APPLICATION NOT REPORTED BY WRT AGENT
Q1) The ITCAM for Transactions Web Response Time (WRT/T5) agent does not report an expected application that is served by an HTTPS server in the TEP views under "Web Response Time".
How can this kind of issue be investigated further?
A1) Enable the following extra tracing on the WRT agent system, in the kfcmenv file:
KFC_DEBUG_SSL=Y; export KFC_DEBUG_SSL
Restart the WRT agent.
Make sure some traffic is generated against the "missing" HTTPS application.
Then review the most recently updated WRT analyzer log file :
Search it for error messages containing keywords such as error / unsupported / abort / exception / insufficient / unable / fail / ..., for example:
- Unsupported cipher suite XXX. Aborting session
- "KFCK_ProcessClientHelloV2") Insufficient Data. Expect length YYY but have ZZZ
For example, if you are getting error messages like these:
"KFCK_ProcessServerHello") Unsupported cipher suite C014. Aborting session
"KFCK_ProcessServerHello") Unsupported cipher suite C028. Aborting session
"KFCK_ProcessServerHello") Unsupported cipher suite C030. Aborting session
Cipher suite C014 is TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, which is a 'Diffie-Hellman' cipher.
Cipher suite C028 = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Cipher suite C030 = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
This means your secured web server is using a Diffie-Hellman key exchange, which is not supported by WRT, as documented here :
A different cipher is required on your secured web server, if possible, so that WRT can decrypt its traffic.
The Diffie-Hellman key exchange is designed to make such decryption impossible, as each endpoint in the connection maintains a private secret that WRT cannot access.
Unfortunately for WRT, the Diffie-Hellman algorithm is designed to be secure against eavesdropping, even when the listener has the decryption key.
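The log review described above can be scripted. The following is an added example, not IBM code: it counts the "Unsupported cipher suite" aborts per suite ID and reports the key exchange of each. The names triage, explain and KEY_EXCHANGE are hypothetical, the key-exchange values follow the IANA TLS Cipher Suites registry, and the sample lines (including the lengths 46 and 12) are constructed from the message texts quoted on this page.

```python
import re
from collections import Counter

# Key exchange per suite ID (IANA TLS Cipher Suites registry).
# Only a few common IDs are listed; extend the table for your own server.
KEY_EXCHANGE = {
    "002F": "RSA", "0035": "RSA", "009C": "RSA", "009D": "RSA",
    "0033": "DHE", "0039": "DHE", "009E": "DHE", "009F": "DHE",
    "C014": "ECDHE", "C028": "ECDHE", "C030": "ECDHE",
}
UNSUPPORTED = re.compile(r"Unsupported cipher suite ([0-9A-Fa-f]{4})\b")
KEYWORDS = re.compile(
    r"error|unsupported|abort|exception|insufficient|unable|fail", re.I)

def triage(lines):
    """Return (abort count per suite ID, other suspicious lines)."""
    suites, other = Counter(), []
    for line in lines:
        m = UNSUPPORTED.search(line)
        if m:
            suites[m.group(1).upper()] += 1
        elif KEYWORDS.search(line):
            other.append(line.strip())
    return suites, other

def explain(suite_id):
    """Return (key exchange, note) for a four-digit hex suite ID."""
    kx = KEY_EXCHANGE.get(suite_id, "unknown")
    if kx in ("DHE", "ECDHE"):
        return kx, "ephemeral Diffie-Hellman, not decryptable by a listener"
    if kx == "RSA":
        return kx, "static RSA key exchange, not a Diffie-Hellman suite"
    return kx, "not in table, check the cipher suite definitions"

# Constructed sample, built from the message texts quoted on this page.
SAMPLE_LOG = '''\
"KFCK_ProcessServerHello") Unsupported cipher suite C014. Aborting session
"KFCK_ProcessServerHello") Unsupported cipher suite C030. Aborting session
"KFCK_ProcessServerHello") Unsupported cipher suite C030. Aborting session
"KFCK_ProcessClientHelloV2") Insufficient Data. Expect length 46 but have 12
session established
'''.splitlines()

if __name__ == "__main__":
    suites, other = triage(SAMPLE_LOG)
    for sid, count in suites.most_common():
        print(sid, count, *explain(sid))
    for line in other:
        print("other:", line)
```

To run it against a real analyzer log, pass the open file object to triage() in place of SAMPLE_LOG.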
Another possible solution is to consider using a more recent monitoring product like IBM Cloud Application Performance Management V8.1:
IBM's recommendation for advanced ciphers is to use the Response Time plugin module in the HTTP Server. This is supported in APM V8.1 for Apache, IHS, and .NET web servers, and that strategy will be taken forward into the ICAM product (IBM Cloud App Management).
For reference, Cipher suite definitions can be found here: