DCRUM – monitoring Weblogic – Peoplesoft
This article gives a little background on Weblogic/Peoplesoft, explains how to get the private key out of the keystore, and shows how to set Weblogic to use SSL ciphers supported by DCRUM.
For those who have not configured monitoring for Peoplesoft/Weblogic yet: Peoplesoft rides on top of Weblogic, and Weblogic in turn uses a Java keystore (JKS) to manage the SSL keys.
Weblogic can, and probably will, use ciphers not supported by DCRUM. You can see this by running rcon on the AMD and entering “show ssldecr ciphers”, which lists both the supported and the unsupported ciphers. At the bottom of the list there may be further ciphers that DCRUM does not name; a quick internet search will show what they are (http://www.thesprawl.org/research/tls-and-ssl-cipher-suites/).
In my case we saw C013 (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) and C014 (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) predominantly used in our environment. Even after adding the private keys to the AMD, the Weblogic traffic was not decrypted. The keys were loaded by the AMD (show ssldecr keys) but not used by the servers (show ssldecr servers).
Certain ciphers cannot be decrypted through network sniffing, or are not supported by DCRUM, as explained in the FAQ: https://community.dynatrace.com/community/display/PUBDCRUM/SSL+Decryption+FAQ
Private Key from the JKS
To export the private key, first list the keys and certificates in the JKS with the command:
keytool -list -v -keystore keystore.jks
Replace keystore.jks with the name of the keystore your Weblogic uses.
Look for the entry that is the private key; the other entries are certificates. It is the private key that needs to be exported. Note its alias, then export that entry to a new keystore in PKCS12 format:
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias <jkskeyalias> -deststorepass <password> -destkeypass <password>
Change the parameters as necessary. For jkskeyalias, specify the alias of the private key from the keytool listing; otherwise the command will try to export all of the certificates as well.
Follow the DCRUM documentation to move the key to the AMD and convert it to a PEM formatted file. The input is the PKCS12 file exported above; the output file name is whatever you want the PEM key to be called:
openssl pkcs12 -in privatekey.p12 -nodes -nocerts -out <privatekey.pem>
Add the key to the keylist and restart the RTM process. Verify that the key was loaded by rtm (rcon: show ssldecr keys).
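As an added example (not code from the article, from Dynatrace or from Oracle), the following Python script automates the three steps above: it parses the keytool listing to find the private-key entry, runs the keytool and openssl commands, and checks that a PEM private key actually came out. It refuses to export when the alias is not a private-key entry, which is the mistake the article warns about. It assumes keytool and openssl are on the PATH, that the key password equals the keystore password (the usual case for a Weblogic JKS), and all function and file names are mine.

```python
"""Export the Weblogic server's private key from a JKS keystore as a PEM file.

Added example, not code from the article: it automates the keytool -list ->
keytool -importkeystore -> openssl pkcs12 steps and refuses to run unless the
alias it is about to export is a private-key entry, so certificates are never
exported by mistake.  Assumptions: keytool and openssl are on PATH, and the
key password equals the keystore password (the usual case for a Weblogic JKS).
"""
import subprocess
import sys
from pathlib import Path

# Constructed sample of 'keytool -list -v' output, for testing the parser offline.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: peoplesoft
Creation date: Jan 5, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=psweb.example.internal, O=Example

*******************************************
*******************************************

Alias name: rootca
Creation date: Jan 5, 2015
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example
"""


def find_private_key_aliases(listing):
    """Return the aliases in 'keytool -list -v' output whose entry type is
    PrivateKeyEntry; trustedCertEntry entries are certificates only."""
    aliases, current = [], None
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = line.split(":", 1)[1].strip()
        elif line.startswith("Entry type:") and current is not None:
            if line.split(":", 1)[1].strip() == "PrivateKeyEntry":
                aliases.append(current)
    return aliases


def export_commands(jks, alias, storepass, p12, pem):
    """The two commands from the article as argv lists: copy one alias into a
    PKCS12 keystore, then write the key alone (-nocerts) and without a
    passphrase (-nodes) as PEM, which is the form the AMD keylist takes."""
    keytool = ["keytool", "-importkeystore",
               "-srckeystore", str(jks), "-srcstorepass", storepass,
               "-destkeystore", str(p12), "-deststoretype", "PKCS12",
               "-srcalias", alias,
               "-deststorepass", storepass, "-destkeypass", storepass]
    openssl = ["openssl", "pkcs12", "-in", str(p12), "-passin", "pass:" + storepass,
               "-nodes", "-nocerts", "-out", str(pem)]
    return keytool, openssl


def export_private_key(jks, storepass, pem, alias=None):
    """List the keystore, pick (or validate) the private-key alias, export it,
    and confirm the result is a PEM private key.  Returns the alias used."""
    listing = subprocess.run(
        ["keytool", "-list", "-v", "-keystore", str(jks), "-storepass", storepass],
        check=True, capture_output=True, text=True).stdout
    found = find_private_key_aliases(listing)
    if alias is None:
        if len(found) != 1:
            raise SystemExit("expected exactly one private key entry, found %r" % found)
        alias = found[0]
    elif alias not in found:
        raise SystemExit("%r is not a PrivateKeyEntry; private keys are %r" % (alias, found))
    p12 = Path(pem).with_suffix(".p12")
    for cmd in export_commands(jks, alias, storepass, p12, pem):
        subprocess.run(cmd, check=True)
    if "PRIVATE KEY-----" not in Path(pem).read_text():
        raise SystemExit("%s does not contain a PEM private key" % pem)
    p12.unlink()  # the intermediate PKCS12 copy is not needed once the PEM exists
    return alias


if __name__ == "__main__":
    # usage: export_jks_key.py keystore.jks <storepass> privatekey.pem [alias]
    if len(sys.argv) < 4:
        sys.exit(__doc__)
    print("exported alias", export_private_key(*sys.argv[1:5]))
```

The PEM written by -nodes is an unencrypted private key; copy it to the AMD over an authenticated channel and remove the working copies from the Weblogic host once the AMD has loaded it.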
Setting the Cipher
By adding Weblogic startup parameters, SSL details such as the supported cipher suites and the ciphers used by connected clients can be seen in the server log. See this article for details:
To set the Weblogic ciphers, determine which of the ciphers Weblogic can use are supported by DCRUM. The Oracle article above shows a list of Weblogic ciphers (in the supported ciphers section). From rcon, “show ssldecr ciphers” shows the ciphers the AMD supports. The whole list of supported cipher suites is available here:
In our case we chose 4:
Use multiple ciphers, as the Weblogic server will negotiate which cipher to use based on the connecting client’s browser capabilities. If the client supports none of the listed ciphers, it will not connect.
Next, configure Weblogic to use those ciphers. Open the server’s config.xml and add a line for each cipher suite:
<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA256</ciphersuite>
<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
Ensure the ciphersuite entries are immediately below the
Restart the Weblogic server. Client connections will start using the ciphers listed, and the AMD will be able to decrypt the traffic.
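As an added example (not code from the article, from Dynatrace or from Oracle), the Python script below reads a Weblogic config.xml and classifies each configured cipher suite by whether the AMD can decrypt it with the server's private key. It also explains the symptom described earlier on this page: the AMD had the key loaded but C013/C014 traffic stayed encrypted. Suites whose key exchange is RSA have the client encrypt the pre-master secret to the server certificate, so the private key recovers the session keys; ECDHE and DHE suites derive the secret from ephemeral values that never cross the wire, so the key alone cannot decrypt them. The config.xml namespace, the sample config and the function names are my assumptions; the hex ids in the table are the IANA cipher suite ids, which is how rcon labels suites.

```python
"""Check the <ciphersuite> entries in a Weblogic config.xml for passive SSL decryption.

Added example, not code from the article or from Dynatrace/Oracle.  The AMD
decrypts with the server's private key, which only recovers the session keys of
suites whose key exchange is RSA (the client encrypts the pre-master secret to the
server certificate).  Suites with an ephemeral exchange (ECDHE, DHE) never send
that secret on the wire, which is why TLS_ECDHE_RSA_* traffic stays encrypted even
with the key loaded.  The config.xml namespace and the sample config below are
assumptions.
"""
import xml.etree.ElementTree as ET

# IANA cipher suite ids for the suites named in the article; rcon's
# 'show ssldecr ciphers' reports suites by this hex code.
SUITE_IDS = {
    "002F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "0035": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "003C": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "003D": "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "C013": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "C014": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}

# Constructed sample config.xml: one ECDHE suite (not decryptable) beside the
# two RSA suites the article adds.
SAMPLE_CONFIG = """\
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <server>
    <name>PIA</name>
    <ssl>
      <enabled>true</enabled>
      <ciphersuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA256</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
    </ssl>
  </server>
</domain>
"""


def suite_name(code):
    """Map a hex id as shown by rcon (e.g. 'C013' or '0xc013') to its IANA name."""
    code = code.strip().upper()
    if code.startswith("0X"):
        code = code[2:]
    return SUITE_IDS.get(code.zfill(4), "unknown suite 0x" + code)


def key_exchange(suite):
    """Return the key-exchange part of a TLS_<kx>_WITH_<cipher>_<mac> name."""
    head = suite.split("_WITH_", 1)[0]
    return head[4:] if head.startswith("TLS_") else head


def decryptable_with_server_key(suite):
    """True for RSA key transport (recoverable from the server's private key),
    False for ephemeral DH/ECDH (forward secrecy, not recoverable), None for
    anything else: check it against 'show ssldecr ciphers' on the AMD."""
    kx = key_exchange(suite)
    if kx == "RSA":
        return True
    if kx.startswith(("DHE_", "ECDHE_")):
        return False
    return None


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def check_config(config_xml):
    """Classify every <ciphersuite> in config.xml.  Weblogic expects them under
    <ssl>; entries elsewhere are reported as misplaced and otherwise ignored."""
    report = {"rsa": [], "ephemeral": [], "unknown": [], "misplaced": []}
    root = ET.fromstring(config_xml)
    for parent in root.iter():
        for child in parent:
            if _local(child.tag) != "ciphersuite":
                continue
            suite = (child.text or "").strip()
            if _local(parent.tag) != "ssl":
                report["misplaced"].append(suite)
                continue
            verdict = decryptable_with_server_key(suite)
            bucket = {True: "rsa", False: "ephemeral", None: "unknown"}[verdict]
            report[bucket].append(suite)
    return report


if __name__ == "__main__":
    result = check_config(SAMPLE_CONFIG)
    for bucket, suites in result.items():
        for s in suites:
            print("%-10s %s" % (bucket, s))
    if result["ephemeral"]:
        print("AMD cannot decrypt sessions negotiated with the ephemeral suites above")
```

Restricting a listener to RSA key exchange is what makes passive decryption possible, and it is also a trade-off: those sessions have no forward secrecy, so anyone holding the server key (or obtaining it later) can decrypt captured traffic. Limit the RSA-only suite list to the listeners the AMD actually monitors and keep the exported PEM under the same access controls as the keystore itself.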