Four things to investigate before opening an APM TIM SSL/TLS Case.

Document ID : KB000010872
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:
Environment:
All supported APM CEM TIM releases
Instructions:

Here are four questions to help you eliminate common network and TIM issues associated with SSL/TLS:

 

Question #1: Are there issues with my network setup?
Very often, network and SSL issues are interrelated. If the network traffic is one-way, filtered out, empty or small packets, having dropped and out of order packets, then SSL traffic may not appear correctly or at all.

 

See below for possible next steps:    

    https://support.ca.com/us/knowledge-base-articles.tec1122441.htm-- SSL Decode failures

https://communities.ca.com/community/ca-apm/blog/2017/12/01/tech-tip-66-drat-why-cant-i-record-in-apm-ce-cem -- Why can't I record?

https://communities.ca.com/message/99822745#99822745 -- Private keys

 

 

Question #2 Are my private key and passphrase in order?
Often, APM admins are given private keys from their web server, firewall, and load balancer admins. However, they must trust that they received the right key in the correct format with the correct passphrase (including if in upper, lower, or mixed case). This may not be the case. To verify, compare the modulus of the certificate from the server with the private key that you were given. See How do I verify that a private key matches a certificate? (OpenSSL) .

 

Question #3 Am I using a supported TLS ciphersuite or TLS extension/feature?
If you get an unsupported cipher suite message in the TIM log, compare the ciphersuite number against a list such as https://www.thesprawl.org/research/tls-and-ssl-cipher-suites/to learn more about the specific ciphersuite. 

 

Also see for further details
https://support.ca.com/us/knowledge-base-articles.tec1667615.html   -- Supported TLS cipher suites
https://support.ca.com/us/knowledge-base-articles.TEC1926892.html -- Master secret 
https://support.ca.com/us/knowledge-base-articles.TEC610516.html   -- SSL session ticket

 

Question #4: Am I using TLS 1.1/1.2? 
Your application may use TLS 1.1/1.2. APM TIM supports this feature with all current releases. But sometimes people forget to set explicitly DisableTLS11And12RecordsProcessing to 0 (Enable). Note by default this is implicitly set to 1 (Disable).

 

Next steps

By having gone through these four questions, you know that you are not having common networking and SSL issues. At this point, it is likely time to open a case providing such items as a HTTP/HTTPS trace (pcap, Fiddler trace, or equivalent), a TIM log with SSL. HTTP Components/Parameters, and networking addresses trace settings enabled. Ideally these should be both at the same time to perform event correlation.