This product reached the end of support date on March 31, 2021.

INSTALL SSL KEY .PEM DCRUM

roberto_ravo
Guide

Hi all, I've received a key in .pem format and I want to install and configure it on the AMD machine.
I read many instructions in the 'DCRUM 12.3' docs but I can't really understand how to do it.
I added this line to rtm.config: "server.key.dir=/usr/adlex/config/keys/"
After this, I don't know how to go on... a little help please!
Thanks

Roberto


sandrine-extern
Advisor

Hi Roberto,

A *.PEM file is the certificate, not the key! You'll need the *.KEY file if you want to read the traffic.

Once you have the *.KEY file, add it to the /usr/adlex/config/keys/ folder, then create or edit the keylist file that must be located in /usr/adlex/config/keys/ as follows:

file,nameofyourkey.key,comment (name of the application for instance)

Save the file and restart your AMD : ndstop && ndstart

You can then check the key using the following command:

rcmd 'show ssldecr keys'

It should say "MATCHED" on the key line

Example:

You can check if your traffic is read using this command :

rcmd 'show ssldecr status yourserverIP'

Here is an example:

Cheers,

Sandrine

Hi Sandrine,

Thank you for your answer!

Cheers,
Roberto

The file extension does not matter, only the content.

A private key may have any extension (including .pem); all we need to care about is whether the content is in PEM format.
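Sandrine's reply gives the procedure (put the key in /usr/adlex/config/keys/, list it in the keylist file as `file,<name>,<comment>`, restart, then check with `rcmd 'show ssldecr keys'`), and the reply above adds that the extension is irrelevant and only the PEM content counts. The script below is an added example written for this thread, not DCRUM or Dynatrace code: it inspects every file in a keys directory by its PEM label and leading DER tag, emits keylist lines only for unencrypted private keys, and reports anything else (a certificate dropped in by mistake, a passphrase-protected key, a non-PEM file) with a reason. The directory path and keylist format come from the thread; the idea that the AMD cannot use a passphrase-protected key without it being decrypted first is an assumption, marked as such in the comments, and the sample files are constructed dummies rather than real keys.

```python
"""Check a DCRUM-style key directory and build keylist lines from it.

Added example, not DCRUM code. Assumptions (labelled):
  - keys live in a directory such as /usr/adlex/config/keys/ (from the thread)
  - keylist format is one line per key: file,<filename>,<comment> (from the thread)
  - a passphrase-protected key is not usable by the AMD as-is (assumption)
Detection is by PEM label and the leading ASN.1 SEQUENCE tag only; the AMD
does the real parse when it loads the key.
"""
import base64
import binascii
import re
import tempfile
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.S,
)
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

REASONS = {
    "certificate": "certificate, not a private key: the AMD needs the key file",
    "encrypted-key": "passphrase-protected key; decrypt it first (assumption: AMD cannot prompt)",
    "bundle": "key and certificate in one file; keep only the private key block (assumption)",
    "not-pem": "no PEM block found (binary DER or an unrelated file)",
    "corrupt": "PEM body is not valid base64 or does not start with a DER SEQUENCE",
    "unknown": "PEM block with an unexpected label",
}


def pem_blocks(text):
    """Yield (label, der_bytes_or_None, is_encrypted) for each PEM block in text."""
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        lines = m.group("body").splitlines()
        # Legacy OpenSSL encrypted keys carry "Proc-Type:" / "DEK-Info:" header lines
        headers = [ln for ln in lines if ":" in ln]
        b64 = "".join(ln.strip() for ln in lines if ":" not in ln)
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers
        )
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error:
            der = None
        yield label, der, encrypted


def classify_pem(text):
    """Classify file content: private-key, certificate, encrypted-key, bundle, not-pem, corrupt, unknown."""
    kinds = set()
    for label, der, encrypted in pem_blocks(text):
        if der is None or der[:1] != b"\x30":  # every key/cert DER starts with SEQUENCE
            return "corrupt"
        if encrypted:
            kinds.add("encrypted-key")
        elif label in PRIVATE_KEY_LABELS:
            kinds.add("private-key")
        elif label == "CERTIFICATE":
            kinds.add("certificate")
        else:
            kinds.add("other")
    if not kinds:
        return "not-pem"
    if "private-key" in kinds and "certificate" in kinds:
        return "bundle"
    if kinds == {"private-key"}:
        return "private-key"
    if kinds == {"certificate"}:
        return "certificate"
    if "encrypted-key" in kinds:
        return "encrypted-key"
    return "unknown"


def build_keylist(key_dir, comments=None):
    """Return (keylist_lines, skipped) for the files in key_dir.

    keylist_lines use the thread's format: file,<name>,<comment>.
    skipped maps filename -> reason, so a certificate mistakenly placed in the
    keys directory is reported instead of silently listed.
    """
    comments = comments or {}
    lines, skipped = [], {}
    for path in sorted(p for p in Path(key_dir).iterdir() if p.is_file() and p.name != "keylist"):
        kind = classify_pem(path.read_text(errors="replace"))
        if kind == "private-key":
            lines.append(f"file,{path.name},{comments.get(path.name, path.stem)}")
        else:
            skipped[path.name] = REASONS.get(kind, kind)
    return lines, skipped


# Constructed dummy DER: a SEQUENCE tag plus filler. NOT a real key or certificate;
# it only exercises the label / base64 / tag checks above.
_DUMMY_DER = b"\x30\x08\x02\x01\x00\x04\x03abc"


def make_pem(label, legacy_encrypted=False):
    """Build a constructed PEM block with the given label (sample data only)."""
    body = base64.b64encode(_DUMMY_DER).decode()
    hdr = "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n" if legacy_encrypted else ""
    return f"-----BEGIN {label}-----\n{hdr}{body}\n-----END {label}-----\n"


def demo():
    """Write constructed sample files to a temp dir and run build_keylist on it."""
    key_dir = Path(tempfile.mkdtemp(prefix="keys-"))
    (key_dir / "app.key").write_text(make_pem("PRIVATE KEY"))        # usable key
    (key_dir / "app.pem").write_text(make_pem("CERTIFICATE"))        # the .pem from the question: a certificate
    (key_dir / "other.pem").write_text(make_pem("RSA PRIVATE KEY"))  # a key despite its .pem extension
    (key_dir / "legacy.key").write_text(make_pem("RSA PRIVATE KEY", legacy_encrypted=True))
    (key_dir / "notes.txt").write_text("not a pem file\n")
    return build_keylist(key_dir)


if __name__ == "__main__":
    keylist, skipped = demo()
    print("\n".join(keylist))
    for name, why in skipped.items():
        print(f"# skipped {name}: {why}")
```

Run against a real keys directory with `build_keylist("/usr/adlex/config/keys/")` and compare the emitted lines with the existing keylist; any file that lands in `skipped` as a certificate is exactly the mistake the first reply warns about.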

himanshumor
Inactive

Hello Sandrine,

What is the difference between "matched" & "read"?

Regards

HImanshu Mor

"read" means the AMD was able to read in and load the key at startup, "matched" means the AMD has seen a certificate in the traffic that matches the key and is able to decrypt traffic using the matching certificate and supported ciphers.

-- Erik

himanshumor
Inactive

Hey Erik!

Thanks for your super fast response !

I have 167 keys, all showing as read and zero matched:

Keys total: 167, ok: 167, failed: 0, matched: 0

I hope the reason I see zero matched is probably that I am not getting any of the required traffic.

Regards

HM

That's one possibility, but 167 keys with no matching traffic is quite a rare occurrence. Maybe you can pick a few server IPs and do a

rcmd show ssldecr status serverIP

The output will let us know if there is a problem with the decryption or if there was really no traffic...

himanshumor
Inactive

Thanks Christopher!