IBM Performance Management

Setting up the keystore

To monitor HTTPS transactions, import keys into the KT5Keystore for all web servers that you want to monitor.

About this task

You can either export the SSL certificates from the web servers that you are monitoring and import them into the HTTPS Keystore by using IBM Key Management (iKeyman), or specify the web server's existing key database file (.kdb) as the HTTPS Keystore. When you install or configure Response Time Monitoring, you are prompted for the location of the keys.kdb file.

If you do not have keystore stash files (.kdb and .sth), check that the CMS Provider is enabled in your Java version so that you can use iKeyman to set up the key database:
  1. Go to the install_dir/ibm-jre/jre/lib/security directory. For example:
    • Linux: /opt/ibm/apm/agent/JRE/lx8266/lib/security
    • Windows: C:\Program Files\IBM\APM\ibm-jre\jre\lib\security
  2. In the java.security file, add the following statement to the end of the list of security providers, where number is the next free sequence number (the last number in the list plus one):
    security.provider.number=com.ibm.security.cmskeystore.CMSProvider
    After the change, the list of providers looks like the following example:
    #
    # List of providers and their preference orders
    #
    security.provider.1=com.ibm.jsse.IBMJSSEProvider
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.4=com.ibm.security.cert.IBMCertPath
    security.provider.5=com.ibm.security.cmskeystore.CMSProvider
    ...
    #
  3. Save and close the file.
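
The following script is an added example (not part of the IBM documentation) that performs steps 1 to 3 non-interactively: it finds the highest existing security.provider.N entry in java.security, inserts the CMS Provider directly after it with the next sequence number, skips the edit if the provider is already registered, and keeps a .bak copy. The java.security content it writes is a constructed sample fragment, not a real installation file; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the IBM documentation): register the CMS Provider
# in java.security using the next free security.provider.N sequence number,
# inserting it directly after the last existing provider entry.

CMS_PROVIDER="com.ibm.security.cmskeystore.CMSProvider"

# Write a constructed java.security fragment (sample input, not a real file) to $1.
write_sample_java_security() {
    cat > "$1" <<'EOF'
#
# List of providers and their preference orders (see above):
#
security.provider.1=com.ibm.jsse.IBMJSSEProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
#
# Select the source of seed data for SecureRandom.
#
securerandom.source=file:/dev/urandom
EOF
}

# Print the next free provider number: highest existing N plus one (1 if none).
next_provider_number() {
    last=$(grep -E '^security\.provider\.[0-9]+=' "$1" | cut -d= -f1 \
           | cut -d. -f3 | sort -n | tail -n 1)
    echo $(( ${last:-0} + 1 ))
}

# Add the CMS Provider line unless it is already registered, keeping a .bak copy.
# Prints the provider entry that is (or already was) in the file.
enable_cms_provider() {
    file="$1"
    existing=$(grep -E "^security\.provider\.[0-9]+=$CMS_PROVIDER\$" "$file" || true)
    if [ -n "$existing" ]; then
        echo "$existing"          # already enabled; nothing to do
        return 0
    fi
    entry="security.provider.$(next_provider_number "$file")=$CMS_PROVIDER"
    last_line=$(grep -nE '^security\.provider\.[0-9]+=' "$file" | tail -n 1 | cut -d: -f1)
    cp "$file" "$file.bak"
    if [ -n "$last_line" ]; then
        # Insert the new entry right after the last security.provider.N line.
        awk -v ln="$last_line" -v entry="$entry" '{ print } NR == ln { print entry }' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s\n' "$entry" >> "$file"   # no provider list yet: append
    fi
    echo "$entry"
}
```

Run it against a copy of the real java.security first and diff the result against the .bak file before touching the JRE used by the agent.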
Restriction: Response Time Monitoring cannot decrypt traffic by using Diffie-Hellman key exchange.

Procedure

To enable HTTPS transaction monitoring, collect the SSL certificates from the web servers that you want to monitor and import the certificates and keystore stash files into the HTTPS Keystore by using iKeyman. The following example uses iKeyman to export the certificates from an IBM HTTP Server and import them into the HTTPS Keystore:

  1. Install a Response Time Monitoring agent on each HTTPS web server that you want to monitor.
  2. Run IBM Key Management (iKeyman) from within the IBM Java bin directory by running one of the following commands, depending on your operating system.
    • AIX or Linux: /opt/ibm/apm/agent/JRE/lx8266/bin/ikeyman
      Note: An X Window System display must be available for iKeyman to work properly.
    • Windows: c:\IBM\APM\java\java80_x64\jre\bin\ikeyman
  3. Create a new Keystore database. In the New dialog box, complete the following steps:
    1. From the Key database type list, select CMS. If CMS is not available in the list, the CMS Provider might not be enabled. Enable the CMS Provider in the Java security file.
    2. In the File Name field, enter the name of the HTTPS Keystore file and click OK. For example, keys.kdb.
  4. In the Password Prompt dialog box, complete the following steps:
    1. In the Password and Confirm Password fields, enter and confirm the password to access keys.kdb. Do not set an expiration time unless you want to re-create the keystore database and restart the Response Time Monitoring agent periodically.
    2. Select Stash the password to a file? to store the password for keys.kdb in an encrypted form in a stash file, keys.sth.
  5. In the Key database content section of the iKeyman window, complete the following steps:
    1. Select Personal Certificates.
    2. Click Import.
    3. In the Import Key dialog box, from the Keyfile type list, select CMS.
    4. Browse to the keystore file and click Open, and then click OK.
    5. In the Password Prompt dialog box, enter the keystore password.
    6. Select the key from the list and click OK.
    7. In the Change Labels dialog box, select the key label name. In the Enter a new label field, specify the host name of the server and click Apply.
      Note: You need this value when you configure Response Time Monitoring, so make a note of it.
    8. Click OK.
  6. Save the HTTPS Keystore.