I am trying to understand how traffic encrypted with self-signed certificates (Sun/Oracle) is decrypted on the AMD. This is traffic between our web and app servers.
Checking the documentation for DCRUM 12.4, there is no information on self-signed certificates.
Thanks and God bless,
My understanding is that it would be treated the same as a standard certificate.
Here is the documentation on how to add private keys to the AMD to allow the traffic to be decrypted.
Hope that helps.
Your understanding is correct.
The only caveat I can add is that some systems do not provide any supported way to export the private key for an internally generated self-signed certificate, and your only option there is to create your own certificate, either self-signed or via a CA, and apply that to replace the internal one, giving you a certificate you control the private key of.
I followed the procedure at that link and it still fails. I followed the same procedure with our web servers, which are not self-signed, and they work.
Running this command for the web servers produces output. Running this command for the app servers (Glassfish self-signed certificates) does not.
rcmd show ssldecr status aaa.bbb.ccc.ddd
SSL Decryption statistics for server: aaa.bbb.ccc.ddd:443
Total number of sessions=2822 (inProgress=2 Finished=2820)
SSL protocol version breakdown per number of sessions:
supported versions: ssl3.0=0 tls1.0=2058 tls1.1=0 tls1.2=0
unsupported versions: ssl2.0=0 other versions=0 no version info=697
[root@amdprobe keys]# rcmd show ssldecr status ddd.ccc.bbb.aaa
Are we sure that self-signed are not handled differently?
Thanks and God bless,
I was about to ask if there is a difference between the SSL and the SSL Decrypted analyzers, figuring I would change to the other and test. I discovered in RUM Console that the software service was configured with HTTP as the analyzer. Now I am capturing the data I should.
Thank you for your help and God bless,
The "SSL" analyzer is for when you do not have the private key or do not have a choice in using unsupportable ciphers such as Diffie-Hellman key exchange ciphers; it will provide information about SSL activities that can still be seen in the clear, such as handshake failures, but makes no attempt to decrypt.
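As an added example (not from this thread or from the DCRUM product), a small POSIX shell pre-check that separates the two questions the replies above raise: whether a server's certificate is self-signed (which does not affect decryption) and whether the negotiated key exchange is RSA or Diffie-Hellman (which decides whether a probe holding the private key can decrypt at all). The hostnames and cipher names used to exercise it are constructed; `probe` assumes `openssl` is available on the host it is run from.

```shell
# classify_tls CIPHER PROTOCOL SUBJECT ISSUER
# Prints: "<self-signed|ca-issued> <rsa-kex|dh-kex> <decryptable|not-decryptable>"
# Passive decryption with the server's private key only works when the session
# key is transported under RSA; any (EC)DH exchange defeats it, self-signed or not.
classify_tls() {
    cipher=$1 proto=$2 subject=$3 issuer=$4
    if [ "$subject" = "$issuer" ]; then cert=self-signed; else cert=ca-issued; fi
    case "$proto:$cipher" in
        TLSv1.3:*) kex=dh-kex ;;   # TLS 1.3 always uses an ephemeral (EC)DHE exchange
        *:*DH*)    kex=dh-kex ;;   # ECDHE-, DHE-, DH-, ECDH-, ADH- suites
        *)         kex=rsa-kex ;;  # e.g. AES128-SHA: RSA key transport
    esac
    if [ "$kex" = rsa-kex ]; then verdict=decryptable; else verdict=not-decryptable; fi
    echo "$cert $kex $verdict"
}

# probe HOST [PORT]: run the same classification against a live endpoint.
# Pulls the negotiated cipher/protocol and the leaf certificate from openssl s_client.
probe() {
    host=$1 port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null) || return 1
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    pem=$(printf '%s\n' "$out" | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p')
    subject=$(printf '%s\n' "$pem" | openssl x509 -noout -subject | sed 's/^subject= *//')
    issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer | sed 's/^issuer= *//')
    echo "$host:$port $proto $cipher"
    classify_tls "$cipher" "$proto" "$subject" "$issuer"
}
```

A result of `dh-kex not-decryptable` for an app server explains an empty `show ssldecr status` even when the private key has been loaded correctly; only the key exchange, not the certificate's issuer, needs to change.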