Setting up the ITCAM for Transactions Web Response Time Agent to monitor HTTPS Transactions

Objectives

When you complete this module, you should be able to perform these tasks:
• Create a keystore for use by the WRT agent
• Import a certificate into the keystore
• Configure the WRT agent to monitor HTTPS transactions

Export the Certificate from the Web Server

Steps to export the Certificate
• Start the ikeyman utility and choose the correct certificate
• Export the certificate to a .p12 file

NOTE: The certificate may already be available from the certificate authority, in which case skip this section on exporting the certificate.

Start ikeyman and choose the certificate

In this example, the web server is on 'iago.tivlab.austin.ibm.com'. Start the 'ikeyman' utility and open the keystore used by the web server. In this example, the IBM HTTP Server is configured to use the keystore '/usr/IBMHttpServer1/keytab/serverkey.kdb'.

Select the 'Personal Certificate' view and highlight the certificate used by the server to authenticate the application that we are interested in monitoring. Highlight the certificate, then click 'Export/Import'.

Export the certificate

Set the 'Key file type' to 'PKCS12', give the certificate a name, then click 'OK'.

Give the certificate a password, then click 'OK'.

Create a keystore for the WRT agent to use

Steps to create the WRT keystore
• Copy the certificate file to the WRT system
• Create a new keystore
• Import the certificate into the keystore
• Save the keystore

Copy the certificate

Copy the .p12 file to the system where the WRT agent is installed. For this example, the certificate is copied to:

    /opt/IBM/ITM/keyfiles/IHSServerCert.p12

Create the new keystore

On the WRT system, create a keystore that will be used by the WRT agent to decrypt SSL packets sent to/from the server 'iago.tivlab.austin.ibm.com', IP address 9.48.205.152.

Find the program 'gsk7ikm' that is distributed with the WRT agent:

    -->cd /opt/IBM/ITM/
    iago@/opt/IBM/ITM
    -->find . -name gsk7ikm
    ./aix523/gs/bin/gsk7ikm
    -->cd aix523/gs/bin
    iago@/opt/IBM/ITM/aix523/gs/bin

Now start 'gsk7ikm', and click the 'Create a new key database file' icon.

Set the 'Key database type' to 'CMS', and give the keystore a name and location. In this case the keystore will be named 'wrtkeys.kdb'. Click 'OK'.

Give the keystore a password, and select the 'Stash the password to a file' check box. Then click 'OK'.

Import the certificate

Import the .p12 web server certificate into the keystore.

Pick 'Personal Certificates' from the drop-down menu, then select 'Import'.

Enter the name and location of the .p12 certificate file, and click 'OK'.

Enter the password used to protect the certificate, then click 'OK'.

Specify a different label for the certificate if desired, then click 'OK'.

Click the 'Save' icon. The certificate is now saved in the keystore and can be examined. Select 'View/Edit...', and the values in the certificate are shown.

Configure WRT to use the new key database

Steps
• Configure the T5 agent
• Select the 'Monitor HTTPS' option
• Add 'Certificate to Server' mapping
• Restart the T5 agent

Configure the T5 agent

The keystore has been saved in the ITM directory <ITM_HOME>/keyfiles on the WRT agent system, so it is ready for use. Start the MTEMS, highlight the T5 agent, right-click and select 'Configure'.

Configure the agent to monitor HTTPS

Navigate to the 'HTTPS Monitoring' dialog and check 'Monitor HTTPS on a remote HTTP server'. Enter the path to the keystore.

Configure Certificate to Server mapping

Add the certificate to server mapping by clicking the 'Add' button.

Enter the label name in the 'Certificate Name' field.

In the 'Server IP Address' field, enter the address of the web server where the certificate was extracted. This is the destination IP address in the request to the web server.

Enter the port number that the web server listens on for HTTPS traffic. This is the destination port in the request to the web server.
Then click 'Add'.

The WRT agent will now use the certificate labeled 'ihsservercert' in the SSL handshake for any HTTPS requests bound for '9.48.205.152:1443'. Click 'OK'.

If the web server listens on more than one port, add a certificate mapping for each port.

Restart the T5 agent

Restart the T5 agent to read the configuration changes.

    > /opt/IBM/ITM/bin/itmcmd agent stop t5
    > /opt/IBM/ITM/bin/itmcmd agent start t5

NOTE: The Certificate to Server mapping is stored in <ITM_HOME>/tmaitm6/wrm/keystore/servermap.csv

    -->cat /opt/IBM/ITM/tmaitm6/wrm/keystore/servermap.csv
    9.48.205.152, 1443, ihsservercert

Make sure an appropriate profile is distributed to the T5 agent.

Generate some traffic on the web server being monitored by the T5 agent. In this case, access the URL 'https://iago.tivlab.austin.ibm.com:1443/readme.html'.

The TEP should now show the application.
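
The following shell script is an added example, not part of the original IBM material. It checks that the key files under <ITM_HOME>/keyfiles (which hold the web server's private key) are accessible only to their owner, and that every row of servermap.csv has the 'IP address, port, label' form shown above. The '.sth' stash-file extension, the IPv4-only row format and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not IBM code. Defaults are the paths used on this page.
KEYDIR="${KEYDIR:-/opt/IBM/ITM/keyfiles}"
SERVERMAP="${SERVERMAP:-/opt/IBM/ITM/tmaitm6/wrm/keystore/servermap.csv}"

# List key-material files that group or other users can access.
# The .p12 and .kdb hold the web server's private key, and the stash
# file (.sth, assumed GSKit naming) unlocks the .kdb without a prompt.
loose_key_files() {
    for f in "$1"/*.kdb "$1"/*.sth "$1"/*.p12; do
        [ -f "$f" ] || continue
        # Characters 5-10 of the ls mode string are the group/other bits.
        perms=$(ls -ln "$f" | awk '{ print substr($1, 5, 6) }')
        [ "$perms" = "------" ] || echo "$f"
    done
}

# Print rows of servermap.csv that are not "IPv4, port, label".
bad_servermap_rows() {
    awk -F, '
    function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    /^[ \t\r]*$/ { next }                      # ignore blank lines
    {
        ip = trim($1); port = trim($2); label = trim($3)
        ok = (NF == 3 && label != "")
        if (split(ip, octet, ".") != 4) ok = 0
        for (i = 1; i <= 4; i++)
            if (octet[i] !~ /^[0-9]+$/ || octet[i] + 0 > 255) ok = 0
        if (port !~ /^[0-9]+$/ || port + 0 < 1 || port + 0 > 65535) ok = 0
        if (!ok) print NR ": " $0
    }' "$1"
}

# Run the audit only when asked, e.g.: sh wrt_audit.sh audit
if [ "${1:-}" = "audit" ]; then
    loose=$(loose_key_files "$KEYDIR")
    bad=$(bad_servermap_rows "$SERVERMAP")
    [ -z "$loose" ] || printf 'Accessible to group/other:\n%s\n' "$loose"
    [ -z "$bad" ] || printf 'Malformed servermap rows:\n%s\n' "$bad"
    [ -z "$loose$bad" ]
    exit $?
fi
```

Run it as the user that owns the ITM installation; a non-zero exit status means at least one finding was printed.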