IBM Performance Management

Monitoring HTTPS transactions

Response Time Monitoring monitors HTTP transactions by default. To monitor HTTPS transactions, Response Time Monitoring requires access to the SSL Certificates so that it can decrypt SSL traffic from your remote web servers.

Before you begin

Identify the HTTPS web servers that you want to monitor, including their IP addresses and configured ports, for example 192.168.1.23, port 443. For each HTTPS web server, check that the cipher suites it negotiates are ones that Response Time Monitoring can decrypt. Response Time Monitoring supports the ciphers supported by IBM Java, including the following:
  • RSA_WITH_RC4_40_MD5
  • RSA_WITH_RC4_128_MD5
  • RSA_WITH_RC4_128_SHA
  • RSA_WITH_RC4_40_SHA
  • RSA_WITH_DES40_CBC_SHA
  • RSA_WITH_DES_CBC_SHA
  • RSA_WITH_3DES_EDE_CBC_SHA
  • RSA_WITH_AES_128_CBC_SHA
  • RSA_WITH_AES_256_CBC_SHA
  • RSA_EXPORT1024_WITH_RC4_56_MD5
  • RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
  • RSA_EXPORT1024_WITH_DES_CBC_SHA
  • RSA_EXPORT1024_WITH_RC4_56_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
Restriction: Response Time Monitoring cannot decrypt traffic that uses Diffie-Hellman key exchange (for example, DHE or ECDHE cipher suites), because with those suites the session key is never sent under the server's RSA key.
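A pre-check for the cipher requirement above, written as an added example and not as IBM code. It classifies cipher suite names by key-exchange method, accepting both the Java/IANA spelling (TLS_RSA_WITH_AES_128_CBC_SHA256) and the OpenSSL spelling (ECDHE-RSA-AES128-GCM-SHA256), so that a server that only negotiates Diffie-Hellman suites is caught before the agent is configured. The SUPPORTED tuple is the list from this page; the name-based classification rules, the DH_TOKENS set and the sample suite list are my own assumptions for the example (the TLS 1.3 rule reflects that TLS 1.3 always uses ephemeral Diffie-Hellman).

```python
"""Classify cipher suite names by key exchange for the HTTPS pre-check.

Added example, not IBM code. SUPPORTED is copied from the documentation page;
everything else is an assumption made for this example.
"""
from dataclasses import dataclass

# Ciphers the page lists as supported, spelled exactly as the page spells them.
SUPPORTED = (
    "RSA_WITH_RC4_40_MD5",
    "RSA_WITH_RC4_128_MD5",
    "RSA_WITH_RC4_128_SHA",
    "RSA_WITH_RC4_40_SHA",
    "RSA_WITH_DES40_CBC_SHA",
    "RSA_WITH_DES_CBC_SHA",
    "RSA_WITH_3DES_EDE_CBC_SHA",
    "RSA_WITH_AES_128_CBC_SHA",
    "RSA_WITH_AES_256_CBC_SHA",
    "RSA_EXPORT1024_WITH_RC4_56_MD5",
    "RSA_EXPORT1024_WITH_RC2_CBC_56_MD5",
    "RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "RSA_EXPORT1024_WITH_RC4_56_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
)

# Name tokens (assumed set) that mean the session key comes from Diffie-Hellman:
# ephemeral or static, finite-field or elliptic-curve, authenticated or anonymous.
DH_TOKENS = {"DH", "DHE", "ECDH", "ECDHE", "ADH", "AECDH", "EDH", "EECDH"}
# Key-exchange families that are neither plain RSA nor DH.
OTHER_TOKENS = {"PSK", "SRP", "KRB5"}


@dataclass(frozen=True)
class SuiteCheck:
    suite: str
    key_exchange: str   # "RSA", "DH" or "OTHER"
    decryptable: bool   # True only for RSA key exchange
    listed: bool        # True if the page's supported list names this suite


def _strip_prefix(name):
    """IBM Java prefixes most names with SSL_ or TLS_; the page omits it."""
    for prefix in ("TLS_", "SSL_"):
        if name.startswith(prefix):
            return name[len(prefix):]
    return name


_SUPPORTED_BARE = {_strip_prefix(s) for s in SUPPORTED}


def classify(suite):
    """Return a SuiteCheck for one cipher suite name in either spelling."""
    name = suite.strip().upper()
    bare = _strip_prefix(name)
    if "_WITH_" in bare:
        # Java/IANA style: the part before _WITH_ names the key exchange,
        # e.g. RSA, RSA_EXPORT1024, DHE_RSA, ECDHE_ECDSA, DH_ANON.
        tokens = set(bare.split("_WITH_", 1)[0].split("_"))
        if tokens & DH_TOKENS:
            kex = "DH"
        elif tokens & OTHER_TOKENS:
            kex = "OTHER"
        elif "RSA" in tokens:
            kex = "RSA"
        else:
            kex = "OTHER"
    elif name.startswith("TLS_") and "-" not in name:
        # TLS 1.3 suites (TLS_AES_128_GCM_SHA256, ...) carry no key-exchange
        # field because TLS 1.3 always uses ephemeral Diffie-Hellman.
        kex = "DH"
    elif "-" in name:
        # OpenSSL style: a leading ECDHE/DHE/ADH/... token marks DH; names
        # without a key-exchange token (AES128-SHA, RC4-MD5) use RSA.
        tokens = set(name.split("-"))
        if tokens & DH_TOKENS:
            kex = "DH"
        elif tokens & OTHER_TOKENS:
            kex = "OTHER"
        else:
            kex = "RSA"
    else:
        kex = "OTHER"
    return SuiteCheck(suite, kex, kex == "RSA", bare in _SUPPORTED_BARE)


def report(suites):
    """One line per suite: whether the agent can decrypt it and why."""
    lines = []
    for s in suites:
        c = classify(s)
        verdict = "decryptable" if c.decryptable else "NOT decryptable"
        note = "on the page's list" if c.listed else "not on the page's list"
        lines.append(f"{c.suite:45} {c.key_exchange:5} {verdict:16} ({note})")
    return lines


if __name__ == "__main__":
    # Constructed sample: the kind of list you would collect from a TLS scan
    # of each server named in the 'Before you begin' step.
    SAMPLE = [
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "SSL_RSA_WITH_RC4_128_MD5",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "ECDHE-RSA-AES128-GCM-SHA256",
        "AES128-SHA",
        "TLS_AES_128_GCM_SHA256",
    ]
    print("\n".join(report(SAMPLE)))
```

A server whose every offered suite comes back as NOT decryptable will never produce HTTPS transaction data in the agent, no matter how the keystore and certificate map are set up; the classification is by name only, so it tells you nothing about whether the server's key is actually in the keystore.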

Procedure

To enable HTTPS transaction monitoring, complete the following steps:

  1. Set up the keystore. For more information, see Setting up the keystore.
  2. Configure the Response Time Monitoring agent by running one of the following commands and providing values when prompted:
    • Linux install_dir/bin/rt-agent.sh config
    • Windows install_dir\BIN\rt-agent.bat config
    For example:
    Configuring Response Time Monitoring Agent  
    Edit 'Response Time Monitoring Agent' settings? [1=Yes,2=No](default is: 1): 1
    
    Basic Configuration :   Specify basic monitoring configuration. Note: HTTP is 
    now configured centrally using the Response Time tab under Agent Configuration.  
    
    Specifies if HTTPS transactions should be monitored  
    Monitor HTTPS transactions [ 1=Yes, 2=No ] (default is:2): 1  
    
    This keystore contains the certificates of the HTTPS websites being monitored  
    HTTPS keystore (e.g. - /tmp/keys.kdb) (default is: ): /tmp/keys.kdb   
    
    This table maps HTTPS servers to the appropriate certificates (e.g. cert1,
    server ip,server port; cert2,server2 ip,server2 port);...  
    HTTPS server certificate map (eg - certAlias,9.48.152.1,443;...)(default is: ):
     label1,10.0.0.1,9443;label1,9.185.150.71,443  
    
    Advanced Configuration :  
    Specify advanced monitoring configuration  
    
    The NIC card which has the selected IP address will be monitored.  
    IP address of the NIC to be monitored (default is: ): 10.0.0.1  
    
    Data Collection and Analysis Configuration :  
    Specify Configuration Information on how Data is Analyzed. 
     
    Configuration completed successfully.  
    Agent restart required to apply configuration changes.
    where:
    • HTTPS keystore is the keystore that you configured in step 1.
    • HTTPS server certificate map is a semicolon-separated list of label,server ip,server port entries, where:
      • label is the key label that you configured in step 1
      • server ip is the IP address of the server, which must match the Source or Destination attribute in the IPv4 header of the packets
      • server port is the port number of the server, which must match the Source or Destination port attribute in the TCP header of the packets
      Add one entry for each server IP address that uses the same key label.
    • IP address of the NIC to be monitored is the address of the interface (eth0, en0, and so on) that can see the packets. This address does not need to match any field in the IPv4 or TCP headers of the packets. If 10.0.0.1 is assigned to eth0, run tcpdump -s0 -i eth0 ... to confirm that the interface sees all the packets that the Packet Analyzer needs to analyze.
  3. Restart the Response Time Monitoring agent.
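The certificate map entered in step 2 is a free-form string that the agent only applies after a restart, so a mistyped label, address or port is easy to miss. The following added example (not part of the IBM agent) validates a map value of the form shown in the prompt and derives a tcpdump filter for the NIC check described above. The map syntax and the sample value are taken from the page; the keystore label set and the filter construction are assumptions made for the example.

```python
"""Validate an 'HTTPS server certificate map' value and derive a tcpdump
filter for checking that the monitored NIC sees the mapped flows.

Added example, not IBM code. The map syntax (label,ip,port entries separated
by ';') is the one the rt-agent configuration prompt shows.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class MapEntry:
    label: str   # key label in the keystore created in step 1
    ip: str      # must match the IPv4 source or destination of the packets
    port: int    # must match the TCP source or destination port


def parse_certificate_map(value, known_labels=None):
    """Parse 'label,ip,port;label,ip,port;...' into MapEntry objects.

    Raises ValueError naming the offending entry, so a typo is caught before
    the agent is restarted with a map that silently matches nothing.
    known_labels, if given, is the set of labels present in the keystore.
    """
    entries = []
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue   # tolerate a trailing ';'
        parts = [p.strip() for p in raw.split(",")]
        if len(parts) != 3:
            raise ValueError(f"entry {raw!r}: expected label,ip,port")
        label, ip, port = parts
        if not label:
            raise ValueError(f"entry {raw!r}: empty key label")
        if known_labels is not None and label not in known_labels:
            raise ValueError(f"entry {raw!r}: label {label!r} is not in the keystore")
        try:
            addr = ipaddress.IPv4Address(ip)
        except ipaddress.AddressValueError:
            raise ValueError(f"entry {raw!r}: {ip!r} is not an IPv4 address") from None
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"entry {raw!r}: {port!r} is not a TCP port")
        entries.append(MapEntry(label, str(addr), int(port)))
    if not entries:
        raise ValueError("certificate map is empty")
    return entries


def tcpdump_filter(entries):
    """BPF expression matching exactly the flows the map covers (assumed
    construction), for use as: tcpdump -s0 -i eth0 '<expression>'."""
    return " or ".join(f"(host {e.ip} and tcp port {e.port})" for e in entries)


if __name__ == "__main__":
    KEYSTORE_LABELS = {"label1"}   # constructed: the labels created in step 1
    MAP = "label1,10.0.0.1,9443;label1,9.185.150.71,443"   # value from the prompt above
    entries = parse_certificate_map(MAP, KEYSTORE_LABELS)
    for e in entries:
        print(f"{e.label:10} {e.ip:16} {e.port}")
    print("tcpdump -s0 -i eth0 '" + tcpdump_filter(entries) + "'")
```

If the filtered capture on the chosen interface shows no packets, the NIC address in the Advanced Configuration step is wrong or the traffic takes another path, and the agent will report nothing for those servers even though the map and keystore are correct.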