
Alert on outdated certificates for which we miss decrypted traffic

dennis_mispelba
Inactive

Hi,

currently at customer we are always facing the issue that certificates are expired and we cannot decrypt that traffic therefore anymore in DCRUM, leading to missing applications/operations which are actually configured. So besides the fact that change management anyway should tell us when they are renewing certificates, I was thinking of a workaround until they do, as a quick win. So I was wondering if I could set up an alert on SSL errors, e.g. when they are rising for a software service, I know that traffic is not decrypted anymore. But I think SSL errors is not the correct metric in this case. Do you have any other (better) idea how I could automatically alert from CAS in order to identify that certain traffic is not decrypted anymore?

Best regards,
Dennis 

8 REPLIES 8

ulf_thorn222
Inactive

Well you have the "decryption_failed" = error code 21 as well as "certificate_expired" = error code 45, any of those 2 should tell you when things start to go bad.

Hi Ulf,

this sounds great, but where do I find these metrics? At least in the alert section I don't. I am talking about 12.2 here, however we will update to 12.3 soon.

Best regards,
Dennis

ulf_thorn222
Inactive

Hi

Sorry for being a bit late in replying.

Managing SSL Alert Codes and perhaps also Defining SSL Error Names even though that might be a bit drastic.

Perhaps the easiest way is to use what's there already - I was trying to post a picture here but.... If you go into RUM Console and then go "Alerts" - "Predefined" and check the "Show Disabled" and then filter on SSL, the last one should be "SSL sessions not decrypted". However, I think this might pull an alert for anything SSL that you do not have a key for, which might be classified as "False Positive" depending on your environment.

Thanks Ulf, I will have a look into your links and the other approach. You are right, I would think SSL sessions not decrypted might give a lot of false positives in case not all SSL traffic which is seen, is also decrypted. Let's see. Thanks!

I went through your links and the list provided in Managing SSL Alert Codes is really great. Going through the documentation, I could not see, however, how to access a single measure for an error like "decrypt_error" or "certificate_expired", so I think I will go ahead and alert on the specific error group they are allocated to (e.g. group SSL Error 2).

As for now - that might be the most feasible way (at least the quickest).

But I think there is an improvement around the corner sebastian.kruk@dynatrace.com ?

How about an alert when the number of operations is zero?

Depends how busy your service is of course, as you may have quiet periods which you may wish to ignore.

Or an alert that compares number of operations with network traffic for the service - again, if there is network traffic but there are no operations, this suggests you aren't decrypting.

Thank you, I will think about it.
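
The traffic-versus-operations comparison suggested above, sketched as an added example that is not part of the thread and not DCRUM/CAS code. The tuple layout, the thresholds and the sample rows are assumptions constructed for illustration; the input would be whatever per-interval export of bytes and operations per software service you have available.

```python
from collections import defaultdict

# Constructed sample: (interval, software service, bytes seen, decoded operations)
SAMPLES = [
    ("10:00", "webshop", 48_000_000, 1250),
    ("10:05", "webshop", 51_000_000, 1310),
    ("10:10", "webshop", 47_500_000, 0),   # traffic continues, operations stop
    ("10:15", "webshop", 49_200_000, 0),
    ("10:20", "webshop", 50_100_000, 0),
    ("10:00", "intranet", 900_000, 40),
    ("10:05", "intranet", 12_000, 0),      # quiet period: hardly any traffic
    ("10:10", "intranet", 8_000, 0),
    ("10:15", "intranet", 15_000, 0),
    ("10:20", "intranet", 1_100_000, 35),
]


def undecrypted_services(samples, min_bytes=1_000_000, min_intervals=3):
    """Return {service: first interval of the run} for services that show at
    least min_bytes of traffic but zero operations in min_intervals
    consecutive intervals. Samples must be in time order per service."""
    run_start = {}
    run_len = defaultdict(int)
    flagged = {}
    for interval, service, nbytes, operations in samples:
        if operations == 0 and nbytes >= min_bytes:
            # Traffic is present but nothing was decoded: extend the run.
            if run_len[service] == 0:
                run_start[service] = interval
            run_len[service] += 1
            if run_len[service] >= min_intervals:
                flagged.setdefault(service, run_start[service])
        else:
            # Operations were seen, or the interval is too quiet to judge.
            run_len[service] = 0
    return flagged


if __name__ == "__main__":
    for service, since in undecrypted_services(SAMPLES).items():
        print(f"{service}: traffic without operations since {since}")
```

The byte threshold is what keeps quiet periods from alerting, and the consecutive-interval count keeps a single empty interval from doing so; both need tuning per service.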