To monitor HTTPS transactions, import keys into the KT5Keystore for all web servers that
you want to monitor.
About this task
You can either export the SSL certificates from the web servers that you are monitoring and
import them into the HTTPS Keystore by using IBM Key Management (iKeyman), or specify the web
server's keystore stash file (.kdb) in the HTTPS Keystore. When you install or
configure Response Time Monitoring, you are prompted for the location of
the keys.kdb file.
If you do not have keystore stash files (.kdb and .sth), check that the CMS Provider is enabled in your Java version so that you can use iKeyman to set up the key database:
- Go to the install_dir/ibm-jre/jre/lib/security directory. For example:
  - /opt/ibm/apm/agent/JRE/lx8266/lib/security
  - C:\Program Files\IBM\APM\ibm-jre\jre\lib\security
- In the java.security file, add the following statement to the list of security providers, as shown in the example that follows, where number is the sequence number that makes the entry the last one in the list (one more than the highest existing number):
  security.provider.number=com.ibm.security.cmskeystore.CMSProvider
  The list of providers then looks like the following example:

  ## List of providers and their preference orders #
  security.provider.1=com.ibm.jsse.IBMJSSEProvider
  security.provider.2=com.ibm.crypto.provider.IBMJCE
  security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
  security.provider.4=com.ibm.security.cert.IBMCertPath
  security.provider.5=com.ibm.security.cmskeystore.CMSProvider
  ...
  #
- Save and close the file.
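The java.security edit above, automated as an added example (this is not IBM's code): the script finds the highest existing security.provider.N entry, appends the CMSProvider with the next number directly after the last provider line, leaves the file alone if the provider is already registered, and checks that the numbering stays contiguous, because Java loads providers in order and stops at the first missing number, which would silently disable every provider after a gap. The file path argument and the sample excerpt are assumptions made for the example.

```python
import re
import sys
from pathlib import Path

CMS_PROVIDER = "com.ibm.security.cmskeystore.CMSProvider"
# Matches only active (uncommented) provider lines; "#security.provider.9=..." is ignored.
PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")

# Constructed excerpt of a java.security file that does not yet register the CMS provider.
SAMPLE_JAVA_SECURITY = """\
## List of providers and their preference orders #
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
#
# Other settings follow ...
"""

def parse_providers(text):
    """Map sequence number -> provider class for each active security.provider.N line."""
    providers = {}
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if m:
            providers[int(m.group(1))] = m.group(2)
    return providers

def numbering_is_contiguous(providers):
    """True when the numbers run 1..N without gaps or duplicates."""
    return sorted(providers) == list(range(1, len(providers) + 1))

def add_cms_provider(text):
    """Return (new_text, changed). Appends the CMS provider with the next sequence
    number right after the last provider line; unchanged if it is already present."""
    providers = parse_providers(text)
    if CMS_PROVIDER in providers.values():
        return text, False
    lines = text.splitlines()
    provider_idx = [i for i, l in enumerate(lines) if PROVIDER_RE.match(l)]
    insert_at = provider_idx[-1] + 1 if provider_idx else len(lines)
    lines.insert(insert_at, f"security.provider.{max(providers, default=0) + 1}={CMS_PROVIDER}")
    return "\n".join(lines) + "\n", True

if __name__ == "__main__":
    # Usage: python enable_cms.py /path/to/java.security  (edits the file in place);
    # with no argument the constructed sample is processed and nothing is written.
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    text = path.read_text() if path else SAMPLE_JAVA_SECURITY
    new_text, changed = add_cms_provider(text)
    if path and changed:
        path.write_text(new_text)
    print("CMS provider", "added" if changed else "already present")
    print("provider numbering contiguous:", numbering_is_contiguous(parse_providers(new_text)))
```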
Restriction: Response Time Monitoring cannot decrypt traffic that uses Diffie-Hellman key exchange.
Procedure
To enable HTTPS transaction monitoring, collect the SSL certificates from the web
servers that you want to monitor and import the certificates and keystore stash files into the HTTPS
Keystore by using iKeyman. The following example uses iKeyman to export the certificates from an IBM
HTTP Server, and import them to HTTPS Keystore:
- Install a Response Time Monitoring agent on each HTTPS web server that you want to monitor.
- Run IBM Key Management (iKeyman) from within the IBM Java bin directory by running one of the following commands, depending on your operating system.
- Create a new Keystore database. In the New dialog box, complete the following steps:
  - From the Key database type list, select CMS. If CMS is not available in the list, the CMS Provider might not be enabled. Enable the CMS Provider in the Java security file.
  - In the File Name field, enter the name of the HTTPS Keystore file and click OK. For example, keys.kdb.
- In the Password Prompt dialog box, complete the following steps:
  - In the Password and Confirm Password fields, enter and confirm the password to access keys.kdb. Do not set an expiration time unless you want to re-create the keystore database and restart the Response Time Monitoring agent periodically.
  - Select Stash the password to a file? to store the password for keys.kdb in an encrypted form in a stash file, keys.sth.
- In the Key database content section of the iKeyman window, complete the following steps:
  - Select Personal Certificates.
  - Click Import.
  - In the Import Key dialog box, from the Keyfile type list, select CMS.
  - Browse to the keystore file and click Open, and then click OK.
  - In the Password Prompt dialog box, enter the keystore password.
  - Select the key from the list and click OK.
  - In the Change Labels dialog box, select the key label name. In the Enter a new label field, specify the host name of the server and click Apply.
    Note: You need this value when you configure Response Time Monitoring, so make a note of it.
  - Click OK.
- Save the HTTPS Keystore.