Application Perf Mgmt (BAC / BSM) Practitioners Forum

RUM 9.25 no longer decrypting SSL traffic

ca27506
Frequent Contributor.

RUM 9.25 no longer decrypting SSL traffic

We had a fully functional RUM system monitoring SSL traffic without incident until recently, when it stopped decrypting SSL. I verified the Probe is capturing the required traffic, but when I apply the SSL cert nothing happens. The SSL Keystore Management page shows no decryption statistics (successful or failed... nothing). It looks like the SSL key is not getting imported to the probe. Please advise... thank you, Griff
7 REPLIES
Rufeng Xu-Fried
Super Contributor.

Re: RUM 9.25 no longer decrypting SSL traffic

Hi, we no longer have RUM, but we used to have it. I have seen situations like this. The common cause is that the cert on the app side is renewed. In this case, you will need to import new PEM files in the RUM engine console. Just a thought. Thanks!

Rufeng
ca27506
Frequent Contributor.

Re: RUM 9.25 no longer decrypting SSL traffic

I have applied the newest SSL cert from the admin of the VIP where the apps are hosted....and it does not decrypt. Again it looks like the key is not taking even though on the probe it updates the files in hprumprobe\etc\rume_probe\keystore.
AlexPereverzev
Micro Focus Expert

Re: RUM 9.25 no longer decrypting SSL traffic

Hi Guys,

Not certs, but private server keys are uploaded to the Probe.

Please, try to troubleshoot this way: record some traffic with Probe and then apply a key you have in Wireshark.

Best, Alexey

Tim Slatter
Outstanding Contributor.

Re: RUM 9.25 no longer decrypting SSL traffic

Hi,

It's also worth checking to see if they have changed the allowed cipher suites, and Diffie-Hellman (DHE) or ECDHE ciphers are being used.

Here are a couple of ways you may be able to check:

1)  Connect to the monitored app/website via a browser and check the SSL/TLS connection info.  This will show you the cipher that your browser and the site chose to use, so not a definitive list of supported ciphers

2) Run openssl (usually on Linux by default, but not on Windows, although it can often be found within other programs in Windows, such as APM/BSM, BPM or VMware tools paths) and specify certain ciphers:

   openssl s_client -connect <address>:<port> -cipher <cipher>

   Where <address> is the name or IP address of the app/site, <port> is the listening port, and <cipher> is the short name of a cipher you want to test - you'll have to try a few, and here's a good list of cipher names - use the name on the right:

   https://wiki.openssl.org/index.php/Manual:Ciphers(1)

3) Use nmap to list all the supported ciphers.  This is the easiest option, if nmap is available, but it isn't usually by default (this info was valid for nmap 7.12):

   nmap --script ssl-cert,ssl-enum-ciphers <address> -p <port>

If you do find DHE or ECDHE ciphers in use, you'll need to ask the app team if they can disable them.

Regards,

Tim
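
The nmap check in option 3 above, followed through to the question that matters for a passive decryptor, as an added example that is not part of the original post: it sorts the suites from `ssl-enum-ciphers` output by whether the server's private key alone can recover the session keys. The sample output is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout printed by nmap's ssl-enum-ciphers script
# (not captured from a real host).
SAMPLE_NMAP_OUTPUT = """\
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

SUITE_LINE = re.compile(r"^\|[ _]+(TLS_[A-Z0-9_]+)\b")
PREFERENCE_LINE = re.compile(r"cipher preference:\s*(\w+)")

def key_exchange(suite):
    """Classify a suite by whether the server private key alone can decrypt it."""
    if suite.startswith("TLS_RSA_WITH_"):
        return "static_rsa"   # pre-master secret is encrypted to the server key
    if suite.startswith(("TLS_DHE_", "TLS_ECDHE_", "TLS_AKE_")):
        return "ephemeral"    # per-session keys; TLS_AKE_ is nmap's TLS 1.3 naming
    return "other"            # static DH/ECDH, PSK, etc.: review by hand

def summarize(nmap_text):
    """Group offered suites by key exchange and record who picks the cipher."""
    result = {"static_rsa": [], "ephemeral": [], "other": [], "preference": None}
    for line in nmap_text.splitlines():
        suite = SUITE_LINE.match(line)
        if suite:
            result[key_exchange(suite.group(1))].append(suite.group(1))
            continue
        pref = PREFERENCE_LINE.search(line)
        if pref:
            result["preference"] = pref.group(1)
    return result

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_NMAP_OUTPUT).items():
        print(f"{key}: {value}")
```

With `cipher preference: server` and ephemeral suites listed first, clients that support them will negotiate ECDHE or DHE even though a static RSA suite is still offered, so the probe sees sessions it cannot decrypt with the private key.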

ca27506
Frequent Contributor.

Re: RUM 9.25 no longer decrypting SSL traffic

The issue is due to a new VIP that was put in place that is using ECDHE, which apparently RUM probes of all versions cannot decrypt. Hoping Micro Focus comes up with a version that can, otherwise the product is EOL for us.

Tim Slatter
Outstanding Contributor.

Re: RUM 9.25 no longer decrypting SSL traffic

Hi,

RUM requires the Private Key to decrypt, and the key changes with Diffie-Hellman, so that's why it's not supported (this is the same with other similar products, I believe). However, it's probably worth raising an Enhancement Request. The following options may help:

 - Get the team supporting the VIP to disable Diffie-Hellman based ciphers

 - Monitor the network traffic between the VIP and web servers. However, this will only work if Diffie-Hellman is not used between the VIP and web servers. Also, there could be some loss of granular client information available to RUM

 - Use a hardware TLS/SSL decryptor (e.g. https://www.symantec.com/products/ssl-visibility-appliance - here's one example that says it supports Diffie-Hellman, but there may be others). These are sometimes used by people with Network Intrusion Prevention Systems because malware and malicious code can use SSL/TLS too

The hardware decryptors are probably expensive, but can benefit Security departments too, and it would give you more RUM Probe processing capacity.

Regards,

Tim

ca27506
Frequent Contributor.

Re: RUM 9.25 no longer decrypting SSL traffic

Thanks Tim, I will investigate the options you have suggested. As far as disabling Hellman, I don't think I will get too far with getting security and network teams to buy off on that. From the research I have done, Hellman is now the newest industry favorite, so either Micro Focus comes up with an enhancement or it will sadly be end of life. Very unfortunate because I got a lot of good use from BAC RUM.