DCRUM – monitoring Weblogic – Peoplesoft
This article gives some background on WebLogic and PeopleSoft, shows how to export the server's private key from the Java keystore, and explains how to restrict WebLogic to the SSL cipher suites that DCRUM can actually decrypt.
For those who have not yet configured monitoring for PeopleSoft/WebLogic: PeopleSoft runs on top of WebLogic, and WebLogic in turn keeps its SSL private keys and certificates in a Java keystore (JKS).
WebLogic can, and by default probably will, negotiate cipher suites that DCRUM cannot decrypt. To see what is actually in use, run rcon on the AMD and enter “show ssldecr ciphers”. The output lists the supported and the unsupported cipher suites; at the bottom there may be further suites that DCRUM does not know by name and shows only by their hex ID. A quick lookup of the ID tells you what they are (http://www.thesprawl.org/research/tls-and-ssl-cipher-suites/).
In my case we saw C013 (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) and C014 (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) used predominantly in our environment. Even after adding the private keys to the AMD, the WebLogic traffic was not decrypted: the keys were loaded by the AMD (show ssldecr keys) but were not being used for any server (show ssldecr servers). That is the expected result for ECDHE suites: the server's RSA key only signs the handshake, while the session key comes from an ephemeral Diffie-Hellman exchange, so a passive sniffer holding the RSA private key cannot recover it.
Suites with ephemeral key exchange cannot be decrypted by network sniffing at all, and some other suites are simply not supported by DCRUM; both cases are explained in the FAQ: https://community.dynatrace.com/community/display/PUBDCRUM/SSL+Decryption+FAQ
Getting the private key from the JKS
To export the private key, first list the entries in the JKS:
keytool -list -v -keystore keystore.jks
Replace keystore.jks with the keystore your WebLogic server is configured to use (keytool prompts for the keystore password).
Look for the entry whose type is PrivateKeyEntry and note its alias; the other entries (trustedCertEntry) are certificates. Next, copy that one private-key entry into a new keystore in PKCS12 format:
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias <jkskeyalias> -deststorepass <password> -destkeypass <password>
Change the parameters as necessary. For jkskeyalias give the alias of the PrivateKeyEntry from the keytool listing; without -srcalias the command copies every entry, certificates included. keytool requires the PKCS12 store password and key password to be the same, so use one password for both.
Follow the DCRUM documentation to move the PKCS12 file to the AMD and convert it to a PEM-formatted private key (keystore.p12 is the file produced in the previous step):
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem
openssl prompts for the PKCS12 password. Note that -nodes writes the key unencrypted, so key.pem is a plaintext copy of the server's private key: keep it owner-readable only, transfer it over a secure channel and delete the intermediate copies. Add the key to the keylist and restart the RTM process, then verify the key was loaded by rtm (rcon: show ssldecr keys).
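The export procedure above as one script, added here as an example that is not part of the original article and not a DCRUM or Oracle tool: the keytool and openssl steps are wrapped in functions, and before the key goes onto the AMD it is checked against the certificate taken from the same PKCS12 file, which catches the common mistake of exporting the wrong alias. File names, the alias and the passwords are placeholders; the keytool functions need a JDK on the path, and the openssl functions need a reasonably current OpenSSL.

```shell
#!/bin/sh
# Added example, not from the original article: the JKS -> PKCS12 -> PEM
# steps wrapped in functions, plus the check worth doing before the key goes
# onto the AMD: that the PEM key really belongs to the certificate WebLogic
# serves. File names, aliases and passwords are placeholders.

# Print the aliases of the private-key entries in a JKS. keytool -list -v
# labels them "Entry type: PrivateKeyEntry"; certificates are trustedCertEntry.
list_private_key_aliases() {
    keytool -list -v -keystore "$1" -storepass "$2" |
        awk '/^Alias name: / { a = substr($0, 13) }
             /^Entry type: PrivateKeyEntry/ { print a }'
}

# Step 1: copy one private-key entry (by alias) into a new PKCS12 keystore.
# keytool requires store and key password to be identical for PKCS12.
jks_to_p12() {
    jks=$1 key_alias=$2 jks_pass=$3 p12=$4 p12_pass=$5
    keytool -importkeystore -srckeystore "$jks" -srcstorepass "$jks_pass" \
        -srcalias "$key_alias" -destkeystore "$p12" -deststoretype PKCS12 \
        -deststorepass "$p12_pass" -destkeypass "$p12_pass"
}

# Step 2: extract the private key as PEM. -nodes writes it unencrypted, so
# create it owner-readable only (umask in a subshell leaves the caller alone).
p12_to_pem() {
    ( umask 077
      openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -nocerts -out "$3" )
}

# Also pull the matching certificate out of the PKCS12 for the check below.
p12_to_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3"
}

# The check: the public key derived from the PEM private key must be
# byte-identical to the public key inside the certificate. Returns 0 on a
# match, 1 on a mismatch (wrong alias exported), 2 if a file is unreadable.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# Usage: sh export_key.sh keystore.jks <alias> <jks password> <p12 password>
# Writes keystore.p12, key.pem and cert.pem in the current directory.
main() {
    jks=$1 key_alias=$2 jks_pass=$3 p12_pass=$4
    jks_to_p12 "$jks" "$key_alias" "$jks_pass" keystore.p12 "$p12_pass"
    p12_to_pem keystore.p12 "$p12_pass" key.pem
    p12_to_cert keystore.p12 "$p12_pass" cert.pem
    if key_matches_cert key.pem cert.pem; then
        echo "key.pem matches cert.pem; safe to add to the AMD keylist"
    else
        echo "key.pem does NOT match cert.pem; check the alias" >&2
        exit 1
    fi
}

if [ $# -eq 4 ]; then main "$@"; fi
```

Run it as `sh export_key.sh keystore.jks <alias> <jks password> <p12 password>` on a box that has both keytool and openssl. `list_private_key_aliases keystore.jks <password>` is a quick way to find the alias when the keystore holds many trusted certificates; the comparison in key_matches_cert works for RSA and EC keys alike because it compares the SubjectPublicKeyInfo, not the RSA modulus.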
Setting the cipher suites on WebLogic
WebLogic startup parameters can make it write SSL details to the server log, such as the cipher suites it supports and the suite each connected client negotiated. See this article for details:
To set the WebLogic cipher suites, determine which of the suites WebLogic can use are also supported by DCRUM. The Oracle article above lists the WebLogic suites (in its supported ciphers section); from rcon, “show ssldecr ciphers” shows the suites the AMD supports. The whole list of supported cipher suites is available here:
In our case we chose 4:
Use more than one suite, because the WebLogic server negotiates the suite based on what the connecting client's browser offers; a client that supports none of the configured suites will fail to connect. Be clear about the trade-off: restricting WebLogic to TLS_RSA suites removes forward secrecy for every client, which is exactly what makes passive decryption possible, and TLS 1.3 has no static RSA key exchange at all, so this approach only works for TLS 1.2 and earlier.
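The rule behind the choice above, as an added example that is not from the original article and not DCRUM's own logic: a POSIX shell script that resolves the hex IDs rcon prints to their IANA names, classifies each suite by its key-exchange family, and filters a list down to the suites a sniffer holding the server's RSA private key can decrypt. It generalizes past the suites on this page to any TLS_* name, but the ID table is an assumption of this example and only covers the IDs named here plus a few common neighbours; anything else reports as unknown.

```shell
#!/bin/sh
# Added example, not from the original article: decide from a cipher suite's
# IANA name whether DCRUM-style passive decryption with the server's RSA
# private key can work. Only static RSA key exchange (TLS_RSA_WITH_...)
# qualifies; (EC)DHE suites derive a session key the sniffer never sees.

# Resolve the 4-hex-digit IDs rcon prints (e.g. C013, or 0xc013) to IANA
# names. Small table: the IDs from the article plus common neighbours.
suite_name() {
    id=${1#0x}; id=${id#0X}
    case $(printf '%s' "$id" | tr 'abcdef' 'ABCDEF') in
        002F) echo TLS_RSA_WITH_AES_128_CBC_SHA ;;
        0035) echo TLS_RSA_WITH_AES_256_CBC_SHA ;;
        003C) echo TLS_RSA_WITH_AES_128_CBC_SHA256 ;;
        003D) echo TLS_RSA_WITH_AES_256_CBC_SHA256 ;;
        009C) echo TLS_RSA_WITH_AES_128_GCM_SHA256 ;;
        009D) echo TLS_RSA_WITH_AES_256_GCM_SHA384 ;;
        C013) echo TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ;;
        C014) echo TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ;;
        C02F) echo TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ;;
        C030) echo TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ;;
        *)    echo "UNKNOWN_$1" ;;
    esac
}

# Key-exchange family from the name: the token between TLS_ and _WITH_.
key_exchange() {
    kex=${1#TLS_}; kex=${kex%%_WITH_*}
    case $kex in
        RSA)            echo static-rsa ;;  # RSA key decrypts the premaster
        ECDHE_*|DHE_*)  echo ephemeral ;;   # forward secrecy: RSA key only signs
        ECDH_*|DH_*)    echo static-dh ;;   # cert holds a DH/EC key, not RSA
        *)              echo other ;;
    esac
}

# Returns 0 if a passive sniffer holding the server's RSA private key can
# recover the session keys for this suite, 1 otherwise. Accepts name or ID.
passively_decryptable() {
    name=$1
    case $name in TLS_*) ;; *) name=$(suite_name "$name") ;; esac
    [ "$(key_exchange "$name")" = static-rsa ]
}

# Filter: echo only the decryptable entries of a list (names or IDs) on stdin.
select_decryptable() {
    while read -r s; do
        if [ -n "$s" ] && passively_decryptable "$s"; then echo "$s"; fi
    done
}

# Usage: sh suites.sh C013 C014 002F TLS_RSA_WITH_AES_128_CBC_SHA256
# prints one line per argument: id/name, IANA name, key exchange, verdict.
if [ $# -gt 0 ]; then
    for s; do
        case $s in TLS_*) n=$s ;; *) n=$(suite_name "$s") ;; esac
        if passively_decryptable "$s"; then v=decryptable; else v=not-decryptable; fi
        printf '%s\t%s\t%s\t%s\n' "$s" "$n" "$(key_exchange "$n")" "$v"
    done
fi
```

Feeding the output of “show ssldecr ciphers” through `select_decryptable` (after trimming it to one suite name or ID per line) leaves the candidates that are worth configuring on WebLogic; the static-dh class is listed separately because those suites are not decryptable with an RSA key either, even though they have no forward secrecy.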
Next configure WebLogic to use those suites. Open the server's config.xml and, inside the server's <ssl> element, add one ciphersuite line per suite:
<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA256</ciphersuite>
<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
The ciphersuite entries must come immediately after the <enabled> element of that <ssl> section; element order in config.xml is significant, so entries placed elsewhere are not picked up.
Restart the WebLogic server. New client connections will negotiate one of the listed suites, and the AMD will be able to decrypt the traffic; confirm with “show ssldecr servers” that the WebLogic server now appears as using the loaded key.