Tech Tip #67 Four Questions to Ask Before Opening an APM CEM TIM SSL Case

Blog Post created by Hallett_German Employee on Jan 17, 2018


This post captures, for the first time in one place, the important areas to investigate before opening an APM CEM TIM SSL case.


I've visited some of these ideas in:
https://communities.ca.com/community/ca-apm/blog/2017/12/01/tech-tip-66-drat-why-cant-i-record-in-apm-ce-cem -- Why can't I record?

https://communities.ca.com/message/99822745#99822745 -- Private keys


Question #1: Are there issues with my network setup?
Network and SSL issues are very often interrelated. If the traffic reaching the TIM is one-way (only one side of the conversation is seen), filtered out, made up of empty or very small packets, or contains dropped and out-of-order packets, then the SSL traffic may not decode correctly or may not appear at all. TLS records are reassembled from the TCP stream, so a single missing or misordered segment can break decoding of that session from that point onward.


See the links above for possible next steps, as well as https://support.ca.com/us/knowledge-base-articles.tec1122441.html -- SSL Decode failures.
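The symptoms listed above can be checked mechanically on a capture taken at the TIM's span or tap point. The script below is an added example, not code from the original post or from CA: it uses tshark (the Wireshark command-line tool, assumed to be installed) to dump per-segment fields for TCP port 443 and then classifies each client connection as one-way, payload-free, lossy, or OK. The tshark field names are real; the port-443 assumption is the script's, and the sample lines fed to the analyser are constructed for illustration rather than taken from a real capture.

```shell
#!/bin/sh
# Added example (not from the original post): triage a capture for the network
# symptoms that break SSL decode: one-way traffic, empty segments, drops and
# reordering. Assumes tshark is on PATH and that TLS runs on TCP port 443.

# tls_flow_fields PCAP: one tab-separated line per TCP segment on port 443:
#   src  dst  sport  dport  payload_len  retransmission  out_of_order
# (the last two are empty unless Wireshark's TCP analysis flagged the segment)
tls_flow_fields() {
  tshark -r "$1" -Y 'tcp.port == 443' -T fields -E separator=/t \
    -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.len \
    -e tcp.analysis.retransmission -e tcp.analysis.out_of_order
}

# analyze_flows: read those lines on stdin and print one line per client
# connection with packet/byte counts per direction and a verdict.
analyze_flows() {
  awk -F '\t' '
  {
    # key every segment by client:port -> server:443 regardless of direction
    if ($4 == 443) {
      k = $1 ":" $3 " -> " $2 ":" $4; cp[k]++; cb[k] += $5
    } else {
      k = $2 ":" $4 " -> " $1 ":" $3; sp[k]++; sb[k] += $5
    }
    seen[k] = 1
    if ($6 != "") rt[k]++
    if ($7 != "") oo[k]++
  }
  END {
    for (k in seen) {
      v = "OK"
      if (cp[k] == 0 || sp[k] == 0)      v = "ONE-WAY"  # only one side reached the tap/span
      else if (cb[k] == 0 || sb[k] == 0) v = "NO-DATA"  # ACK-only in one direction: nothing to decode
      else if (rt[k] > 0 || oo[k] > 0)   v = "LOSSY"    # TLS records span segments; gaps break decode
      printf "%s pkts=%d/%d bytes=%d/%d retrans=%d ooo=%d %s\n",
             k, cp[k], sp[k], cb[k], sb[k], rt[k], oo[k], v
    }
  }' | sort
}

# flow_verdict CLIENT_IP:PORT: print only the verdict for one client from analyze_flows output
flow_verdict() {
  awk -v c="$1" '$1 == c { print $NF }'
}

# flow_report PCAP: run the whole check against a capture file
flow_report() {
  tls_flow_fields "$1" | analyze_flows
}

# sample_fields: constructed tshark-style output (not a real capture) covering a
# healthy connection, a lossy one, a one-way one and an ACK-only one.
sample_fields() {
  f='%s\t%s\t%s\t%s\t%s\t%s\t%s\n'
  printf "$f" 10.1.1.5 10.2.2.8 51000 443  200  '' ''
  printf "$f" 10.2.2.8 10.1.1.5 443  51000 1400 '' ''
  printf "$f" 10.1.1.6 10.2.2.8 51001 443  200  '' ''
  printf "$f" 10.1.1.6 10.2.2.8 51001 443  200  1  ''   # retransmitted segment
  printf "$f" 10.2.2.8 10.1.1.6 443  51001 1400 '' 1    # out-of-order segment
  printf "$f" 10.1.1.7 10.2.2.8 51002 443  300  '' ''   # server side never seen
  printf "$f" 10.1.1.8 10.2.2.8 51003 443  300  '' ''
  printf "$f" 10.2.2.8 10.1.1.8 443  51003 0    '' ''   # server only ACKs, sends no data
}

sample_fields | analyze_flows
```

On a real capture run `flow_report capture.pcap`; any connection marked ONE-WAY or NO-DATA is a span/tap or filtering problem, and LOSSY connections explain partial decodes, so fix those before looking at keys or cipher suites.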


Question #2: Are my private key and passphrase in order?
Often, APM admins are given private keys by their web server, firewall, and load balancer admins. They then have to trust that they received the right key, in the correct format, with the correct passphrase (including its exact upper, lower, or mixed case). This is not always so. To verify, compare the modulus of the certificate presented by the server with the modulus of the private key you were given; a wrong passphrase or an unsupported key format shows up at this step, because the key cannot even be read. See How do I verify that a private key matches a certificate? (OpenSSL).
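The modulus comparison, scripted so that a wrong key, a wrong passphrase and a wrong passphrase case are all caught. This is an added example rather than code from the original post or from CA: it assumes the openssl command-line tool is on PATH, and the file names and the passphrase "Secret123" are made up for the demonstration (the script generates its own key and self-signed certificate so it runs offline).

```shell
#!/bin/sh
# Added example (not from the original post): check that a private key matches
# the server certificate and that its passphrase is exactly right, by comparing
# RSA moduli. Assumes the openssl CLI is on PATH; file names and the passphrase
# "Secret123" are made up for the demonstration.

# cert_modulus CERT: print "Modulus=<hex>" for a PEM X.509 certificate
cert_modulus() {
  openssl x509 -noout -modulus -in "$1" 2>/dev/null
}

# key_modulus KEY [PASSPHRASE]: print "Modulus=<hex>" for a PEM RSA private key,
# decrypting it with the passphrase; prints nothing if the passphrase, the
# format or the key itself is wrong.
key_modulus() {
  openssl rsa -noout -modulus -in "$1" -passin "pass:${2:-}" 2>/dev/null
}

# key_matches_cert CERT KEY [PASSPHRASE]: exit 0 only when both moduli could be
# read and are identical. The empty-output case is checked explicitly so an
# unreadable key never "matches" an unreadable certificate. The "|| :" keeps a
# failing openssl from aborting callers that run under set -e.
key_matches_cert() {
  c=$(cert_modulus "$1" || :)
  k=$(key_modulus "$2" "${3:-}" || :)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# make_test_material DIR: a passphrase-protected key, a self-signed certificate
# issued from it, and an unrelated unencrypted key (the "handed the wrong key" case).
make_test_material() {
  mkdir -p "$1"
  openssl genrsa -aes256 -passout pass:Secret123 -out "$1/keyA.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$1/keyA.pem" -passin pass:Secret123 \
    -subj "/CN=example.test" -days 1 -out "$1/certA.pem" 2>/dev/null
  openssl genrsa -out "$1/keyB.pem" 2048 2>/dev/null
}

demo() {
  work=$(mktemp -d)
  make_test_material "$work"
  # candidate key file / passphrase pairs, as an admin might receive them
  for cand in keyA.pem:Secret123 keyA.pem:secret123 keyB.pem:; do
    file=${cand%%:*}; pass=${cand#*:}
    if key_matches_cert "$work/certA.pem" "$work/$file" "$pass"; then
      echo "MATCH     $file with passphrase '$pass'"
    else
      echo "MISMATCH  $file with passphrase '$pass'"
    fi
  done
  rm -rf "$work"
}

demo
```

With the real material, run `key_matches_cert server.crt server.key 'the passphrase'`; if it fails while `cert_modulus server.crt` prints a modulus, the key or passphrase is wrong, and that is worth settling with whoever supplied the key before a case is opened. For a quick visual comparison the usual trick of piping each modulus through `openssl md5` works just as well.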


Question #3: Am I using a supported TLS cipher suite or TLS extension/feature?
If you get an unsupported cipher suite message in the TIM log, compare the cipher suite number against a list such as https://www.thesprawl.org/research/tls-and-ssl-cipher-suites/ to learn which suite it is. Pay particular attention to the key exchange: a passive decoder holding only the server's private key can derive the session keys for static RSA key exchange, but not for DHE/ECDHE (forward secrecy) suites, which is where the master secret article below comes in.


Also see, for further details:
https://support.ca.com/us/knowledge-base-articles.tec1667615.html -- Supported TLS cipher suites
https://support.ca.com/us/knowledge-base-articles.TEC1926892.html -- Master secret
https://support.ca.com/us/knowledge-base-articles.TEC610516.html -- SSL session ticket
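An offline way to do the lookup from the two points above (identify the suite from its number, then decide whether the server key alone is enough or the master secret is needed) is to ask the local OpenSSL build. This is an added example, not code from the original post or from CA: it assumes the openssl CLI is on PATH, and it assumes the number is available as a 16-bit IANA value such as 0xC02F or decimal 49199; the exact format the TIM log prints is not stated on this page, so that is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): turn a cipher suite number from a
# log message into its name and key exchange, and say whether a passive decoder
# holding only the server's RSA private key can decrypt it. Assumes the openssl
# CLI is on PATH and that the id is a 16-bit value given as 0xC02F or 49199
# (how TIM formats the number is an assumption here).

# openssl_suites: every suite this OpenSSL build knows, one per line, e.g.
#   0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
# SECLEVEL=0 keeps weak suites visible; fall back for builds without security levels.
openssl_suites() {
  openssl ciphers -V 'ALL:COMPLEMENTOFALL:@SECLEVEL=0' 2>/dev/null ||
    openssl ciphers -V 'ALL:COMPLEMENTOFALL' 2>/dev/null
}

# suite_line ID: print the matching description line (whitespace collapsed), or nothing
suite_line() {
  n=$(( $1 ))                                          # accepts 0xC02F or 49199
  key=$(printf '0x%02X,0x%02X' $(( n / 256 )) $(( n % 256 )))
  openssl_suites | awk -v k="$key" '$1 == k { $1 = $1; print; exit }'
}

# suite_kx ID: the key-exchange part only (RSA, ECDH, DH, "any" for TLS 1.3, ...)
suite_kx() {
  suite_line "$1" | sed -n 's/.*Kx=\([^ ]*\).*/\1/p'
}

# rsa_key_decryptable ID: exit 0 only for static RSA key exchange, where the
# premaster secret is encrypted to the server's public key. DHE/ECDHE and
# TLS 1.3 derive it from ephemeral values, so the private key alone is useless
# and a passive decoder needs the master secret. Unknown ids count as not decryptable.
rsa_key_decryptable() {
  [ "$(suite_kx "$1")" = RSA ]
}

# constructed ids to try: static RSA, ECDHE, DHE, TLS 1.3, and one that does not exist
for id in 0x002F 0xC02F 0x0039 0x1301 0xFFFF; do
  line=$(suite_line "$id")
  if rsa_key_decryptable "$id"; then tag="decryptable with the server key"
  else tag="needs the master secret, or is unknown"; fi
  printf '%-6s %s\n       %s\n' "$id" "$tag" "${line:-(not known to this OpenSSL build)}"
done
```

Run `suite_line 0xC02F` with the number from the log; if `rsa_key_decryptable` fails for it, the private key question (#2) is moot for that session and the master secret article above is the relevant one. A suite that OpenSSL does not know at all is usually a typo in the number or a very old or very new suite, which is worth stating in the case.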


Question #4: Am I using TLS 1.1/1.2?
Your application may negotiate TLS 1.1 or 1.2. All current APM TIM releases support these versions, but the TIM setting DisableTLS11And12RecordsProcessing must be explicitly set to 0 (enable). When the setting is absent it is implicitly 1 (disable), so TLS 1.1/1.2 records are not processed even though the TIM is capable of handling them.


Next steps

Having gone through these four questions, you know that you are not hitting the common networking and SSL issues. At this point it is time to open a case, providing items such as an HTTP/HTTPS trace (pcap, Fiddler trace, or equivalent) and a TIM log with the SSL, HTTP Components/Parameters, and networking addresses trace settings enabled. Ideally the trace and the log should be captured over the same time window so that events can be correlated between them.


Please let me know some other common questions that you ask and future CEM topics that you want to see.