in the AMD installation directory

This, however, requires advanced product knowledge.

Why does the Guided Configuration experience connection problems?

To diagnose this problem:

• Check whether the default connection port (9094) is open on the firewall; this is required for the Guided Configuration to work. You can change the default port number if it is already used by another application or service. For more information, see Connection Settings for the CBA Agent and RUM Console Server in the Data Center Real User Monitoring Administration Guide.
• Use the command netstat -nat | grep LISTEN | grep -v 127.0.0.1 to list the open external ports on the AMD. In the following screen output example, port 9094 is open:

    [root@vantageamd ~]# netstat -nat | grep LISTEN | grep -v 127.0.0.1
    tcp 0 0 0.0.0.0:9091 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:9094 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN

Why can't I find a certain URL, parameter, or cookie in the traffic? (I am sure it is there).

Most likely the searched element did not make it to the top statistics that are displayed on the Application Traffic Categories screen. To find a specific element, consider using a filtered traffic trace. You may also increase the number of items in each processed wizard request:

1. Open the cva\config\amd\cba-config.xml file in the RUM Console installation directory.
2. In the file, search for the <numberOfResults> element. The default setting is:

    <numberOfResults>100</numberOfResults>

3. Change the default number to a new value.
4. Restart the CBA with the service cba restart Linux command.

NOTE
Increasing the number of items in each processed wizard request may negatively affect the overall system performance.

Why can't I see the decrypted SSL traffic?

First check whether there is any SSL (undecrypted) traffic detected. Select Devices and Connections ➤ Verify quality of monitored traffic, and select the Application Traffic Categories tab. If there are no results under SSL for a selected trace, it may indicate one of the following:

• There are no SSL data in the recorded traffic trace, which may be due to insufficient trace length.
  For the SSL data to appear in the Guided Configuration perspective, the trace must contain the session beginning together with the SSL key handshake.
• Your SSL port number is something other than 443, so change the configuration settings for Guided Configuration. For more information, see SSL Settings for the CBA Agent and RUM Console Server Connection in the Data Center Real User Monitoring Administration Guide.
• Your SSL key configuration is invalid.

Why is integration with Dynatrace Synthetic Monitoring not working?

First, verify whether the Dynatrace connection settings are correct. For more information, see Configuring the DPN Connection in RUM Console in the Data Center Real User Monitoring Administration Guide.

Remember that the only Dynatrace tests that are imported to DC RUM are active backbone tests. If your test definitions are of a different type, they will not be downloaded to DC RUM.

Also note that to integrate Dynatrace and DC RUM performance measurements, you must have traffic traces with data corresponding to Dynatrace test definitions. If, after importing Dynatrace test definitions to DC RUM, no matching URLs are found, it may mean that the trace is too short and does not contain the matching data.

The RUM Console uses too much memory. How can I solve the problem?

You can control the amount of used memory in several ways:

• Disable the automatic trace recording. For more information, see Capturing Traffic Traces in the Data Center Real User Monitoring Web Application Monitoring User Guide.
• Disable the Guided Configuration connection on some of your AMDs. For more information, see Adding an AMD to Devices List in the Data Center Real User Monitoring Web Application Monitoring User Guide.
• Reset the automatically recorded trace. Use this option carefully, because resetting the trace will cause all of the previously gathered statistics to be lost. For more information, see Capturing Traffic Traces in the Data Center Real User Monitoring Web Application Monitoring User Guide.
• Restart the Dynatrace RUM Console service using the Windows services.msc utility.
  1. Select Start ➤ Run.
  2. Type the services.msc utility name in the Open box.
  3. Click OK.
  4. On the list of the running services, right-click the Dynatrace RUM Console service and select Restart from the context menu.

Why is only one out of, for example, two web-monitoring-enabled AMDs collecting the monitoring data?

This issue appears when Linux is not configured properly, specifically the hostname configuration. The hostname of the machine must be mapped to either the localhost or to the machine's public IP address. To map the hostname, perform the following steps:

1. Edit the /etc/hosts file and make sure it looks similar to this:

    #/etc/hosts
    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    127.0.0.1 localhost.localdomain localhost
    xxx.xxx.xxx.xxx servername.hummy.org servername someothernames

2. Edit /etc/sysconfig/network and change the value there:

    NETWORKING=yes
    HOSTNAME=servername
    NISDOMAIN=hummy.org
    GATEWAY=192.168.1.1

3. Restart the network:

    /etc/init.d/network restart

4. For these changes to take effect, either restart the machine or use the following command:

    echo servername >/proc/sys/kernel/hostname
    echo hummy.org >/proc/sys/kernel/domainname

   This command automatically loads the new hostname into memory.

APPENDIX A
SSL-Related rcon Commands

You can use the AMD console rcon to check on the operation of the decryption mechanism.

SSLDECR CERTS Command

SSLDECR CERTS writes seen server public key certificates to files in “.der” format in a specified directory.
The certificates written are those seen since the last AMD restart, either for a specified server or for all servers.

    SSLDECR CERTS IPaddress:port “path”

Where:

IPaddress
  An optional parameter giving the IP address of the server for which the certificates should be written. If no server is specified, the certificates written are for all servers seen in traffic.
port
  An optional parameter giving the port number of the server for which the certificates should be written. This parameter can be supplied only if the IP address of the server is also specified.
“path”
  The absolute path of the directory in which the files should be created. Note that the quotation marks around the path are necessary.

NOTE
Because of folder access permissions, those rcon commands that produce output files must use designated folders only. When specifying an output file path as a parameter to an rcon command, provide paths pointing to /var/spool/adlex/rtm or /tmp. It is recommended that, especially for larger output files, the former (spool folder) is used, where sufficient space should be available. For example:

    tcpdump 10000 "/var/spool/adlex/rtm/tcpdump.txt"
    ssldecr certs "/usr/tmp/certs.txt"

Note that this limitation applies to files created by rcon commands internally, and not to redirected screen output. Redirected output can be stored in any suitable folder, subject to your current user permissions, though it is also recommended that the spool or tmp folders be used for this purpose.

Output

The command lists the certificate files it has created.

Example

    >$ ssldecr certs "/certs"
    Wrote 713 bytes to /certs/cert_50.0.0.9:443_1.der
    Wrote 713 bytes to /certs/cert_50.0.0.8:443_1.der
    Wrote 713 bytes to /certs/cert_50.0.0.11:443_1.der
    Wrote 713 bytes to /certs/cert_50.0.0.10:443_1.der
    Wrote 713 bytes to /certs/cert_50.0.0.13:443_1.der
    Wrote 713 bytes to /certs/cert_50.0.0.12:443_1.der
    Wrote 713 bytes to /certs/cert_50.0.0.1:443_1.der
    Wrote 713 bytes to /certs/cert_50.0.0.0:443_1.der
    Wrote 713 bytes to /certs/cert_50.0.0.15:443_1.der
    Wrote 713 bytes to /certs/cert_50.0.0.14:443_1.der
    Wrote 713 bytes to /certs/cert_50.0.0.3:443_1.der
    Wrote 713 bytes to /certs/cert_50.0.0.2:443_1.der
    Wrote 713 bytes to /certs/cert_50.0.0.17:443_1.der
    Wrote 713 bytes to /certs/cert_50.0.0.16:443_1.der
    Wrote 713 bytes to /certs/cert_50.0.0.5:443_1.der
    Wrote 713 bytes to /certs/cert_50.0.0.4:443_1.der
    Wrote 713 bytes to /certs/cert_50.0.0.19:443_1.der
    Wrote 713 bytes to /certs/cert_50.0.0.18:443_1.der
    Wrote 713 bytes to /certs/cert_50.0.0.7:443_1.der
    Wrote 713 bytes to /certs/cert_50.0.0.6:443_1.der
    20 certificates dumped

SSLDECR HELP Command

SSLDECR HELP displays help information for the SSLDECR family of commands.

    SSLDECR HELP

Output

The command outputs help information for the SSLDECR family of commands.
Example

    >$ SSLDECR HELP
    SSLDECR HELP - display this help message
    SSLDECR CERTS [IP[:port]] "path" - write server certificates to files in directory "path"
    SSLDECR NAMES enable|disable - enable/disable logging of Distinguished Name content
    SSLDECR LOGLEVEL ALL - log SSL diagnostic information for all sessions
    SSLDECR LOGLEVEL DISABLE - turn off logging of SSL diagnostic information
    SSLDECR LOGLEVEL ERROR - log SSL diagnostic information for sessions with errors
    SSLDECR LOGLEVEL STATUS - display current level of logging SSL diagnostic information

SSLDECR LOGLEVEL Command

SSLDECR LOGLEVEL sets diagnostic tracing level to log SSL session history in /var/log/adlex/rtm.log.

    SSLDECR LOGLEVEL level

Where level can be one of the following:

DISABLE
  Turn off logging of SSL diagnostic information. No SSL diagnostic information is written to the log file.
ERROR
  Log SSL diagnostic information only for sessions with errors.
ALL
  Log SSL diagnostic information for all sessions.
EVENTS
  Display detailed information about every event that will be logged.

  NOTE
  Since this option generates large log files, it is recommended that it not be enabled in a production environment.

Output

The command outputs the new level of diagnostic logging of SSL information.

Example

    >$ SSLDECR LOGLEVEL STATUS
    SSL log turned on for all sessions
    >$ SSLDECR LOGLEVEL DISABLE
    SSL log turned off
    >$ SSLDECR LOGLEVEL STATUS
    SSL log turned off
    >$ SSLDECR LOGLEVEL ERROR
    SSL log turned on for sessions with errors
    >$ SSLDECR LOGLEVEL STATUS
    SSL log turned on for sessions with errors
    >$ SSLDECR LOGLEVEL ALL
    SSL log turned on for all sessions
    >$ SSLDECR LOGLEVEL EVENTS
    SSL log turned on for all sessions

SSLDECR NAMES Command

SSLDECR NAMES enables or disables logging of Distinguished Name information from observed client and server certificates.

    SSLDECR NAMES option

Where option can be:

ENABLE
  to enable logging of Distinguished Name information.
DISABLE
  to disable logging of Distinguished Name information.

NOTE
If there is a very large number of clients, disabling logging of DN information will improve AMD performance.

Output

The message output by the command confirms that logging of Distinguished Names has been enabled or disabled, as appropriate.

Example

    >$ SSLDECR NAMES DISABLE
    cert DN cache disabled
    >$ SSLDECR NAMES ENABLE
    cert DN cache enabled

SHOW SSLDECR CERTS Command

SHOW SSLDECR CERTS lists full text of all observed server certificates. The information displayed applies to the period of time since the last reset of the device.

    SHOW SSLDECR CERTS

Output

The command outputs the full text of each seen certificate.
Example

    Certificates:
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 0 (0x0)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: CN=OpenSSL Test Certificate
            Validity
                Not Before: Aug 29 15:33:18 2006 GMT
                Not After : Aug 29 15:33:18 2007 GMT
            Subject: CN=OpenSSL Test Certificate
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:cc:c7:83:e3:6e:62:38:d1:f1:63:5a:fe:54:29:
                        96:58:5a:e2:59:3e:9c:12:7e:bf:ff:4f:dc:2e:3d:
                        d9:83:37:0a:79:da:d8:a0:aa:f8:83:d0:98:a9:b6:
                        1b:f0:f1:91:8c:9d:70:a1:bf:8b:93:98:ee:d4:ef:
                        09:b6:d4:5f:19:ee:e6:40:aa:b0:42:a2:5b:03:56:
                        1d:f2:3e:59:85:5c:7e:87:fa:21:5f:43:62:cf:3d:
                        32:fc:99:1a:49:33:b9:8b:f7:9d:e3:da:aa:f6:91:
                        91:32:c8:70:3a:3f:e4:44:88:4b:82:92:7f:1d:2c:
                        6b:6e:eb:a3:cc:20:7f:09:a7
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    A2:57:FD:29:37:C9:1C:72:45:21:81:72:AE:71:31:CB:9E:BA:F8:CC
                X509v3 Authority Key Identifier:
                    keyid:A2:57:FD:29:37:C9:1C:72:45:21:81:72:AE:71:31:CB:9E:BA:F8:CC
                    DirName:/CN=OpenSSL Test Certificate
                    serial:00
                X509v3 Basic Constraints:
                    CA:TRUE
        Signature Algorithm: md5WithRSAEncryption
            74:8b:17:f9:fc:2c:16:a2:a7:b5:9d:2d:5d:1d:c4:f9:23:0c:
            f3:01:93:fe:98:ae:a8:75:d5:ff:15:72:14:98:7d:bc:cf:32:
            38:8e:fe:38:fc:f6:77:fe:d5:c4:df:78:fd:8d:8e:c2:e4:11:
            4f:2f:40:cb:32:c9:c7:95:73:b9:0c:49:a4:c8:59:a7:40:77:
            5d:94:86:17:9e:2c:76:b7:fd:2f:55:26:ba:f3:b6:26:1f:f6:
            a2:83:41:59:59:59:f1:07:45:02:b0:a4:fb:cf:4b:12:8a:a3:
            e6:ca:e4:fd:3a:3a:55:0c:d8:cc:e8:9a:22:03:64:7a:0a:9d:
            2e:0b

SHOW SSLDECR CIPHERS Command

SHOW SSLDECR CIPHERS displays information on the supported and unsupported cipher suites and statistics on cipher suite usage. The statistical information displayed applies to the period of time since the last reset of the device.

    SHOW SSLDECR CIPHERS

Output

The output lists cipher suites one per line.
The list entitled SSL cipher-suites status lists all cipher suites known to the AMD and the list entitled ignored cipher-suites gives cipher suites that have been observed but have not been identified by the AMD.

In the list of known cipher suites, the following designations are used:

+    Denotes supported suites.
-    Denotes unsupported suites.
*    Denotes conditionally supported suites, that is suites supported for key size not bigger than a defined upper limit.
id   The cipher suite identification represented in hexadecimal code.
kex  The key exchange algorithm.
sig  The authentication algorithm.
enc  The private key encryption algorithm.
dig  The digest algorithm.
ref  The number of times the cipher was observed.

In the ignored cipher-suites list, the entry before the colon gives the cipher suite identification represented as a hexadecimal value (this corresponds to the id column in the first list), and the entry after the colon is the number of times the cipher was observed (this corresponds to the ref column in the first list).
Example

    >$ SHOW SSLDECR ciphers
    SSL cipher-suites status:
    - UNKNOWN                     id=00 kex=UNKNOWN sig=UNKNOWN enc=MD5 dig=NONE ref=0
    + NULL-MD5                    id=01 kex=RSA sig=RSA enc=UNKNOWN dig=MD5 ref=0
    + NULL-SHA                    id=02 kex=RSA sig=RSA enc=UNKNOWN dig=SHA ref=0
    * EXP-RC4-MD5                 id=03 kex=RSA_EXP sig=RSA enc=RC4 dig=MD5 ref=0
    + RC4-MD5                     id=04 kex=RSA sig=RSA enc=RC4 dig=MD5 ref=0
    + RC4-SHA                     id=05 kex=RSA sig=RSA enc=RC4 dig=SHA ref=14218
    - EXP-RC2-CBC-MD5             id=06 kex=RSA_EXP sig=RSA enc=RC2 dig=SHA ref=0
    - IDEA-CBC-SHA                id=07 kex=RSA sig=RSA enc=IDEA dig=SHA ref=0
    * EXP-DES-CBC-SHA             id=08 kex=RSA_EXP sig=RSA enc=DES dig=SHA ref=0
    + DES-CBC-SHA                 id=09 kex=RSA sig=RSA enc=DES dig=SHA ref=0
    + DES-CBC3-SHA                id=0A kex=RSA sig=RSA enc=DES3 dig=SHA ref=7474
    - EXP-DH-DSS-DES-CBC-SHA      id=0B kex=DH sig=DSS enc=DES dig=SHA ref=0
    - DH-DSS-DES-CBC-SHA          id=0C kex=DH sig=DSS enc=DES dig=SHA ref=0
    - DH-DSS-DES-CBC3-SHA         id=0D kex=DH sig=DSS enc=DES3 dig=SHA ref=0
    - EXP-DH-RSA-DES-CBC-SHA      id=0E kex=DH sig=RSA enc=DES dig=SHA ref=0
    - DH-RSA-DES-CBC-SHA          id=0F kex=DH sig=RSA enc=DES dig=SHA ref=0
    - DH-RSA-DES-CBC3-SHA         id=10 kex=DH sig=RSA enc=DES3 dig=SHA ref=0
    - EXP-EDH-DSS-DES-CBC-SHA     id=11 kex=DH sig=DSS enc=DES dig=SHA ref=0
    - EDH-DSS-DES-CBC-SHA         id=12 kex=DH sig=DSS enc=DES dig=SHA ref=0
    - EDH-DSS-DES-CBC3-SHA        id=13 kex=DH sig=DSS enc=DES3 dig=SHA ref=0
    - EXP-EDH-RSA-DES-CBC-SHA     id=14 kex=DH sig=RSA enc=DES dig=SHA ref=0
    - EDH-RSA-DES-CBC-SHA         id=15 kex=DH sig=RSA enc=DES dig=SHA ref=0
    - EDH-RSA-DES-CBC3-SHA        id=16 kex=DH sig=RSA enc=DES3 dig=SHA ref=0
    - EXP-ADH-RC4-MD5             id=17 kex=DH sig=NONE enc=RC4 dig=MD5 ref=0
    - ADH-RC4-MD5                 id=18 kex=DH sig=NONE enc=RC4 dig=MD5 ref=0
    - EXP-ADH-DES-CBC-SHA         id=19 kex=DH sig=NONE enc=DES dig=MD5 ref=0
    - ADH-DES-CBC-SHA             id=1A kex=DH sig=NONE enc=DES dig=MD5 ref=0
    - ADH-DES-CBC3-SHA            id=1B kex=DH sig=NONE enc=DES3 dig=MD5 ref=0
    * EXP1024-RC4-MD5             id=60 kex=RSA_EXP sig=RSA enc=RC4 dig=MD5 ref=0
    - EXP1024-RC2-CBC-MD5         id=61 kex=RSA_EXP sig=RSA enc=RC2 dig=MD5 ref=0
    * EXP1024-DES-CBC-SHA         id=62 kex=RSA_EXP sig=RSA enc=DES dig=SHA ref=0
    - EXP1024-DHE-DSS-DES-CBC-SHA id=63 kex=DH sig=DSS enc=DES dig=SHA ref=0
    * EXP1024-RC4-SHA             id=64 kex=RSA_EXP sig=RSA enc=RC4 dig=SHA ref=0
    - EXP1024-DHE-DSS-RC4-SHA     id=65 kex=DH sig=DSS enc=RC2 dig=SHA ref=0
    - DHE-DSS-RC4-SHA             id=66 kex=DH sig=DSS enc=RC4 dig=SHA ref=0
    + AES128-SHA                  id=2F kex=RSA sig=RSA enc=AES-128-CBC dig=SHA ref=0
    - DH-DSS-AES128-SHA           id=30 kex=DH sig=DSS enc=AES-128-CBC dig=MD5 ref=0
    - DH-RSA-AES128-SHA           id=31 kex=DH sig=RSA enc=AES-128-CBC dig=MD5 ref=0
    - DHE-DSS-AES128-SHA          id=32 kex=DH sig=DSS enc=AES-128-CBC dig=MD5 ref=0
    - DHE-RSA-AES128-SHA          id=33 kex=DH sig=RSA enc=AES-128-CBC dig=MD5 ref=0
    - ADH-AES128-SHA              id=34 kex=DH sig=RSA enc=AES-128-CBC dig=MD5 ref=0
    + AES256-SHA                  id=35 kex=RSA sig=RSA enc=AES-256-CBC dig=SHA ref=0
    - DH-DSS-AES256-SHA           id=36 kex=DH sig=DSS enc=AES-256-CBC dig=MD5 ref=0
    - DH-RSA-AES256-SHA           id=37 kex=DH sig=RSA enc=AES-256-CBC dig=MD5 ref=0
    - DHE-DSS-AES256-SHA          id=38 kex=DH sig=DSS enc=AES-256-CBC dig=MD5 ref=0
    - DHE-RSA-AES256-SHA          id=39 kex=DH sig=RSA enc=AES-256-CBC dig=MD5 ref=0
    - ADH-AES256-SHA              id=3A kex=DH sig=RSA enc=AES-256-CBC dig=MD5 ref=0
    ignored cipher-suites:
    0000222B:123
    00000211:2

SHOW SSLDECR HELP Command

SHOW SSLDECR HELP displays help information for the SHOW SSLDECR family of commands.

    SHOW SSLDECR HELP

Output

The command outputs help information for the SHOW SSLDECR family of commands.
Example

    >$ SHOW SSLDECR HELP
    SHOW SSLDECR HELP - display this help message
    SHOW SSLDECR CERTS - list full text of all observed certificates
    SHOW SSLDECR CIPHERS - displays information on the supported and unsupported cipher suites
    SHOW SSLDECR NAMES - display Distinguished Name content for all observed client and server certificates
    SHOW SSLDECR KEYS - display summary information for all private keys defined in configuration
    SHOW SSLDECR LOGLEVEL - display current level of logging SSL diagnostic information
    SHOW SSLDECR SERVERS - display summary information for all SSL servers defined in configuration
    SHOW SSLDECR STATUS - show general information about SSL decryption status

SHOW SSLDECR KEYS Command

SHOW SSLDECR KEYS displays summary information for all private keys listed in the AMD configuration. The statistical information displayed applies to the period of time since the last reset of the device.

    SHOW SSLDECR KEYS

Output

The output consists of one line for each key, with the key name, type, size, and status. For keys that were declared in the configuration (are present on the list of defined keys), but were not successfully read, the type and size are not available. The section ends with a summary line providing information about the total number of keys, the total number of valid keys read successfully, the total number of keys that failed to read, and the number of valid keys matched to certificates.

The status value corresponds to one of the cases:

• error (syntax error): error when reading key information from the list of configured keys.
• error (unsupported type): key incompatible with decrypting engine.
• error (reading failed): Reading of a key failed for some reason, such as key file not present or corrupt.
• OK (read): The key has been read successfully.
• OK (matched): The key has been read and matched to a certificate.

Example

    Configuration for SSL private keys:
    <key: 0xc, status: type not supported>
    <key: s1.key, type: file, size: 1024, status: OK (read)>
    <key: k2key.pem, type: file, size: 2048, status: OK (matched)>
    <key: TT.key, type: file, size: 1024, status: OK (read)>
    <key: KK.key, status: read failed>
    <key: openssl.pem, type: file, size: 1024, status: OK (matched)>
    <key: tt22052.key, status: parse error>
    Keys total: 7, ok: 4, failed: 3, matched: 2

SHOW SSLDECR LOGLEVEL Command

SHOW SSLDECR LOGLEVEL displays current level of logging SSL diagnostic information. This command is equivalent to SSLDECR LOGLEVEL STATUS.

    SHOW SSLDECR LOGLEVEL

Output

The following levels of logging can be returned by the command:

• SSL log turned off
• SSL log turned on for sessions with errors
• SSL log turned on for all sessions

Example

    >$ SHOW SSLDECR LOGLEVEL
    SSL log turned on for all sessions
    >$ SSLDECR LOGLEVEL DISABLE
    SSL log turned off
    >$ SHOW SSLDECR LOGLEVEL
    SSL log turned off
    >$ SSLDECR LOGLEVEL ERROR
    SSL log turned on for sessions with errors
    >$ SHOW SSLDECR LOGLEVEL
    SSL log turned on for sessions with errors
    >$ SSLDECR LOGLEVEL ALL
    SSL log turned on for all sessions
    >$ SHOW SSLDECR LOGLEVEL
    SSL log turned on for all sessions

SHOW SSLDECR NAMES Command

SHOW SSLDECR NAMES displays Distinguished Name content for all observed client and server certificates.

    SHOW SSLDECR NAMES

Output

The command outputs one line per certificate and for each certificate it shows Distinguished Name contents and the number of times the certificate was seen.

Example

    >$ SHOW SSLDECR NAMES
    c:31900536 dn:=GB/S=Berkshire/L=Newbury/O=My Company Ltd>

SHOW SSLDECR SERVERS Command

SHOW SSLDECR SERVERS displays summary information for all SSL servers defined in configuration.
The statistical information displayed applies to the period of time since the last reset of the device.

    SHOW SSLDECR SERVERS

Output

For each server, the IP address and port are displayed with their corresponding certificates. Each server line is followed by a number of certificate lines, each of which corresponds to a certificate sent from this server, if any.

A server line provides information about the server IP address and port number, the number of certificates seen for this server, the number of keys used for this server, and analyzer status for this server. The number of certificates for a server can be:

• greater than zero and equal to the number of keys, meaning that all needed keys for this server are available (status is positive).
• zero, with the number of keys also zero, meaning that no keys were needed for the given server (status is positive).
• greater than zero and greater than the number of keys, meaning that a key or keys were missing for this server (status is negative).

Each certificate line provides information about the certificate (the Subject field from certificate) and either a key identifier of a matching key or a question mark, if the certificate is not matched to a known key.

The server status is concluded with a summary line giving the total number of servers, the total number of keys needed for those servers, the total number of keys found, and the total number of keys missing for those servers.

Example

    <server: 10.10.10.10(443), certs seen: 1, keys used: 1, status: key(s) found>
    <cert: [/C=US/ST=Michigan/L=Detroit/O=Compuware Corporation/OU=Technology/OU=Hosted by Compuware Corporation/OU=PlatinumSSL SGC], sent: 5275, in progress: 12 key: jira>
    <cert: [/C=US2/ST=Michigan2/L=Detroit2/O=Compuware Corporation2/OU=Technology2/OU=Hosted by Compuware Corporation2/OU=PlatinumSSL SGC2], sent: 532135, in progress: 8 key: jira2>
    <server: 20.20.20.20(443), certs seen: 1, keys used: 1, status: key(s) found>
    <cert: [/C=US2/ST=Michigan2/L=Detroit2/O=Compuware Corporation2/OU=Technology2/OU=Hosted by Compuware Corporation2/OU=PlatinumSSL SGC2], sent: 532135, in progress: 8 key: jira2>
    <cert: [/C=US3/ST=Michigan3/L=Detroit3/O=Compuware Corporation3/OU=Technology3/OU=Hosted by Compuware Corporation3/OU=PlatinumSSL SGC3], sent: 2275, in progress: 12 key: jira3>

SHOW SSLDECR STATUS Command

SHOW SSLDECR STATUS gives the status information for the decryption engine and lists the statistics of the observed sessions. Internal decryptor diagnostics are also provided.

    SHOW SSLDECR STATUS
    SHOW SSLDECR STATUS IP address:port number

Output

All of the information and statistics given by the command relate to the period of time since the last restart of the device.

NOTE
Optionally indicating the IP address and the port number of a server limits the output to the specified server.

The first section of the output gives status information for the decryption engine. Note the SSL engine mode (native, auto or thread) included in parentheses and statistics of how many private keys have been matched or failed to match.

The second section gives session statistics. Note that there are no statistics for “partially decrypted session in progress”, that is, for sessions with some errors but for which decryption is still continuing.
This is because as soon as there is an error, the decryption process is terminated and the session is counted as “finished”, even though the actual transfer of data may still continue and byte and packet statistics are still counted.

Note also the term “reused sessions”. This applies to sessions for which the server agrees to continue using an already established session key from earlier on. This is referred to as a short handshake, as compared to a long handshake when the entire process of establishing an SSL connection is started again.

Example

    >$ SHOW SSLDECR STATUS
    SSL DECRYPTION STATUS:
    CONFIGURATION:
    Engine:openssl(thread) status:OK
    Keys: recognized=3 not recognized=0
    SESSIONS:
    Total number of sessions=67741 (in progress=29952 finished=37789)
    SSL protocol version breakdown per number of sessions:
      supported versions= ssl3.0=21755 tls1.0=0
      unsupported versions= ssl2.0=0 tls1.1=0 tls1.2=0 other versions=0
      no version info=15743
    New sessions=2336
    Reused sessions=19419
    Finished sessions decrypted with no errors=0 (0% of all finished sessions)
    Sessions in progress decrypting with no errors=2774 (9% of all sessions in progress)
    Finished sessions decrypted partially=187 (0% of all finished sessions)
      with a packet lost during payload data exchange=187
      with a corrupted payload data packet=0
      with decryption failed during payload data exchange=0
    Finished sessions not decrypted=37602 (99% of all finished sessions)
      with no private key found=0 (new sessions=0 reused sessions=0)
      with a packet lost during handshake=364 (new sessions=364 reused sessions=0)
      with a corrupted handshake packet or incorrect handshake sequence=79 (new sessions=79 reused sessions=0)
      with decryption broken during handshake=15 (new sessions=15 reused sessions=0)
      with unsupported SSL version=0 (ssl2.0=0 tls1.1=0 tls1.2=0 other versions=0)
      with unsupported SSL feature=0 (unsupported cipher=0 unsupported compression=0 server key exchange=0)
      reused sessions with no matching master sessions seen before=15740
      with incomplete SSL handshake=15511 (new sessions=15723 reused sessions=0)
      terminated by alert (during handshake=212 during payload data exchange=0)
      session not seen from the beginning=5681
      with other errors=0
    RSA DECRYPTOR INTERNAL DIAGNOSTICS:
    init/init errors (I=)2095/0
    finalize/finalize errors (f=)1864/0
    cancel/cancel errors =)0/0
    parallel curr/avg/max (p=)231/115/231
    sessions on hold total/curr/avg/max(h=)0/0/0/0
    PMS CACHE INTERNAL DIAGNOSTICS:
    entries added (a=)10056 (initialized=1823 uninitialized=8209 error=24 )
    entries changed =)155 (toInitialized=41 toUninitialized=0 toError=114 )
    entries deleted (d=)0
    total entries in cache (n=)10056

Optionally, the * parameter can be used in the command to display statistics grouped per server.

    >$ SHOW SSLDECR STATUS *
    SSL DECRYPTION STATUS for server 10.10.10.10 port 443:
    SESSIONS:
    Total number of sessions=51114 (inProgress=1 Finished=51113)
    SSL protocol version breakdown per number of sessions:
      supported versions: ssl3.0=620 tls1.0=28114 tls1.1=0 tls1.2=0
      unsupported versions: ssl2.0=0 other versions=0
      no version info=22372
    Long handshakes=5275
    Short handshakes=12288
    SessionTkt reused=0
    SessionId reused=22255
    Finished sessions decrypted with no errors=13767 (26% of all finished sessions)
    Sessions in progress decrypting with no errors=0 (0% of all sessions in progress)
    Finished sessions decrypted partially=1292 (2% of all finished sessions)
      with a packet lost during payload data exchange=1292
      with a corrupted payload data packet=0
      with decryption failed during payload data exchange=0
      terminated by alert during payload data exchange=0
    Finished sessions not decrypted=36054 (70% of all finished sessions)
      with no private key found=0 (new sessions=0 reused sessions=0)
      with a packet lost during handshake=496 (new sessions=436 reused sessions=60)
      with a corrupted handshake packet or incorrect handshake sequence=0 (new sessions=0 reused sessions=0)
      with decryption broken during handshake=0 (new sessions=0 reused sessions=0)
      with unsupported SSL version=0 (ssl2.0=0 otherVersions=0)
      with unsupported SSL feature=11171 (unsupported cipher=11171 compression=0 server key exchange=0)
      reused sessions with no matching master session seen before=2178
      with incomplete SSL handshake=97 (new sessions=97 reused sessions=0)
      terminated by alert during handshake=79
      reuse errors when PMS identified with session id=2238, with session ticket=0
      session not seen from the beginning=22033
      with other errors=0
    SSL cipher-suites status:
    + RC4-MD5 id=04 kex=RSA sig=RSA enc=RC4 dig=MD5 ref=14590
    + RC4-SHA id=05 kex=RSA sig=RSA enc=RC4 dig=SHA ref=119
    - DH-RSA-DES-CBC-SHA id=0F kex=DH sig=RSA enc=DES dig=SHA ref=4234
    SSL DECRYPTION STATUS for server 50.50.50.50 port 443:
    SESSIONS:
    Total number of sessions=51114 (inProgress=1 Finished=51113)
    SSL protocol version breakdown per number of sessions:
      supported versions: ssl3.0=620 tls1.0=28114 tls1.1=0 tls1.2=0
      unsupported versions: ssl2.0=0 other versions=0
      no version info=22372
    Long handshakes=5275
    Short handshakes=12288
    SessionTkt reused=0
    SessionId reused=22255
    Finished sessions decrypted with no errors=13767 (26% of all finished sessions)
    Sessions in progress decrypting with no errors=0 (0% of all sessions in progress)
    Finished sessions decrypted partially=1292 (2% of all finished sessions)
      with a packet lost during payload data exchange=1292
      with a corrupted payload data packet=0
      with decryption failed during payload data exchange=0
      terminated by alert during payload data exchange=0
    Finished sessions not decrypted=36054 (70% of all finished sessions)
      with no private key found=0 (new sessions=0 reused sessions=0)
      with a packet lost during handshake=496 (new sessions=436 reused sessions=60)
      with a corrupted handshake packet or incorrect handshake sequence=0 (new sessions=0 reused sessions=0)
      with decryption broken during handshake=0 (new sessions=0 reused sessions=0)
      with unsupported SSL version=0 (ssl2.0=0 otherVersions=0)
      with unsupported SSL feature=11171 (unsupported cipher=11171 compression=0 server key exchange=0)
      reused sessions with no matching master session seen before=2178
      with incomplete SSL handshake=97 (new sessions=97 reused sessions=0)
      terminated by alert during handshake=79
      reuse errors when PMS identified with session id=2238, with session ticket=0
      session not seen from the beginning=22033
      with other errors=0
    SSL cipher-suites status:
    + RC4-MD5 id=04 kex=RSA sig=RSA enc=RC4 dig=MD5 ref=5345
    + AES128-SHA id=2F kex=RSA sig=RSA enc=AES-128-CBC dig=SHA ref=2854
    - DHE-RSA-AES128-SHA id=33 kex=DH sig=RSA enc=AES-128-CBC dig=MD5 ref=11171

APPENDIX B

Extracting Web Server Private SSL Keys

There are three phases for extracting private keys:

1. Extract the key from the server configuration.
2. Encode the key into PEM format.
3. Decrypt the key's password.

Extracting Web Server Private RSA Keys for Apache/OpenSSL Server

Applicability

This procedure has been tested on:

• Apache versions apache-1.3.12-25 and above
• openssl-0.9.5a-14 on Red Hat Enterprise Linux 6.2

Extracting the Key from the Server Configuration

The Apache Web server already stores its server key in PEM-encoded format. The key is placed in a directory specified in the server configuration file (typically /etc/httpd/conf/httpd.conf) and is defined by the directives SSLCertificateFile or (if the server key is separated from its certificate) SSLCertificateKeyFile. The default location of the file is /etc/httpd/conf/ssl.key.

Recoding the Key into PEM Format

This is not required, because the key is already in PEM format.
Decrypting the Key's Password

You can decrypt the key with the openssl command:

    openssl rsa -in encrypted_key_filename -out decrypted_key_filename

You are prompted for a password.

Extracting Web Server Private RSA Keys for Microsoft IIS 4.0 Server

Applicability

This procedure has been tested on IIS 4.0/WinNT4.0 SP6a.

Extracting the Key from the Server Configuration

To extract the key, you must create a backup copy of your server certificate and the private key as follows:

1. Open Key Manager (from IIS management console or menu).
2. Select the key to export (under WWW) and select Key ➤ Export from the menu.
3. Choose a file (for example, temp.key) and click Finish.

Now you have one file with the combined server key file and server certificate and you can extract the key.

4. Open the backup file (in this example, temp.key) in an editor in hexadecimal mode.
5. Find the string “private-key” in the file.
6. Scan back until you find the hex values “30 82”.
7. Write from that position to a new file (for example, tmp.bin).

Figure 18. Extracting the Key from the Server Configuration

For the above example, issue the following command:

    dd if=temp.key of=tmp.bin bs=1 skip=29

This is because you have to write the new file beginning with the 29th (0x1d) octet.

Recoding the Key into PEM Format and Decrypting the Password

IIS stores its keys in NET format. To recode it in PEM format, use the following openssl command on the AMD:

    openssl rsa -inform NET -in tmp.bin -out key.pem

You are prompted for a password. If you get an error after entering the password, try adding the -sgckey option to the openssl command.
Extracting Web Server Private RSA Keys for Microsoft IIS 5.0 Server

Applicability

This procedure has been tested on IIS 5.0/Win2kPro SP2.

Extracting the Key from the Server Configuration

In the 4.0 release of IIS, Key Manager was used to back up server certificates. In IIS 5.0, the Web Server Certificate Wizard replaces Key Manager. Because IIS works closely with Windows, you can use the Certificate Manager tool to export and back up your server certificates.

This procedure requires Certificate Manager. If you do not have Certificate Manager installed in the MMC, you will need to install it (see “To install Certificate Manager” below) and then go to “To back up your server certificate”. If you already have Certificate Manager installed in the MMC, it will point to the correct Local Computer certificate store. In this case, skip directly to “To back up your server certificate”.

To install Certificate Manager:

1. Open an MMC console and select Add/Remove Snap-in from the Console menu.
2. Click Add.
3. Select Certificate Manager.
4. Click Add.
5. Select the Computer account option.
6. Select the Local Computer option.
7. Click Finish.

To back up your server certificate:

1. Locate the correct certificate store. This is typically the Local Computer store in Certificate Manager.
2. Select the certificate in the Personal store.
3. Open the Action menu, point to All tasks, and click Export.
4. In the Certificate Manager Export Wizard, select Yes, export the private key.
5. Accept the wizard default settings and enter a password for the certificate backup file when prompted.

   CAUTION
   Do not select Delete the private key if export is successful, because this will disable your current server certificate. Be sure that PKCS12 format is chosen.

6. Use the wizard to export a backup copy of your server certificate.
Now you have one file that combines a server key file and a server certificate in PKCS12 format.

Recoding and Decrypting the Key into PEM Format

To recode the key to PEM format, use the following openssl command on the AMD:

    openssl pkcs12 -nocerts -in key.pfx -out key.pem -nodes

You are prompted for a password. Provide the same password you used during key backup.

Extracting Web Server Private RSA Keys for Netscape (Old Format)

Netscape stores keys in a database of a proprietary format and does not provide tools for exporting keys to known formats. However, the Netscape database format can be understood by Netscape Navigator 3.x. You will then have to move the database to Netscape 4.x, because 3.x does not have the key export feature.

You need:

• Netscape Navigator 3.x,
• Netscape Communicator 4.x,
• OpenSSL,
• Server certificate issued for the key we are extracting (it may be the original certificate from the server or a new one signed by OpenSSL).

Applicability

This procedure has been tested on:

• Netscape Communicator 4.08 Eng
• Netscape Communicator 4.79 Eng
• Netscape Navigator 3.0 Eng
• Netscape Proxy 3.0 for WinNT
• OpenSSL-0.9.5a-14 for Red Hat 6.2

Recoding and Decrypting the Key into PEM Format

The exported key is in PKCS12 format. To recode it to PEM format, use the following openssl command on the AMD:

    openssl pkcs12 -nocerts -in key.p12 -out key.pem -nodes

You are prompted for a password and must provide the same password as during key export under Netscape Communicator.

Extracting the Key from Server Configuration

1. If your key database files (from %netscape_home%/alias) are name-cert5.db and name-key.db, you have the old database format. Follow this procedure from step 2.

   If your key database files (from %netscape_home%/alias) are name-cert7.db and name-key3.db, you have the new database format. For more information, see Extracting Web Server Private RSA Keys for Netscape (New Format).

2. Install Netscape Navigator 3.x and Netscape Communicator 4.x in different directories.
3. Delete the files key.db and cert5.db from the 3.x directory.
4. Start and exit NN 3.x to create a default key and a certificate database.
5. Overwrite the file key.db with the server key database file, which can be found in %netscape_home%/alias. Preserve the name of the file, that is, key.db.
6. Start NN 3.x and set the password (Options ➤ Security Preferences ➤ Passwords ➤ Set Password).

   CAUTION
   The password must be the same as the password you used with the key database, on the server. If you make an error during this step, the database will not be usable, though this will not become apparent until later.

7. Do the same as in step 5 but change the password to something else. This way you will verify that the database is properly imported into NN and can be read by NN. If you get an error, this might mean that you have mistyped the password in the previous step. Exit NN 3.x.
8. Delete the files cert7.db and key3.db from the NC 4.x user directory (typically %NC_home%/Users/user_name).
9. Copy the files key.db and cert5.db from the NN 3.x directory into the NC 4.x user directory.
10. Start NC 4.x and change the password: to access Security Preferences, click the lock icon. Change it again to something else to confirm that it is working correctly. There should be no errors. Exit NC 4.x. Now you have a database imported into NC 4.x.
11. You now need to get a certificate corresponding to the private key. You may be able to use the original server certificate (get it from the server administrator) or create a dummy certificate with OpenSSL (command openssl ca -policy policy_anything -infiles request.csr) based on a certificate-signing request (request.csr) generated on the server for the private key you are exporting. You can also use the Thawte Web page to generate a test certificate.
12. You install the certificate by sending it to the browser as a MIME type application "application/x-x509-user-cert". In the file user_home_directory/.mime.types, under Unix, add the following lines:

        type=application/x-x509-user-cert \
        desc="Cert inst" \
        exts="pem"

13. Under Windows, you can add a new MIME type in NC (Edit ➤ Preferences ➤ Navigator ➤ Application) with an appropriate extension and just point the browser at the file. The information you supply is the same as specified above.
14. Save the certificate as file cert.pem and open it in NC 4.x. You should be prompted for the password you last entered to protect the key database. After this, you should see it under Security ➤ Yours.
15. In Security Preferences, click Export and export the certificate to a file (key.p12).

Extracting Web Server Private RSA Keys for Netscape (New Format)

Applicability

This procedure has been tested on:

• iPlanet FastTrack 4.0 for WinNT and 6.0 for Solaris
• Netscape Enterprise 4.1 SP5 for Solaris
• Netscape Communicator 4.79 Eng
• openSSL-0.9.5a-14 for Red Hat Enterprise Linux 6.2

Extracting the Key from Server Configuration

1. Check the names of your key database files.

   • If your key database files (from %netscape_home%\alias) are name-cert7.db and name-key3.db, you have the new database format and you are reading the right procedure. Go to the next step.
   • If your key database files (from %netscape_home%\alias) are name-cert5.db and name-key.db, you have the old database format. In this case, do not continue with the procedure you are currently reading. You should instead use the procedure described in Extracting Web Server Private RSA Keys for Netscape (Old Format).

2. Install Netscape Communicator 4.x; use the Profile Manager to create a user profile.
3. Start and exit Netscape Communicator 4.x to create a default key and certificate database.
4. Delete the file cert5.db from the Netscape Communicator 4.x user directory (%nc_home%\Users\user_name).
5. Overwrite the file key3.db with the server key database file (it can be found in %netscape_home%\alias\name-key3.db). Retain key3.db as the file name. Overwrite the file cert7.db with the server cert database file (it can be found in %netscape_home%\alias\name-cert7.db). Retain cert7.db as the file name.
6. Under Security Preferences, click Export and export the certificate to a file (key.p12). For a password, provide the password you use to start the Web server from which the key comes.
7. Enter and confirm the export password.

Recoding and Decrypting the Key into PEM Format

The exported key is in PKCS12 format. To recode it to PEM format, use the following openssl command on the AMD:

    openssl pkcs12 -nocerts -in key.p12 -out key.pem -nodes

You are prompted for a password. Provide the same password you used during key extraction above.

Extracting Web Server Private RSA Keys for Zeus

Applicability

This procedure has been tested on Zeus Web Server v4.0.

Extracting the Key from the Server Configuration

Zeus already stores its server key in PEM-encoded format. The key is placed in the directory specified in the configuration file (typically %zeushome%/webadmin/conf/ssl_config) and is defined by the directive [instance_name]!private.
The default location is %zeushome%/web/ssl/

Recoding the Key into PEM Format

This is not required, because the key is already in the PEM format.

Decrypting the Key's Password

This is not required, because Zeus does not support key password encryption.

Extracting SSL Private Keys from an iPlanet Web Server

Use the following procedure to extract the Verisign SSL private keys from an iPlanet Web Server to pk12 format.

1. Set up the environment and the current working directory.

   a. Set the LD_LIBRARY_PATH environment variable to <server_root>/bin/https/lib, for example:

          export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/services/iplanet6sp5/bin/https/lib

   b. Add <server_root>/bin/https/admin/bin to the PATH environment variable, for example:

          export PATH=$PATH:/opt/services/iplanet6sp5/bin/https/admin/bin

   c. Locate the pk12util utility, for example:

          which pk12util
          /opt/services/iplanet6sp5/bin/https/admin/bin/pk12util

   d. Locate the certutil utility, for example:

          which certutil
          /opt/services/iplanet6sp5/bin/https/admin/bin/certutil

   e. Change the current working directory to the server root directory, for example:

          cd /opt/services/iplanet6sp5/

2. Convert the .db files to PKCS12 format.

   a. Create a temporary directory, for example:

          mkdir /tmp/alias

   b. Change the current working directory to the <server_root>/alias directory, for example:

          cd /opt/services/iplanet6sp5/alias

   c. Copy the .db files to the temporary directory, for example:

          cp https-pweb1.hap.org-pweb1-key3.db https-pweb1.hap.org-pweb1-cert7.db /tmp/alias

   d. Change the current working directory to the temporary directory, for example:

          cd /tmp/alias

   e. Create symbolic links of the files to be converted, for example:

          ln -s https-pweb1.hap.org-pweb1-key3.db key3.db
          ln -s https-pweb1.hap.org-pweb1-cert7.db cert7.db

   f. Run the certutil utility. The -K option lists the key ID of keys in the key database.
      A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal (“0x” is not shown). The -d option specifies the database directory containing the certificate and key database files. This example uses the current directory “.” as the directory.

          certutil -K -d .
          Enter Password or Pin for "NSS Certificate DB":
          <0> Server-Cert

      The converted files reside in the current working directory, /tmp/alias, in this example.

3. Export the SSL certificate and key.

   Run the pk12util utility, supplying as arguments the directory containing the converted certificate .db file, the name of the export file to create and the certificate name, for example:

          pk12util -d /tmp/alias -o /tmp/pweb1_certpk12 -n Server-Cert
          Enter Password or Pin for 'NSS Certificate DB':
          Enter password for PKCS12 file:
          Re-enter password:
          pk12util: PKCS12 EXPORT SUCCESSFUL

APPENDIX C

SSL Support

The AMD can analyze traffic encrypted with SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2. With the exception of compression, all other elements of the protocol are supported. Analysis can be performed using OpenSSL or any of a number of SSL accelerator cards.

SSL Software Support

Supported SSL Versions

• SSL 3.0
• TLS 1.0
• TLS 1.1
• TLS 1.2

Unsupported Elements of the SSL Protocol

• Compression

Public Key Cryptography and Key Exchange Algorithm Support

Supported:
• RSA

Conditionally supported:
• RSA exported (depending on the key size. For more information, see Table 3. Cipher Suites Support on the AMD.)

Unsupported:
• DSA
• Diffie-Hellman
• Fortezza

Supported RSA Keys

• OpenSSL: 1024, 2048, 4096, and 8192 bits in PEM format.
• nFast accelerator: 1024, 2048, and 4096 bits in PEM format.
• nShield accelerator: 1024, 2048, and 4096 bits embedded.
• NITROX XL FIPS Acceleration Board: 1024 and 2048 bits embedded.
• Sun Crypto Accelerator 6000: 1024 and 2048 bits embedded or in PEM format.

FIPS 140-2 Level 3 Support

FIPS 140-2 Level 3 is supported for the following cards:

• NITROX XL FIPS Acceleration Board
• nShield
• Sun Crypto Accelerator 6000

Supported Symmetric Ciphers

• RC2 (40, 56, 128)
• RC4 (40, 56, 64, 128)
• DES (40, 56)
• 3DES (168)
• AES (128, 256)

Supported Hash Functions

• MD5
• SHA1

Cipher Suites Support on the AMD

Table 3. Cipher Suites Support on the AMD

| OpenSSL Cipher Tag | Key Exchange | Symmetric Encryption Method | Message Authentication Code | AMD Support |
|---|---|---|---|---|
| EXP-RC4-MD5 | RSA_EXP(512) | RC4 | MD5 | Yes* |
| RC4-MD5 | RSA | RC4 | MD5 | Yes |
| RC4-SHA | RSA | RC4 | SHA | Yes |
| EXP-RC2-CBC-MD5 | RSA_EXP(512) | RC2 | SHA | No |
| IDEA-CBC-SHA | RSA | IDEA | SHA | No |
| EXP-DES-CBC-SHA | RSA_EXP(512) | DES | SHA | Yes* |
| DES-CBC-SHA | RSA | DES | SHA | Yes |
| DES-CBC3-SHA | RSA | DES3 | SHA | Yes |
| EXP-DH-DSS-DES-CBC-SHA | DH | DES | SHA | No |
| DH-DSS-DES-CBC-SHA | DH | DES | SHA | No |
| DH-DSS-DES-CBC3-SHA | DH | DES3 | SHA | No |
| EXP-DH-RSA-DES-CBC-SHA | DH | DES | SHA | No |
| DH-RSA-DES-CBC-SHA | DH | DES | SHA | No |
| DH-RSA-DES-CBC3-SHA | DH | DES3 | SHA | No |
| EXP-EDH-DSS-DES-CBC-SHA | DH | DES | SHA | No |
| EDH-DSS-DES-CBC-SHA | DH | DES | SHA | No |
| EDH-DSS-DES-CBC3-SHA | DH | DES3 | SHA | No |
| EXP-EDH-RSA-DES-CBC-SHA | DH | DES | SHA | No |
| EDH-RSA-DES-CBC-SHA | DH | DES | SHA | No |
| EDH-RSA-DES-CBC3-SHA | DH | DES3 | SHA | No |
| EXP-ADH-RC4-MD5 | DH | RC4 | MD5 | No |
| ADH-RC4-MD5 | DH | RC4 | MD5 | No |
| EXP-ADH-DES-CBC-SHA | DH | DES | MD5 | No |
| ADH-DES-CBC-SHA | DH | DES | MD5 | No |
| ADH-DES-CBC3-SHA | DH | DES3 | MD5 | No |
| EXP1024-RC4-MD5 | RSA_EXP(1024) | RC4 | MD5 | Yes* |
| EXP1024-RC2-CBC-MD5 | RSA_EXP(1024) | RC2 | MD5 | No |
| EXP1024-DES-CBC-SHA | RSA_EXP(1024) | DES | SHA | Yes* |
| EXP1024-DHE-DSS-DES-CBC-SHA | DH | DES | SHA | No |
| EXP1024-RC4-SHA | RSA_EXP(1024) | RC4 | SHA | Yes* |
| EXP1024-DHE-DSS-RC4-SHA | DH | RC2 | SHA | No |
| DHE-DSS-RC4-SHA | DH | RC4 | SHA | No |
| AES128-SHA | RSA | AES-128-CBC | SHA | Yes |
| AES128-SHA256 | RSA | AES-128-CBC | SHA256 | Yes |
| DH-DSS-AES128-SHA | DH | AES-128-CBC | MD5 | No |
| DH-RSA-AES128-SHA | DH | AES-128-CBC | MD5 | No |
| DHE-DSS-AES128-SHA | DH | AES-128-CBC | MD5 | No |
| DHE-RSA-AES128-SHA | DH | AES-128-CBC | MD5 | No |
| ADH-AES128-SHA | DH | AES-128-CBC | MD5 | No |
| AES256-SHA | RSA | AES-256-CBC | SHA | Yes |
| AES256-SHA256 | RSA | AES-256-CBC | SHA256 | Yes |
| DH-DSS-AES256-SHA | DH | AES-256-CBC | MD5 | No |
| DH-RSA-AES256-SHA | DH | AES-256-CBC | MD5 | No |
| DHE-DSS-AES256-SHA | DH | AES-256-CBC | MD5 | No |
| DHE-RSA-AES256-SHA | DH | AES-256-CBC | MD5 | No |
| ADH-AES256-SHA | DH | AES-256-CBC | MD5 | No |
| CAMELLIA128-SHA | RSA | CAM128-CBC | SHA | Yes** |
| CAMELLIA256-SHA | RSA | CAM256-CBC | SHA | Yes** |
| SEED-SHA | RSA | SEED-CBC | SHA | Yes** |

* Support for the key size within the imposed limit (see Key exchange column).
** Supported on both RHEL 5 and 6, but for RHEL 5 it depends on the OpenSSL version: Camellia requires ver. 0.9.8c, SEED requires ver. 0.9.8f.

SSL Hardware Support

The AMD supports a number of SSL accelerator cards. For the list of supported hardware accelerator cards, see Tested Cards in the Data Center Real User Monitoring Hardware Recommendations.
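Table 3 marks every suite with a Diffie-Hellman key exchange as unsupported, and the per-server SHOW SSLDECR STATUS output in Appendix A lists each observed suite with a +/- flag and a ref counter. The following added example (not part of the guide or the product) parses those lines to show how much of a server's traffic used suites the AMD cannot decrypt. It assumes that + and - mean supported and unsupported, that ref counts the sessions referencing a suite, and that the output has one record per line; the second server block in the sample is constructed.

```python
import re
from collections import defaultdict

# First server block: abridged from the guide's example output (line layout assumed).
# Second server block: constructed for this example, using a documentation address.
SAMPLE_STATUS = """\
SSL DECRYPTION STATUS for server 50.50.50.50 port 443:
SESSIONS:
Total number of sessions=51114 (inProgress=1 Finished=51113)
Finished sessions not decrypted=36054 (70% of all finished sessions)
  with unsupported SSL feature=11171 (unsupported cipher=11171 compression=0 server key exchange=0)
SSL cipher-suites status:
+ RC4-MD5 id=04 kex=RSA sig=RSA enc=RC4 dig=MD5 ref=5345
+ AES128-SHA id=2F kex=RSA sig=RSA enc=AES-128-CBC dig=SHA ref=2854
- DHE-RSA-AES128-SHA id=33 kex=DH sig=RSA enc=AES-128-CBC dig=MD5 ref=11171
SSL DECRYPTION STATUS for server 192.0.2.10 port 443:
SESSIONS:
Finished sessions not decrypted=12 (1% of all finished sessions)
  with unsupported SSL feature=0 (unsupported cipher=0 compression=0 server key exchange=0)
SSL cipher-suites status:
+ AES256-SHA id=35 kex=RSA sig=RSA enc=AES-256-CBC dig=SHA ref=900
"""

HEADER_RE = re.compile(r"SSL DECRYPTION STATUS for server (\S+) port (\d+):")
UNSUPPORTED_CIPHER_RE = re.compile(r"unsupported cipher=(\d+)")
SUITE_RE = re.compile(
    r"(?P<flag>[+-])\s+(?P<name>\S+)\s+id=(?P<id>[0-9A-Fa-f]+)\s+kex=(?P<kex>\S+)"
    r"\s+sig=(?P<sig>\S+)\s+enc=(?P<enc>\S+)\s+dig=(?P<dig>\S+)\s+ref=(?P<ref>\d+)$"
)


def parse_status(text):
    """Split per-server output into the unsupported-cipher counter and suite records."""
    servers = {}
    current = None
    in_suites = False
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = {"unsupported_cipher_sessions": None, "suites": []}
            servers[f"{header.group(1)}:{header.group(2)}"] = current
            in_suites = False
            continue
        if current is None:
            continue                      # global (non per-server) section: ignored here
        counter = UNSUPPORTED_CIPHER_RE.search(line)
        if counter:
            current["unsupported_cipher_sessions"] = int(counter.group(1))
        elif line.startswith("SSL cipher-suites status"):
            in_suites = True
        elif in_suites:
            suite = SUITE_RE.match(line)
            if suite:
                current["suites"].append({
                    "name": suite.group("name"),
                    "kex": suite.group("kex"),
                    "supported": suite.group("flag") == "+",   # assumption: + means decryptable
                    "ref": int(suite.group("ref")),
                })
    return servers


def decryption_coverage(text):
    """Per server: references by key exchange and the share hitting unsupported suites."""
    report = {}
    for server, data in parse_status(text).items():
        refs_by_kex = defaultdict(int)
        for suite in data["suites"]:
            refs_by_kex[suite["kex"]] += suite["ref"]
        blocked = [s for s in data["suites"] if not s["supported"]]
        blocked_refs = sum(s["ref"] for s in blocked)
        total = sum(refs_by_kex.values())
        report[server] = {
            "refs_by_kex": dict(refs_by_kex),
            "blocked_suites": [s["name"] for s in blocked],
            "blocked_refs": blocked_refs,
            "blocked_share": round(blocked_refs / total, 3) if total else 0.0,
            # Cross-check against the "unsupported cipher" session counter.
            "matches_counter": blocked_refs == data["unsupported_cipher_sessions"],
        }
    return report


if __name__ == "__main__":
    for server, row in decryption_coverage(SAMPLE_STATUS).items():
        print(server, row)
```

In the guide's sample for server 50.50.50.50, the ref value of the single unsupported suite equals the "unsupported cipher" counter, so more than half of the suite references on that server belong to sessions that cannot be decrypted regardless of which private keys are loaded.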