The information in this document is useful when you set up HTTPS communication between a RUM Engine server and an APM/BSM server. Detailed steps for generating and exchanging certificates are described in the RUM Hardening Guide. This document showcases the use of an external tool, KeyStore Explorer, to add trusted self-signed certificates to the RUM Engine as well as APM Gateway servers. KeyStore Explorer is an open source GUI replacement for the Java command-line utilities keytool and jarsigner. It presents their functionality, and more, via an intuitive graphical user interface, and can be used freely under the terms of the GNU General Public License version 3. Being a visual tool, KeyStore Explorer enables easy analysis and modification of TrustStores, thereby simplifying the overall hardening process.
By default, the RUM Engine connects to the APM Gateway server using HTTP connections (and vice versa). This connection can be hardened to use HTTPS. Enabling HTTPS between any client and a server involves the following tasks:
- Getting the server to work with HTTPS connections and, in the process, serve up its public certificate
- Getting the client to trust the certificate served by the server
For the first task, refer to the Hardening Guides for APM and RUM:
- APM 9.31 Hardening Guide (Chapter 4)
- Real User Monitor 9.31 Hardening Guide (Chapter 7)
The steps listed below explain how the second task (Getting the client to trust the certificate served by the server) can be easily accomplished.
Exporting APM/BSM Certificate
Open the supported browser and browse to the server with HTTPS as shown in the examples below.
https://<hostname>:443/topaz/ (Replace <hostname> with your server name – BSM/APM Server name)
https://<hostname>:8443/rumwebconsole/ (Replace <hostname> with your server name – Data collectors like RUM)
a. Click the Certificate section as shown in the screenshot below. A Certificate window appears.
b. Click the Details tab.
c. Click Copy to File.
d. Click Next.
e. Select Base 64 encoded x.509 (.CER).
f. Click Next.
g. Click Browse and enter a meaningful name (e.g., APM_cert) to save the file locally.
h. Click Next.
i. Click Finish to save the file. The export was successful message appears.
Importing the APM/BSM Certificate into the RUM Engine
Copy the saved/downloaded certificate (e.g., APM_cert) to the RUM Engine server.
Download KeyStore Explorer from the internet (the current version is 5.2.2) and install it on the RUM Engine server.
Open KeyStore Explorer which is installed in the RUM Engine server and click Open an existing KeyStore. If you are unable to open KeyStore Explorer by double-clicking, issue the following command in a command prompt under c:\Program Files (x86)\KeyStore Explorer 5.2.2:
java -jar kse.jar
When you click Open an existing KeyStore, you will be asked to browse to the location of the KeyStore. For RUM, it is in <RUM_HOME>\JRE\lib\security\cacerts.
Enter the KeyStore password. For the default KeyStore password, search the APM 9.31 Hardening Guide for the default value of “storepass”.
a. When the KeyStore for the cacerts opens, drag and drop the APM_cert to the KeyStore window and click Import.
b. Keep the Enter Alias field intact and click OK.
a. Click OK in the Import screen and make sure that the certificate is imported in the KeyStore.
b. Click Save.
Close the KeyStore Explorer window and restart the RUM Engine services.
a. In RUM, click Configuration > APM Configuration Settings. The Application Performance Management Connection Settings page appears.
b. Click Test RTSM password. A pop-up message appears that confirms a successful HTTPS connection between APM/BSM and the RUM Engine.
Exporting the RUM Certificate
To complete the HTTPS settings, you need to export the certificate from the RUM Engine server and import it to APM/BSM server.
Download the RUM Engine certificate as described in Step 1 and Step 2. Browse to the RUM Engine server URL using HTTPS.
https://<hostname>:8443/rumwebconsole (Replace <hostname> with the RUM Engine server name)
Importing the RUM Engine Certificate to APM/BSM:
Install KeyStore Explorer on the APM/BSM server. In KeyStore Explorer, open cacerts, which is located in the <APM HOME>/JRE/lib/security folder, and drag and drop the RUM certificate as described in Step 8 and Step 9.
You also need to add the RUM certificate to the cacerts file located in the <APM HOME>/JRE64/lib/security folder. (The cacerts files under both JRE and JRE64 should be updated with the RUM certificate.)
Restart the APM/BSM services in the Gateway server. The two way communication for the RUM Engine to APM/BSM is in place.
a. Step 11 validates a successful HTTPS connection from the RUM Engine to the BSM/APM server.
b. To validate the connection from BSM/APM to the RUM Engine, on BSM/APM, try to open the RUM Session Analyzer report, which is located under Applications > End User Management. The report is displayed if you have populated data. Otherwise you will see a No data message. Either of these outputs indicates that there is successful HTTPS communication between the servers.
c. If there are problems with the connection, you will see an error as shown below.
d. You can refer to the ‘config.manager’ log file under C:\HPRUM\log for RUM and the 'gdeGatewayClient' log file under C:\HPBSM\log for BSM/APM to validate that both servers work seamlessly over HTTPS.
If you have internal restrictions around installing KeyStore Explorer on the RUM Engine or APM/BSM servers, you can install it on any other server. In that case, you need to download the cacerts file from the RUM and BSM/APM servers, import the relevant certificates, and replace the updated cacerts file in the corresponding file location on each server.
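The import can also be scripted with keytool, the command-line utility that KeyStore Explorer replaces. The PowerShell below is an added example, not part of the original article or the product guides: it checks the exported file's SHA-256 fingerprint against a value obtained from the RUM administrator, backs up each cacerts file, and imports the RUM certificate into both the JRE and JRE64 truststores on the APM/BSM server. The install root C:\HPBSM, the keytool location under each runtime's bin folder, the file name, the alias and the reference fingerprint are assumptions or placeholders.

```powershell
# Added example. Assumed values: install root, file name, alias, reference fingerprint.
$ApmHome  = 'C:\HPBSM'                 # assumed <APM HOME>
$CertFile = 'C:\Temp\RUM_cert.cer'     # Base-64 X.509 file exported from the browser
$Alias    = 'rum-engine'               # hypothetical alias for the new truststore entry
# Placeholder: SHA-256 fingerprint (AA:BB:... form) read on the RUM Engine server itself.
$Expected = 'REPLACE-WITH-FINGERPRINT-FROM-RUM-SERVER'

# 1. Fingerprint the exported file and refuse to import anything unexpected.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = [BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ':'
if ($actual -ne $Expected) {
    throw "Fingerprint mismatch: file has $actual. Nothing was imported."
}

# 2. Ask for the store password at run time instead of hard-coding it in the script.
$StorePass = Read-Host 'cacerts password (storepass)'
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'

# 3. Back up and update the truststore of both runtimes (JRE and JRE64).
foreach ($jre in 'JRE', 'JRE64') {
    $keytool = Join-Path $ApmHome "$jre\bin\keytool.exe"      # assumed standard JRE layout
    $store   = Join-Path $ApmHome "$jre\lib\security\cacerts"
    Copy-Item $store "$store.bak-$stamp"

    & $keytool -importcert -noprompt -alias $Alias -file $CertFile -keystore $store -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "Import into $store failed." }

    # 4. Confirm the entry is present before restarting the services.
    & $keytool -list -alias $Alias -keystore $store -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "Alias $Alias not found in $store." }
}
```

If the services fail to start after the change, restore the timestamped backup copy of cacerts. The same script applies on the RUM Engine side with <RUM_HOME>\JRE and the APM certificate.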