Wireshark (formerly called Ethereal) is a great, free, open source tool to analyze network packet captures. To gather packet captures on various operating systems, see http://www-01.ibm.com/support/docview.wss?uid=swg21175744. Wireshark supports decrypting some types of SSL traffic: http://wiki.wireshark.org/SSL. The following developerWorks article covers the basics of using this feature: http://www.ibm.com/developerworks/web/tutorials/wa-tomcat/section4.html. In this post, I'll cover some WAS-specific tips.
By default, WAS uses PKCS#12 or p12 files for the SSL key stores with the password of WebAS. In this example, I'll be looking at an SSL login of the deployment manager, so I've copied off the $WAS/profiles/$DMGR/etc/key.p12 file. If you are a customer providing a p12 file to IBM (or anyone, really), check with your security team on rules and procedures. There are also ways to export just the RSA private key part out of the p12 file without a password.
First, gather the packet trace either on the client or on the server. Here I'm on Linux gathering everything on port 9094 (the SSL port of the deployment manager):
$ sudo tcpdump -i any port 9094 -w dmgr.pcap
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
91 packets captured
182 packets received by filter
0 packets dropped by kernel
Start Wireshark and go to Edit > Preferences > Protocols > SSL. Enter:
RSA keys list: CLIENT_IP,SERVER_SSL_PORT,http,PATH_TO_P12_FILE,P12_PASSWORD
SSL debug file: PATH_TO_DEBUG_FILE
In my case:
RSA keys list: 127.0.0.1,9094,http,/tmp/wire/key.p12,WebAS
SSL debug file: /tmp/wire/wireshark.out
Load the capture file in Wireshark. You may see something like the following:
Frames 1 through 9 are the TCP and SSL handshakes. If the next frame on this stream says "Encrypted Handshake Message," then something went wrong. Looking at the SSL debug file, search for CIPHER:
$ grep CIPHER wireshark.out
dissect_ssl3_hnd_srv_hello found CIPHER 0x0033 -> state 0x17
Looking at the IANA.org list, we can see that this cipher is TLS_DHE_RSA_WITH_AES_128_CBC_SHA.
Unfortunately, Wireshark does not currently support DHE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3977. With a DHE cipher suite, the session key comes from an ephemeral Diffie-Hellman exchange and the server's RSA key only signs that exchange, so the private key from the p12 file alone cannot recover the session key. There are two solutions to this: 1) change the browser(s) not to use DHE ciphers, or 2) change WAS not to use DHE ciphers. Check with your security team before making these types of changes.
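The CIPHER check above can be automated over the whole SSL debug file, which is useful when a capture contains many connections. The following script is an added example, not part of the original post or of Wireshark itself; it assumes the debug-line format shown by the grep above, uses a small hand-verified subset of the IANA cipher-suite registry, and treats only static RSA key exchange (TLS_RSA_*) as decryptable with the server key.

```python
import re
from collections import Counter

# Small, hand-verified subset of the IANA TLS cipher-suite registry.
# Extend it with the suites your WAS QoP settings actually allow.
IANA_CIPHERS = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

# Matches the ServerHello line Wireshark writes to the SSL debug file.
CIPHER_RE = re.compile(r"found CIPHER 0x([0-9A-Fa-f]{4})")


def classify(suite_id):
    """Return (name, decryptable) for one negotiated cipher-suite id.

    Only static RSA key exchange lets Wireshark recover the premaster
    secret with the server's private key; DHE/ECDHE suites use ephemeral
    keys, so the p12 key alone cannot decrypt those sessions.
    """
    name = IANA_CIPHERS.get(suite_id, "UNKNOWN_0x%04X" % suite_id)
    return name, name.startswith("TLS_RSA_")


def audit_debug_log(text):
    """Parse SSL debug output; return per-connection results and totals."""
    counts = Counter()
    report = []
    for line in text.splitlines():
        m = CIPHER_RE.search(line)
        if not m:
            continue
        name, ok = classify(int(m.group(1), 16))
        counts["decryptable" if ok else "not_decryptable"] += 1
        report.append((name, ok))
    return report, dict(counts)


# Constructed sample of SSL debug output (not from a real capture).
SAMPLE_DEBUG = """\
dissect_ssl enter frame #10 (first time)
dissect_ssl3_hnd_srv_hello found CIPHER 0x0033 -> state 0x17
dissect_ssl3_hnd_srv_hello found CIPHER 0x002F -> state 0x17
dissect_ssl3_hnd_srv_hello found CIPHER 0xC02F -> state 0x17
"""

if __name__ == "__main__":
    for name, ok in audit_debug_log(SAMPLE_DEBUG)[0]:
        print("%-42s %s" % (name, "ok" if ok else "needs non-DHE/ECDHE suite"))
```

Run it against your own wireshark.out by passing the file contents to audit_debug_log; any connection reported as not decryptable will show "Encrypted Handshake Message" in Wireshark regardless of the RSA keys list setting.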
To remove DHE from available ciphers in WAS, go to SSL certificate and key management > SSL configurations > $SSL_SETTINGS > Quality of protection (QoP) settings. Under Cipher suite settings, select any ciphers in the Selected ciphers listbox that have DHE in them, and click << Remove. Click OK, save, and synchronize. You will have to gather a new packet capture after this is done.
Once you've got a packet capture with a cipher that Wireshark understands, when you load the capture, you should immediately see the "normal" Wireshark view, with HTTP traffic. In this case, frame 10 shows "Finished" instead of what we saw before:
In the bottom view, a new tab called Decrypted SSL data now shows up! In this case, we can see my user name and password being submitted on the POST to the DMGR admin console login page.
It's important to note that the SSL handshake must be captured for this to work, so if the packet capture starts after the user's browser has already opened a connection and keeps re-using it, the user will need to restart their browser or wait for that connection to time out naturally.