• Spaces
  • Collections
  • Help
    • ×
     
     
    •  
    BMC Real End User Experience Monitoring 2.5

    Page tree

    This section describes the management of secure socket layer (SSL) keys and the settings for traffic decryption of the BMC Real User Cloud Probe.

    A web application uses encryption to protect sensitive data that travels between the client and the server. Without the proper deciphering mechanism, the system cannot decrypt the intercepted traffic. To process encrypted traffic, you must upload the appropriate cryptographic keys (so-called SSL keys) to the host with the Cloud Probe.

    The Cloud Probe supports SSL keys with certificates that use the privacy-enhanced mail (PEM) format. Passphrase- and Password-protected private keys are not supported. For a list of supported cipher suites, see Key management views.

    To configure SSL keys to decrypt Cloud Probe traffic

    1. Log in to the system where you installed the Cloud Probe with an Administrator account.
    2. Stop the Cloud Probe service.

    3. Navigate to the Cloud Probe configuration file.

       

      Operating SystemFile location
      Linux<installDirectory>/conf
      Windows<installDirectory>\conf
    4. Copy your private PEM key to the Cloud Probe host system.
    5. Create a private key with pem__PEM suffix:
      • On Linux, run the following command:
        mv /<keyLocation>/<keyName>.pem /<keyDestination>/<keyName>.pem__PEM
      • On Windows, rename the file by changing its suffix to <keyname>.pem__PEM.

    6. To manage SSL keys, insert the following code blocks to the epssl.cfg file as shown below or in the Example SSL keys.

      keymaterial <privateKeyFilePath>/<keyName>.pem__PEM ON
keyfor 0.0.0.0-255.255.0.0 443-443 1 <keyName>.pem

       

      The first line specifies the location of the private key and uses the following syntax:

      Keyword

      Path to private key

      State of key

      keymaterial

      <privateKeyFilePath>/<keyName>.pem__PEM

      ON

      • <privateKeyFilePath> is the path to the private key file.
      • State of the key must be set to ON.

       

      The <privateKeyFilePath> where you store the keys, should not contain spaces; otherwise, the command will return an error. The SSL key path name must use forward slashes (/), even when the Cloud Probe is on a Windows system.


      The second line specifies the properties of the private key mentioned in the previous line, and uses the following syntax:

      Keyword

      IP address (range)

      Port (range)

      Host ID

      Private key

      keyfor

      0.0.0.0-255.255.0.0

      443-443

      1

      <keyName>.pem


      The private key specified in the second line does not have pem__PEM suffix.

    7. Start the Cloud Probe service.

    8. To verify an SSL key has been loaded properly by a Cloud Probe, the check for the following success message in the installationDirectory/cloudprobe\staging\var\log\epx\probe.log_ file. 

      <date and time stamp> info  [CORE] INFO: SSL Keys and/or Hosts accept: GOOD

    Example SSL keys

    Example of binding multiple IP addresses to the same key

    keymaterial /opt/bmc/CloudProbe/cloudproeb/conf/key.pem__PEM ON
keyfor 10.230.128.55-10.230.128.55 443-443 1 key.pem
keyfor 10.160.160.6-10.160.160.6 443-443 1 key.pem

    Example of binding multiple keys to multiple ports of the same address

    keymaterial C:/CP/cloudprobe/conf/09_pem_des_nopas.pem__PEM ON 
keymaterial C:/CP/cloudprobe/conf/12_pem_plain_nopas.pem__PEM ON
keyfor 172.21.243.168-172.21.243.176 0-65535 1 09_pem_des_nopas.pem,12_pem_plain_nopas.pem

    Example of binding multiple keys to multiple IP addresses and multiple ports

    keymaterial /opt/bmc/CloudProbe/cloudprobe/conf/key.pem__PEM ON
keymaterial /opt/bmc/CloudProbe/cloudprobe/conf/key1.pem__PEM ON
keymaterial /opt/bmc/CloudProbe/cloudprobe/conf/key2.pem__PEM ON
keymaterial /opt/bmc/CloudProbe/cloudprobe/conf/key3.pem__PEM ON
keyfor 172.21.243.217-172.21.243.220 1-65535 1 key.pem,key1.pem
keyfor 172.21.243.168-172.21.243.176 1-65535 2 key3.pem,key4.pem

    Troubleshooting errors with Cloud Probe SSL keys

    Issue: After the Cloud probe service starts, the SSL CFG ERROR error in the cloud-probe service log indicates a problem with epssl.cfg file.

    Resolution: Check the definition of the key file in the epssl.cfg file for the following:

    • Check for the presence of illegal characters.
    • Make sure the SSL key path name contains forward slashes (/), even when the Cloud Probe is installed on a Windows system; otherwise, the Cloud Probe will not be loaded correctly by the system.
    • Make sure the key file is in PEM (PKCS#12) format. If a you use a key file in another format, first use an SSL tool to convert it to the PEM format.
     

    Related topic

    Installing the Real User Cloud Probe

     

    3 Comments

    1. Nataliia Lytvynenko

       

    2. Ranganath Samudrala

      Please add a comment related to the Cipher Suite supported by the Cloub Probe as well. Oh - I see that here: https://docs.bmc.com/docs/display/public/euem25/Key+management+views

      1. Sandy Reid

         
    © Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.