Posted by John L.

Monitoring Peoplesoft on Weblogic with DCRUM

DCRUM – monitoring Weblogic – Peoplesoft

This article gives some background on Weblogic/Peoplesoft, explains how to extract the private key from the keystore, and shows how to set Weblogic to use SSL cipher suites that DCRUM supports.

Background

For those who have not yet configured monitoring for Peoplesoft/Weblogic: Peoplesoft rides on top of Weblogic, and Weblogic in turn uses a Java KeyStore (JKS) to manage its SSL keys.

Weblogic can, and probably will, use ciphers that DCRUM does not support. You can see this by running rcon on the AMD and entering “show ssldecr ciphers”, which lists both the supported and the unsupported ciphers. At the bottom of the list there may be further ciphers that DCRUM does not currently name; a quick internet search will tell you what they are (http://www.thesprawl.org/research/tls-and-ssl-cipher-suites/).

In my case we saw C013 (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) and C014 (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) predominantly used in our environment. Even after adding the private keys to the AMD, the Weblogic traffic was not decrypted: the keys were loaded by the AMD (show ssldecr keys) but not used by the servers (show ssldecr servers).

Certain ciphers cannot be decrypted through network sniffing at all, or are not supported by DCRUM, as explained in the FAQ: https://community.dynatrace.com/community/display/PUBDCRUM/SSL+Decryption+FAQ

Getting the private Key from the JKS

To export the private key, first list the keys and certificates in the JKS with the command:

keytool -list -v -keystore keystore.jks

Change keystore.jks to the name of the keystore used by your Weblogic server.

Look for the entry that holds the private key (keytool lists it as a PrivateKeyEntry); the other entries are certificates. The private key is the entry that needs to be exported. Next, export it to a new keystore in PKCS12 format:

keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias <jkskeyalias> -deststorepass <password> -destkeypass <password>

Change the parameters as necessary. For jkskeyalias specify the alias of the private key entry from the keytool listing; without -srcalias the command exports every entry, including all of the certificates.

Follow the DCRUM documentation to move the key to the AMD and convert it to a PEM formatted file (the input is the PKCS12 keystore exported above):

openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem

Add the key to the keylist and restart the RTM process. Verify that rtm loaded the key (rcon: show ssldecr keys).

Setting the Cipher on Weblogic

Adding the Weblogic SSL debugging startup parameters makes SSL details visible in the server log, such as the supported cipher suites and the ciphers used by connecting clients. See this Oracle article for details:

http://docs.oracle.com/cd/E21764_01/web.1111/e13707/ssl.htm#SECMG503

To set the Weblogic ciphers, determine which of the ciphers Weblogic can use are also supported by DCRUM. The Oracle article above lists the Weblogic ciphers (in the supported ciphers section), and from rcon, “show ssldecr ciphers” lists the ciphers the AMD supports. The complete list of cipher suites supported by the Java provider is available here:

http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider

In our case we chose 4:

TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA

Use multiple ciphers, because the Weblogic server negotiates which cipher to use based on the capabilities of the connecting client's browser. If the client does not support any of the listed ciphers, it will not be able to connect.

Next, configure Weblogic to use those ciphers. Open the server's config.xml and add one <ciphersuite> element per cipher inside the <ssl> element:

<ssl>
  <name>examplesServer</name>
  <enabled>true</enabled>
  <ciphersuite>TLS_RSA_WITH_AES_256_CBC_SHA256</ciphersuite>
  <ciphersuite>TLS_RSA_WITH_AES_256_CBC_SHA</ciphersuite>
  <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA256</ciphersuite>
  <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
  <listen-port>7002</listen-port>
  ...

Ensure the <ciphersuite> elements sit immediately below the <enabled> element, as shown above, with no stray whitespace inside the cipher names.
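As an added example (not from the original article or from Dynatrace), this Python snippet classifies cipher suites by their key exchange to show why the C013/C014 ECDHE suites seen earlier could not be decrypted from a passive capture while the four TLS_RSA suites can, and renders the matching config.xml lines. The suite list is constructed for the example; the hex IDs and names are the IANA registry values.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on what "show ssldecr ciphers" might report on an AMD.
# The IDs and names are IANA values; which ones appear here is made up.
OBSERVED: Dict[int, str] = {
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
}

def key_exchange(suite: str) -> str:
    """Return the key-exchange family encoded in an IANA cipher-suite name."""
    m = re.match(r"TLS_(ECDHE|DHE|ECDH|DH|RSA)(?:_(RSA|ECDSA|DSS))?_WITH_", suite)
    if m is None:
        # TLS 1.3 names carry no key exchange because 1.3 always uses (EC)DHE.
        if suite.startswith(("TLS_AES_", "TLS_CHACHA20_")):
            return "EPHEMERAL_TLS13"
        return "UNKNOWN"
    return m.group(1)

def decryptable_with_server_rsa_key(suite: str) -> bool:
    """True only for static RSA key exchange: the premaster secret is encrypted
    to the server certificate, so the server's private key recovers it.
    (EC)DHE derives the session key from ephemeral values that never appear on
    the wire, so a passive monitor holding the private key cannot decrypt."""
    return key_exchange(suite) == "RSA"

def partition(suites: Dict[int, str]) -> Tuple[List[str], List[str]]:
    """Split the observed suites into decryptable and not, ordered by suite ID."""
    names = [n for _, n in sorted(suites.items())]
    ok = [n for n in names if decryptable_with_server_rsa_key(n)]
    bad = [n for n in names if not decryptable_with_server_rsa_key(n)]
    return ok, bad

def weblogic_ciphersuite_xml(suites: List[str], indent: str = "  ") -> str:
    """Render the <ciphersuite> lines that belong directly under <enabled> in config.xml."""
    return "\n".join(f"{indent}<ciphersuite>{s}</ciphersuite>" for s in suites)

if __name__ == "__main__":
    ok, bad = partition(OBSERVED)
    print("decryptable with server RSA key:", ok)
    print("NOT decryptable from a passive capture:", bad)
    print(weblogic_ciphersuite_xml(ok))
```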

Restart the Weblogic server. Client connections will now negotiate one of the listed ciphers and the AMD will be able to decrypt the traffic.

Contributors

john.leight@dynatrace.com contributed to this article