Various TLS EM and Agent Questions

Document ID : KB000095432
Last Modified Date : 30/05/2018
Show Technical Document Details
Question:
 Q1. What ports should I use for Java and .Net agents. ?
 Q2. Why does .Net agent use only HTTPS (HTTP over SSL) instead of SSL for agent-EM communications
 Q3. Do I need to set up an SSL channel in the EM properties file for a .Net agent
 Q4. Does APM 10.5/10.7 support SHA2?
 
Environment:
APM 10.5 and 10.7. 
Answer:

A1. SSL/TLS/HTTPS Ports are described https://comm.support.ca.com/kb/setting-up-ssl-communications-for-an-apm-cluster-and-components/kb000010477
   For .Net agents on MOM/Collector 8444 – HTTP Communication for APM UI (HTTPS) - via em-jetty-config.xml
    For Java Agents on MOM/Collector 5443 – Communication with Workstation/Webstart (SSL) and Agents (SSL)

A2. HTTPS is only supported SSL option for .Net agents. Java agents have more SSL communications mechanisms.
 

A3. SSL Channels in the EM properties file needs to be only to set up for the Java not .Net agents

A4.  On the EM, APM support SHA2. SHA2 (or SHA-2) is just a name for several hashing algorithms which include SHA-224, SHA-256, SHA-384, SHA-512 and few more. With default JRE policy, only SHA-256 is supported. After installation of unlimited JCE (Java Cryptography Encryption) policy,, SHA-384 is then included and supported.  APM 10.5 may have slight differences.
 
APM supports TLS from 1.0 through to 1.2 at least with APM 10.7. 
 
Note: Rather than reviewing ciphersuites, it would be better to review the JRE version the server runs on.
This will cover what cipher suites are available at all.  Then take a look at em\jre\lib\security\java.security file to document disabled weak algorithms.
 
APM ships with RSA certificate and keys so all the ciphers are RSA-based by default.