
This product reached the end of support date on March 31, 2021.

Self-Signed Certificates

genesius_jarom1
Organizer

Hello,

I am trying to understand how traffic encrypted with self-signed certificates (Sun/Oracle) is decrypted on the AMD. This is traffic between our web and app servers.

Checking the documentation for the DCRUM 12.4 there is no information on self-signed certificates.

Thanks and God bless,

Genesius

7 REPLIES

dean_camenzuli
Dynatrace Participant

Hi Genesius,

My understanding is that it would be treated the same as a standard certificate.
Here is the documentation on how to add private keys to the AMD to allow the traffic to be decrypted.
https://community.dynatrace.com/community/display/...

Hope that helps.

Your understanding is correct.

The only caveat I can add is that some systems do not provide any supported way to export the private key for an internally generated self-signed certificate. Your only option there is to create your own certificate, either self-signed or via a CA, and apply that to replace the internal one, giving you a certificate whose private key you control.

-- Erik

genesius_jarom1
Organizer

@Dean C.

I followed the procedure at that link and it still fails. I followed the same procedure with our web servers, which are not self-signed, and they work.

Running this command for the web servers produces output. Running this command for the app servers (Glassfish self-signed certificates) does not.

Web server

rcmd show ssldecr status aaa.bbb.ccc.ddd
SSL Decryption statistics for server: aaa.bbb.ccc.ddd:443
SESSIONS:
Total number of sessions=2822 (inProgress=2 Finished=2820)
SSL protocol version breakdown per number of sessions:
supported versions: ssl3.0=0 tls1.0=2058 tls1.1=0 tls1.2=0
unsupported versions: ssl2.0=0 other versions=0 no version info=697
:
:

[root@amdprobe keys]#

App server

[root@amdprobe keys]# rcmd show ssldecr status ddd.ccc.bbb.aaa
[root@amdprobe keys]#

Are we sure that self-signed are not handled differently?

Thanks and God bless,

Genesius
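The two command outputs above differ in a way that is easy to miss at the console: the web server returns a full statistics block, the app server returns nothing at all. The following Python script is an added example, not part of this thread and not Dynatrace code; it parses the `rcmd show ssldecr status` output shape shown above (the sample text is reconstructed from the post) and turns the "empty output" case into an explicit health state, so a check run across many servers can flag the ones the AMD is not even attempting to decrypt. The function names and the health labels are my own.

```python
import re
from typing import Optional

# Constructed sample, copied from the shape of the web-server output in the thread.
WEB_OUTPUT = """SSL Decryption statistics for server: aaa.bbb.ccc.ddd:443
SESSIONS:
Total number of sessions=2822 (inProgress=2 Finished=2820)
SSL protocol version breakdown per number of sessions:
supported versions: ssl3.0=0 tls1.0=2058 tls1.1=0 tls1.2=0
unsupported versions: ssl2.0=0 other versions=0 no version info=697
"""

# Constructed sample: the app server produced no output at all.
APP_OUTPUT = ""

# Matches "key=number" pairs such as "tls1.0=2058" or "no version info=697".
_KV = re.compile(r"([A-Za-z][A-Za-z0-9. ]*?)=(\d+)")

_SUPPORTED = ("ssl3.0", "tls1.0", "tls1.1", "tls1.2")
_UNSUPPORTED = ("ssl2.0", "other versions", "no version info")


def parse_ssldecr_status(text: str) -> Optional[dict]:
    """Parse one server's status block into a dict.

    Returns None when the probe printed nothing for the server, which is
    what the thread shows for the app server: the AMD holds no decryption
    state for it at all, rather than reporting zero sessions.
    """
    header = re.search(r"SSL Decryption statistics for server:\s*(\S+)", text)
    if not header:
        return None
    counters = {key.strip(): int(val) for key, val in _KV.findall(text)}
    return {
        "server": header.group(1),
        "total": counters.get("Total number of sessions", 0),
        "in_progress": counters.get("inProgress", 0),
        "finished": counters.get("Finished", 0),
        "supported": {k: counters[k] for k in _SUPPORTED if k in counters},
        "unsupported": {k: counters[k] for k in _UNSUPPORTED if k in counters},
    }


def decryption_health(text: str) -> str:
    """Reduce the status block to one label a monitoring check can act on."""
    stats = parse_ssldecr_status(text)
    if stats is None:
        # No state at all: the AMD is not attempting decryption for this
        # server (in the thread, because the service used the HTTP analyzer).
        return "not-monitored"
    if stats["total"] == 0:
        return "no-sessions"
    unsupported = sum(stats["unsupported"].values())
    if unsupported > stats["total"] / 2:
        # Sessions are seen but mostly carry no usable version information.
        return "mostly-unsupported"
    return "decrypting"


if __name__ == "__main__":
    for label, output in (("web", WEB_OUTPUT), ("app", APP_OUTPUT)):
        print(label, decryption_health(output), parse_ssldecr_status(output))
```

Running the check over both samples gives `decrypting` for the web server and `not-monitored` for the app server, which matches Erik's reading of the empty output: the probe is not seeing anything it thinks it should decrypt, so the problem is configuration (which analyzer the service uses, whether the key is loaded) rather than a decryption failure.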

Actually, that says it is not seeing anything it thinks it is supposed to try to decrypt...

I suggest opening a Support ticket to look deeper at this.

-- Erik

@Erik S. and @Dean C.

I was about to ask if there is a difference between the SSL and the SSL Decrypted analyzers, figuring I would change to the other one and test. I discovered in RUM Console that the software service was configured with HTTP as the analyzer. Now it is capturing the data it should.

My apologies.

Thank you for your help and God bless,

Genesius

🙂

The "SSL" analyzer is for when you do not have the private key or do not have a choice in using unsupportable ciphers such as Diffie-Hellman key exchange ciphers; it will provide information about SSL activities that can still be seen in the clear, such as handshake failures, but makes no attempt to decrypt.

-- Erik
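Erik's point about Diffie-Hellman ciphers is the general rule for any passive decryptor that holds only the server's private key: with RSA key transport the client encrypts the pre-master secret to the server's public key, so the private key recovers the session; with (EC)DHE the session key comes from an ephemeral exchange the private key never touches (it only signs the handshake), so nothing can be decrypted and only the cleartext handshake details remain observable. The Python script below is an added example, not part of this thread and not Dynatrace code. It classifies cipher suite names (both OpenSSL and IANA spellings, and TLS 1.3 suites, which always use ephemeral key exchange) by key exchange and splits a server's cipher list into what a private-key decryptor can handle and what only a cleartext-observing analyzer can report on. The function names and the sample cipher list are my own; which suites the AMD itself supports is product-specific and not covered here.

```python
import re
from typing import List, Tuple

# Constructed sample: a mixed cipher list a server might be configured with.
SAMPLE_SUITES = [
    "AES128-SHA",                          # OpenSSL name, plain RSA key transport
    "TLS_RSA_WITH_AES_128_CBC_SHA",        # IANA name of the same suite
    "DHE-RSA-AES256-SHA",                  # ephemeral DH, RSA only signs
    "ECDHE-RSA-AES128-GCM-SHA256",         # ephemeral ECDH, RSA only signs
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",   # static ECDH: key is in an ECDH cert
    "TLS_AES_128_GCM_SHA256",              # TLS 1.3, key exchange fixed by protocol
]


def key_exchange(suite: str) -> str:
    """Return the key-exchange family encoded in a cipher suite name."""
    name = suite.upper()
    # TLS 1.3 suite names carry no key-exchange token because the protocol
    # only ever negotiates ephemeral (EC)DHE.
    if re.match(r"TLS_(AES|CHACHA20)_", name):
        return "ECDHE"
    tokens = set(re.split(r"[-_]", name))
    if "ECDHE" in tokens:
        return "ECDHE"
    if "DHE" in tokens or "EDH" in tokens:
        return "DHE"
    if "AECDH" in tokens:
        return "ECDH-anon"
    if "ADH" in tokens:
        return "DH-anon"
    if "ECDH" in tokens:
        return "ECDH"
    if "DH" in tokens:
        return "DH"
    if "PSK" in tokens:
        return "PSK"
    # OpenSSL omits the key-exchange token for plain RSA (e.g. AES128-SHA),
    # and IANA names spell it out as TLS_RSA_WITH_...
    return "RSA"


def private_key_suffices(suite: str) -> bool:
    """True only for RSA key transport: the client encrypts the pre-master
    secret to the server's RSA public key, so the private key recovers it.
    Every (EC)DH variant derives the session key from values the server's
    certificate key never encrypts, so the key alone decrypts nothing."""
    return key_exchange(suite) == "RSA"


def triage(suites: List[str]) -> Tuple[List[str], List[str]]:
    """Split a cipher list into suites a private-key decryptor can handle
    and suites where only cleartext handshake data (failures, versions)
    remains observable."""
    decryptable = [s for s in suites if private_key_suffices(s)]
    handshake_only = [s for s in suites if not private_key_suffices(s)]
    return decryptable, handshake_only


if __name__ == "__main__":
    ok, rest = triage(SAMPLE_SUITES)
    print("decryptable with the server private key:", ok)
    print("handshake data only:", rest)
```

Used as a pre-check before loading a key onto a probe, this tells you whether the traffic in question can be decrypted at all: if the server negotiates only DHE or ECDHE suites (or TLS 1.3), the "SSL" analyzer is the appropriate choice and no private key will change that; if RSA key transport is still offered and negotiated, the "SSL Decrypted" analyzer with the key is the right configuration.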

genesius_jarom1
Organizer

@Erik S.

I did not know that about SSL analyzer and DH. Good to know.

Thanks and God bless,

Genesius