How APM CE (CEM) SSL private keys are protected on the TIM and TIM Collector

Document ID : KB000019330
Last Modified Date : 14/02/2018
Show Technical Document Details

The following process is used to implement private keys:

  1. The SSL private keys are uploaded to the TIM Collector using an HTTP/HTTPS connection to the administrative APM CE UI.
  2. The TIM Collector forwards these immediately without storing them to each enabled TIM.
  3. The TIM Collector encrypts the keys using 128-bit Advanced Encryption Standard (AES) and sends them over an HTTP(S) connection, encrypting the key again for the SSL connection if configured.
  4. The AES encryption key is not stored as a data file. It is hard-coded into the TIM and TIM Collector.
  5. Each TIM encrypts the key again using 256-bit AES, with a different key that is hard-coded into the TIM. The encrypted result is stored in the directory /etc/wily/cem/tim/config/webservers with a filename of the form 10.10.10.10-10.10.10.10~80.xml-enc.