Managing SSL keys and settings for Cloud Probe traffic decryption


This section describes the management of Secure Sockets Layer (SSL) keys and the settings for traffic decryption by the Real User Cloud Probe.

A web application uses encryption to protect sensitive data that travels between the client and the server. Without the server's private key, the Cloud Probe cannot decrypt the traffic it intercepts. To process encrypted traffic, you must upload the appropriate private keys (referred to here as SSL keys) to the host with the Cloud Probe. Note that decrypting a captured session with the server's private key is only possible for cipher suites that use RSA key exchange; with ephemeral Diffie-Hellman (DHE or ECDHE) key exchange the session keys cannot be derived from the server's private key.

The Cloud Probe supports SSL keys and certificates in the privacy-enhanced mail (PEM) format. Passphrase- or password-protected (encrypted) private keys are not supported, so the key is stored unencrypted on the Cloud Probe host. Treat that copy as you would the server's own key: restrict file permissions and access to the host.

Configuring SSL keys

  1. Log in to the virtual machine with the Cloud Probe installation as root.
  2. Stop the Cloud Probe service by running the following command:
    $ service cloud-probe stop
  3. Copy your private PEM key to the host with Cloud Probe.
  4. Create a copy of the private key with the pem__PEM suffix by running the following command:
    cp /<keyLocation>/<keyName>.pem /<keyDestination>/<keyName>.pem__PEM
  5. To manage SSL keys, add the following settings to the epssl.cfg file, located on the Cloud Probe host in the <installationDirectory>/conf directory:

    keymaterial <privateKeyFilePath>/<keyName>.pem__PEM ON
    keyfor 0.0.0.0-255.255.0.0 443-443 1 <keyName>.pem
    • The first line specifies the location of the private key and uses the following syntax:

      Key word      Path to private key                       State of key
      keymaterial   <privateKeyFilePath>/<keyName>.pem__PEM   ON

      • <privateKeyFilePath> is the path to the private key file (the copy with the pem__PEM suffix).
      • State of the key must be set to ON.
    • The second line specifies the properties of the private key mentioned in the previous line, and uses the following syntax:

      Key word   IP address (range)    Port (range)   Host ID   Private key
      keyfor     0.0.0.0-255.255.0.0   443-443        1         <keyName>.pem

      • IP address (range) and Port (range) select the server traffic to which the key applies. A single address or port is written as a range with the same start and end, for example 443-443.
      • The private key specified in the second line is referenced by file name only and does not have the pem__PEM suffix. Several keys can be listed, separated by commas.

  6. Start the Cloud Probe service by running the following command:
    $ service cloud-probe start
Example of binding multiple IP addresses to the same key
    keymaterial /opt/bmc/CloudProbe/cloudprobe/conf/key.pem__PEM ON
    keyfor 10.230.128.55-10.230.128.55 443-443 1 key.pem
    keyfor 10.160.160.6-10.160.160.6 443-443 1 key.pem
Example of binding multiple keys to multiple ports of the same address
    keymaterial /opt/bmc/CloudProbe/cloudprobe/conf/key.pem__PEM ON
    keymaterial /opt/bmc/CloudProbe/cloudprobe/conf/key1.pem__PEM ON
    keyfor 10.160.160.6-10.160.160.6 0-65535 1 key.pem,key1.pem
Example of binding multiple keys to multiple IP addresses and multiple ports
    keymaterial /opt/bmc/CloudProbe/cloudprobe/conf/key.pem__PEM ON
    keymaterial /opt/bmc/CloudProbe/cloudprobe/conf/key1.pem__PEM ON
    keymaterial /opt/bmc/CloudProbe/cloudprobe/conf/key2.pem__PEM ON
    keymaterial /opt/bmc/CloudProbe/cloudprobe/conf/key3.pem__PEM ON
    keyfor 172.21.243.217-172.21.243.220 1-65535 1 key.pem,key1.pem
    keyfor 172.21.243.168-172.21.243.176 1-65535 2 key2.pem,key3.pem
Every key named in a keyfor line must be declared by a keymaterial line, and the keymaterial path must be the full path to the pem__PEM copy.
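The staging steps above and the multi-key examples, as an added shell example that is not part of the Cloud Probe documentation or product: it refuses encrypted keys before copying, stages the key with the pem__PEM suffix and restrictive permissions, appends the keymaterial/keyfor pair, and checks that epssl.cfg is consistent (every keyfor reference has a matching keymaterial line, paths carry the suffix, state is ON). The functions check_key_is_plain_pem, stage_key and check_epssl_cfg, and the rule that keymaterial paths must be absolute, are assumptions of this script, not documented product behaviour. The key body in the demo is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not part of the Cloud Probe product or its documentation.
# Assumptions: the key is an unencrypted PEM private key; epssl.cfg uses the
# keymaterial / keyfor lines described above; a relative keymaterial path is
# treated as an error by this script (a sanity rule, not a documented one).

# Refuse anything that is not an unencrypted PEM private key: the Cloud Probe
# cannot use passphrase-protected keys, so catch that before copying the file.
check_key_is_plain_pem() {
    key="$1"
    [ -r "$key" ] || return 1
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || return 1   # not PEM
    # PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" or PKCS#1 "Proc-Type: 4,ENCRYPTED"
    grep -q -- 'ENCRYPTED' "$key" && return 1
    return 0
}

# Stage a key: copy it next to epssl.cfg with the pem__PEM suffix, lock the
# permissions down (the copy is as sensitive as the server's own key), and
# append the keymaterial/keyfor pair for the given server address and ports.
# Arguments: <key.pem> <confDir> <ipRange> <portRange> <hostId>
stage_key() {
    key="$1"; conf="$2"; iprange="$3"; ports="$4"; hostid="$5"
    name=$(basename "$key")
    if ! check_key_is_plain_pem "$key"; then
        echo "refusing $key: not an unencrypted PEM private key" >&2
        return 1
    fi
    cp "$key" "$conf/${name}__PEM" && chmod 600 "$conf/${name}__PEM" || return 1
    printf 'keymaterial %s/%s__PEM ON\nkeyfor %s %s %s %s\n' \
        "$conf" "$name" "$iprange" "$ports" "$hostid" "$name" >> "$conf/epssl.cfg"
}

# Check epssl.cfg for the common inconsistencies: keymaterial paths that are
# not absolute or lack the pem__PEM suffix, a state other than ON, and keyfor
# lines that name a key no keymaterial line declares. Prints each finding and
# returns 1 if anything is wrong, 0 if the file is consistent.
check_epssl_cfg() {
    awk '
        $1 == "keymaterial" {
            n = split($2, p, "/"); name = p[n]
            if ($2 !~ /^\//)            { print "NOT ABSOLUTE: " $2; bad = 1 }
            if (name !~ /\.pem__PEM$/)  { print "BAD SUFFIX: " $2; bad = 1 }
            if ($3 != "ON")             { print "STATE NOT ON: " $0; bad = 1 }
            sub(/__PEM$/, "", name); declared[name] = 1
        }
        $1 == "keyfor" {
            # keyfor lists keys by bare file name, comma separated; resolve at
            # END so the order of lines in the file does not matter
            m = split($5, keys, ",")
            for (i = 1; i <= m; i++) refs[keys[i]] = $0
        }
        END {
            for (k in refs)
                if (!(k in declared)) { print "UNDECLARED KEY: " k " in: " refs[k]; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed demo in a temporary directory (placeholder key body, not a real key).
demo=$(mktemp -d) && mkdir -p "$demo/conf"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIBVQ==' '-----END PRIVATE KEY-----' > "$demo/key.pem"
stage_key "$demo/key.pem" "$demo/conf" 10.160.160.6-10.160.160.6 443-443 1
cat "$demo/conf/epssl.cfg"
check_epssl_cfg "$demo/conf/epssl.cfg" && echo "epssl.cfg OK"
rm -rf "$demo"
```

Run the check after editing epssl.cfg and before starting the cloud-probe service; a keyfor line that names a key without a keymaterial declaration, like the mismatch that is easy to introduce when several keys are bound to several address ranges, is reported with the offending line.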

Handling errors with Cloud Probe SSL keys

After the Cloud Probe service starts, an SSL CFG ERROR entry in the cloud-probe service logs indicates a problem with the epssl.cfg file; check the keymaterial and keyfor lines described above.

For additional SSL issues, look in the following files:

  • /opt/bmc/CloudProbe/cloudprobe/staging/tmp/epx_ssl_hosts_stats — Contains all SSL hosts seen over the last 24 hours
  • /opt/bmc/CloudProbe/cloudprobe/staging/tmp/epx_ssl_global_stats — Contains SSL global statistics collected over the last 24 hours


Related topic

Installing-the-Real-User-Cloud-Probe
