Configuring Cloud Probe SSL keys and settings for traffic decryption
This section describes the management of secure socket layer (SSL) keys and the settings for decryption of HTTPS traffic by the Real User Cloud Probe. A web application uses encryption to protect sensitive data that travels between the client and the server. Without the proper deciphering mechanism, the system cannot decrypt the intercepted traffic. To process encrypted traffic, you must upload the appropriate cryptographic keys (SSL keys) to the Cloud Probe host system.
The Cloud Probe supports SSL keys with certificates that use the privacy-enhanced mail (PEM) format. Passphrase- and password-protected private keys are not supported.
To configure SSL keys to decrypt Cloud Probe traffic
- Log in to the system where you installed the Cloud Probe with an Administrator account.
- Stop the Cloud Probe service.
- Navigate to the Cloud Probe configuration file.

| Operating System | File location |
|---|---|
| Linux | <installDirectory>/cloudprobe/conf |
| Windows | <installDirectory>\cloudprobe/conf |

- Copy your private PEM key to the Cloud Probe host system.
- Create a private key with pem__PEM suffix:
  - On Linux, run the following command:
    mv /<keyLocation>/<keyName>.pem /<keyDestination>/<keyName>.pem__PEM
  - On Windows, rename the file by changing its suffix to <keyname>.pem__PEM.
- To manage SSL keys, insert the following lines into the epssl.cfg file, as shown below or in Example SSL keys:
    keymaterial <privateKeyFilePath>/<keyName>.pem__PEM ON
    keyfor 0.0.0.0-255.255.0.0 443-443 1 <keyName>.pem

The first line specifies the location of the private key and uses the following syntax:

| Keyword | Path to private key | State of key |
|---|---|---|
| keymaterial | <privateKeyFilePath>/<keyName>.pem__PEM | ON |

- <privateKeyFilePath> is the path to the private key file.
- State of the key must be set to ON.
The second line specifies the properties of the private key mentioned in the previous line, and uses the following syntax:

| Keyword | IP address (range) | Port (range) | Host ID | Private key |
|---|---|---|---|---|
| keyfor | 0.0.0.0-255.255.0.0 | 443-443 | 1 | <keyName>.pem |

The private key specified in the second line does not have the pem__PEM suffix.
- Start the Cloud Probe service.
To verify that an SSL key has been loaded properly by a Cloud Probe, check for the following success message in the installationDirectory/cloudprobe\staging\var\log\epx\epx.log file:
    <date and time stamp> info [CORE] INFO: SSL Keys and/or Hosts accept: GOOD
If you receive an error, see SSL-CFG-ERROR-issued-for-incorrect-Cloud-Probe-SSL-key-configuration. See also Troubleshooting-traffic-capture-on-a-Cloud-Probe.
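A pre-flight check for the procedure above, as an added example that is not part of the original page or the vendor's tooling: it rejects passphrase-protected PEM keys (which the Cloud Probe does not support), prints the epssl.cfg line pair, and looks for the success message in epx.log. The function names, the /opt/keys path, the key name shop and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for the Cloud Probe SSL key procedure.
# Function names are hypothetical; file syntax and log message are from the page.

# 0 = unprotected PEM private key, 1 = passphrase-protected (unsupported),
# 2 = unreadable file, 3 = no private key block. Inspects PEM headers only.
pem_key_status() {
    [ -r "$1" ] || return 2
    # PKCS#8 encrypted keys announce themselves in the BEGIN line.
    grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" && return 1
    # Traditional OpenSSL encrypted keys carry a Proc-Type header instead.
    grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1" && return 1
    grep -Eq -e '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$1" || return 3
    return 0
}

# Print the keymaterial/keyfor pair for epssl.cfg. As the page notes,
# keymaterial names the .pem__PEM file while keyfor uses the plain .pem name.
epssl_lines() {
    printf 'keymaterial %s/%s.pem__PEM ON\n' "$1" "$2"
    printf 'keyfor %s %s %s %s.pem\n' \
        "${3:-0.0.0.0-255.255.0.0}" "${4:-443-443}" "${5:-1}" "$2"
}

# 0 if the given epx.log contains the success message quoted on the page.
ssl_keys_loaded() {
    grep -q -F 'SSL Keys and/or Hosts accept: GOOD' "$1"
}

# Demo on constructed sample files (placeholder bodies, not real keys).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END PRIVATE KEY-----' > "$d/shop.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----' > "$d/locked.pem"
    echo '2024-01-01 00:00:00 info [CORE] INFO: SSL Keys and/or Hosts accept: GOOD' \
        > "$d/epx.log"
    pem_key_status "$d/shop.pem" && epssl_lines /opt/keys shop
    pem_key_status "$d/locked.pem" || echo "locked.pem rejected (status $?)"
    ssl_keys_loaded "$d/epx.log" && echo "epx.log: keys accepted"
    rm -rf "$d"
}
demo
```

Because the check reads PEM headers only, it confirms the key is not passphrase-protected but does not validate the key material itself.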
Example SSL keys