Currently at a customer we are always facing the issue that certificates are expired and we therefore cannot decrypt that traffic anymore in DCRUM, leading to missing applications/operations which are actually configured. So besides the fact that change management should tell us anyway when they are renewing certificates, I was thinking of a workaround until they do, as a quick win. So I was wondering if I could set up an alert on SSL errors, e.g. when they are rising for a software service, I know that traffic is not decrypted anymore. But I think SSL errors is not the correct metric in this case. Do you have any other (better) idea how I could automatically alert from CAS in order to identify that certain traffic is not decrypted anymore?
Sorry for being a bit late in replying.
Perhaps the easiest way is to use what's there already - I was trying to post a picture here but.... If you go into RUM Console and then go "Alerts" - "Predefined" and check the "Show Disabled" and then filter on SSL, the last one should be "SSL sessions not decrypted". However, I think this might pull an alert for anything SSL that you do not have a key for, which might be classified as "False Positive" depending on your environment.
Thanks Ulf, I will have a look into your links and the other approach. You are right, I would think "SSL sessions not decrypted" might give a lot of false positives in case not all SSL traffic which is seen is also decrypted. Let's see. Thanks!
I went through your links and the list provided in Managing SSL Alert Codes is really great. Going through the documentation, I could not see, however, how to access a single measure for an error like "decrypt_error" or "certificate_expired", so I think I will go ahead and alert on the specific error group they are allocated to (e.g. group SSL Error 2).
How about an alert when the number of operations is zero?
Depends how busy your service is of course, as you may have quiet periods which you may wish to ignore.
Or an alert that compares number of operations with network traffic for the service - again, if there is network traffic but there are no operations, this suggests you aren't decrypting.
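The traffic-versus-operations heuristic from the post above, as an added example that is not part of the original thread and not DCRUM/CAS code: it runs over constructed per-interval figures for a few software services (service names, field names and the byte threshold are assumptions) and handles the quiet-period caveat by ignoring low-traffic intervals and requiring the condition on consecutive busy intervals before raising.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed threshold: below this many bytes per interval the service is
# treated as quiet (e.g. a lunchtime lull) and the interval is ignored.
MIN_BYTES = 1_000_000


@dataclass
class Interval:
    service: str       # software service name (assumed field)
    bytes_total: int   # network traffic seen for the service in the interval
    operations: int    # operations the CAS recognised, i.e. decrypted and decoded
    ssl_errors: int    # SSL error count, kept only for context in the output


# Constructed sample: 5-minute intervals, in time order, for three services.
SAMPLE = [
    Interval("shop-https",     12_400_000, 830, 2),
    Interval("shop-https",     11_900_000,   0, 41),  # busy but nothing decoded
    Interval("legacy-https",    2_100_000,   0, 7),   # single bad interval only
    Interval("shop-https",         25_000,   0, 0),   # quiet period, ignored
    Interval("intranet-https",  3_200_000, 120, 0),
    Interval("shop-https",     10_800_000,   0, 39),  # second busy interval with 0 ops
]


def undecrypted(iv, min_bytes=MIN_BYTES):
    """True when the interval carried real traffic but produced no operations."""
    return iv.bytes_total >= min_bytes and iv.operations == 0


def alerts(intervals, min_bytes=MIN_BYTES, consecutive=2):
    """Return the services to alert on, in the order the condition was met.

    A service is reported once it shows 'traffic but no operations' for
    `consecutive` busy intervals in a row. Quiet intervals neither count
    nor reset the streak, so a lull cannot mask an expired certificate,
    while a single odd interval does not page anyone.
    """
    streak = defaultdict(int)
    raised = []
    for iv in intervals:
        if iv.bytes_total < min_bytes:
            continue                     # quiet period: skip, per the post
        if iv.operations == 0:
            streak[iv.service] += 1
            if streak[iv.service] == consecutive:
                raised.append(iv.service)
        else:
            streak[iv.service] = 0       # decoding works again, reset
    return raised
```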