This section describes the management of secure socket layer (SSL) keys and the settings for decryption of HTTPS traffic by the Real User Cloud Probe. A web application uses encryption to protect sensitive data that travels between the client and the server. Without the proper deciphering mechanism, the system cannot decrypt the intercepted traffic. To process encrypted traffic, you must upload the appropriate cryptographic keys (SSL keys) to the Cloud Probe host system.
The Cloud Probe supports SSL keys with certificates that use the privacy-enhanced mail (PEM) format.
Note
Passphrase- and Password-protected private keys are not supported.
To configure SSL keys to decrypt Cloud Probe traffic
Navigate to the Cloud Probe configuration file.
Operating System | File location |
---|---|
Linux | <installDirectory>/cloudprobe/conf |
Windows |
|
pem__PEM
suffix:mv /<keyLocation>/<keyName>.pem /<keyDestination>/<keyName>.pem__PEM
<
keyname>.pem__PEM
.To manage SSL keys, insert the following code blocks to the epssl.cfg file as shown below or in the Example SSL keys.
keymaterial <privateKeyFilePath>/<keyName>.pem__PEM ON keyfor 0.0.0.0-255.255.0.0 443-443 1 <keyName>.pem
The first line specifies the location of the private key and uses the following syntax:
Keyword | Path to private key | State of key |
---|---|---|
|
|
|
<privateKeyFilePath>
is the path to the private key file.ON
.
The <privateKeyFilePath>
where you store the keys, should not contain spaces; otherwise, the command will return an error. The SSL key path name must use forward slashes (/), even when the Cloud Probe is on a Windows system.
The second line specifies the properties of the private key mentioned in the previous line, and uses the following syntax:
Keyword | IP address (range) | Port (range) | Host ID | Private key |
---|---|---|---|---|
keyfor | 0.0.0.0-255.255.0.0 | 443-443 | 1 |
|
The private key specified in the second line does not have pem__PEM
suffix.
Start the Cloud Probe service.
To verify an SSL key has been loaded properly by a Cloud Probe, the check for the following success message in the installationDirectory/cloudprobe\staging\var\log\epx\epx.log file.
<date and time stamp> info [CORE] INFO: SSL Keys and/or Hosts accept: GOOD
If you receive an error, see SSL CFG ERROR issued for incorrect Cloud Probe SSL key configuration. See also Troubleshooting traffic capture on a Cloud Probe.
7 Comments
Alexandre Boyer
Alexandre Boyer
Michael Taslitz
Harihara Subramanian
Mohamed Eraky
what is the meaning of HOST ID. and how can I get it. also, do we have a standard template or commands to Generate .PEM file. also if I have more than 3 servers use the same certificates why the certificate decrypt the first server but not the other?
Michael Taslitz
Hi,
Please open a support case with BMC Customer Support.
A support representative will be able to provide the additional information.
Best Regards,
Michael
Harihara Subramanian