My client migrated from 6.2 -> 6.5, but the URL Monitors hitting "https" sites (VIPs) are no longer working. I have tried to turn on and off the "disable ssl cert validation" option, but this does not fix the problem. The sites use SHA-1 encryption which is getting phased out by Google and Microsoft next year.
Is there any way to force the collector to accept SHA-1 encrypted connections over https?
The error reads:
"Connection failed: DynaTraceHttpClientException: Exception was thrown while executing a HTTP request
Caused by: SSLException: Unsupported record version SSLv2Hello
SSL handshake failed, this may be caused by an incorrect certificate. Check 'Disable certificate validation' parameter to override this."
It seems to be similar to the reported case: SUPDT-20709, which describes how the 6.3 collector using the Java 8 JRE no longer supports older encryption algorithms. SHA-1 is getting phased out next year, and I think that this is the reason for which the 6.5 collectors (also using JRE 😎 are unable to hit the SSL sites.
Like the support team suggests, How would a proxy server be used as a workaround?
Any insight or workaround for this issue is welcomed, as it may prevent my client from migrating to 6.5 until they can upgrade all the SSL certs to SHA-2 encryption.
Solved! Go to Solution.
That is a great idea. I will try it out to make sure it works. Also, I am going to try importing their certificate into the collector keystore to see if that works too.
Executing the URL monitor with a 6.2 collector on a completely separate VM, which is connected to a 6.5 server, will not work. The URL monitor plugin execution fails. I believe it fails because it is trying to invoke the 6.5 version of the URL plugin, and causes a null pointer exception.
Is there a way to prevent the collector from installing the 6.5version of the URL plugin from the DT Server?
Ah, bummer. I assume you're using the URL Monitoring Plugin that comes with the product. Here's two ideas worth exploring:
1) Extract the URL Monitoring plugin from the 6.5 system, modify the name a bit so it's a new plugin, then import it back into 6.5. I'm not convinced this will work but it's worth a try.
2) Use the community version of the URL Monitor and using the same logic as above, have a different plugin just for the 6.2 Collector.
3) Following idea #1, edit the plugin and make necessary changes so it will accept the connection situation you're dealing with. This again would mean the plugin would have to be renamed so as not to collide with the out-of-the-box URL Monitoring plugin.
Let us know your progress.
Here is the solution that seems to work for Windows Collectors:
I will need to get feedback from my client about using the 6.2 version of the URL plugin for all monitors, but this workaround seems sufficient.