Data Center Real User Monitoring




Data Center Real User Monitoring Migration from CryptoSwift Migration Guide Release 12.0.2

Please direct questions about Data Center Real User Monitoring or comments on this document to:

APM Customer Support
FrontLine Support Login Page: http://go.compuware.com

Copyright 2012 Compuware Corporation. All rights reserved. Unpublished rights reserved under the Copyright Laws of the United States.

U.S. GOVERNMENT RIGHTS-Use, duplication, or disclosure by the U.S. Government is subject to restrictions as set forth in Compuware Corporation license agreement and as provided in DFARS 227.7202-1(a) and 227.7202-3(a) (1995), DFARS 252.227-7013(c)(1)(ii) (OCT 1988), FAR 12.212(a) (1995), FAR 52.227-19, or FAR 52.227-14 (ALT III), as applicable. Compuware Corporation.

This product contains confidential information and trade secrets of Compuware Corporation. Disclosure is prohibited without the prior express written permission of Compuware Corporation. Use of this product is subject to the terms and conditions of the user's License Agreement with Compuware Corporation.

Documentation may only be reproduced by Licensee for internal use. The content of this document may not be altered, modified or changed without the express written consent of Compuware Corporation. Compuware Corporation may change the content specified herein at any time, with or without notice. All current Compuware Corporation product documentation can be found at http://go.compuware.com.

Compuware, FrontLine, Network Monitoring, Private Enterprise, Server Monitoring, Transaction Trace Analysis, Compuware APM, Vantage for Java and .NET Monitoring, VantageView, Compuware APM, Real-User Monitoring First Mile, Gomez Performance Network, Data Center Real User Monitoring, dynatrace, and PurePath are trademarks or registered trademarks of Compuware Corporation.

Cisco is a trademark or registered trademark of Cisco Systems, Inc.

Adobe Reader is a registered trademark of Adobe Systems Incorporated in the United States and/or other countries.

All other company and product names are trademarks or registered trademarks of their respective owners.

Build: January 3, 2013, 23:52

Contents

Introduction
    Who Should Read This Guide
    Related Publications
    Organization of This Guide
    Accessing Customer Support
    Reporting a Problem
    Documentation Conventions
Chapter 1 Migration Overview
Chapter 2 Migration from Cryptoswift
    Migration from Cryptoswift to Cavium NITROX XL FIPS (RoHS)
    Migration from Cryptoswift to ncipher nfast or nshield (RoHS)
    Migration from Cryptoswift to Sun Crypto Accelerator 6000 Board (RoHS)
    Migration from Cryptoswift to OpenSSL
Chapter 3 Cryptoswift Migration Back-Out Procedure
Appendix A SSL Accelerator Support Matrix

INTRODUCTION

Who Should Read This Guide

This book is intended for administrators of Data Center Real User Monitoring who want to migrate away from Cswift.

Related Publications

Documentation for your product is distributed on the product media. For DCRUM, it is located in the \Documentation directory. It can also be accessed from the Media Browser.

You can also access online documentation for Compuware products via our FrontLine support site at http://go.compuware.com. FrontLine provides fast access to information about your Compuware products. You can download documentation and FAQs as well as browse, ask questions and get answers on user forums (requires subscription). The first time you access FrontLine, you are required to register and obtain a password. Registration is free.

PDF files can be viewed with Adobe Reader, version 7 or later. If you do not have the Reader application installed, you can download the setup file from the Adobe Web site at http://www.adobe.com/downloads/.

Organization of This Guide

This guide is organized as follows:

- Migration Overview contains an overview of the migration process.
- Migration from Cryptoswift lists the migration procedures for each specific replacement accelerator.
- Cryptoswift Migration Back-Out Procedure contains the procedure for reinstalling Cryptoswift and restoring its configuration.

Accessing Customer Support

Corporate Web Site
To access Compuware's site on the Web, go to http://www.compuware.com. The Compuware site provides a variety of product and support information.

FrontLine Support Web Site
You can access online customer support for Compuware products via our FrontLine support site at http://go.compuware.com. FrontLine provides fast access to critical information about your Compuware products. You can read or download documentation, frequently asked questions, and product fixes, or e-mail your questions or comments. The first time you access FrontLine, you are required to register and obtain a password. Registration is free.

Contact Us
The contact information for all local Compuware offices is provided on the http://go.compuware.com Web site. All high-priority issues should be reported by phone.

Reporting a Problem

When contacting APM Customer Support, please provide as much information as possible about your environment and the circumstances that led to the difficulty. You should be ready to provide:

- Client number. This number is assigned to you by Compuware and is recorded on your sales contract.
- The version number of the AMD, report servers, and RUM Console with RUM Console Server.
    - Report Server: Use the report server GUI by selecting Help > Product Information > About, or Tools > Diagnostics > System Status.
    - AMD: Scroll down to the Testing AMD section. At the bottom of the diagnostic data paragraph, look for Version ND-RTM v. ndw.ww.x.y.zz.
    - RUM Console and RUM Console Server: Use the RUM Console GUI by selecting the Help > About menu item.
    - TCAM: Use the TCAM GUI by selecting the Help > About menu item.
- Environment information, such as the operating system and release (including service pack level) on which the product (AMD, report server) is installed, memory, hardware/network specifications, and the names and releases of other applications that were running.
- Problem description, including screen captures.
- Exact error messages, if any (screen captures recommended).
- Whether or not the problem is reproducible. If it is, include a sequence of steps for problem recreation. If it is not, include a description of the actions taken before the problem occurred.
- A description of the actions that may have been taken to recover from the problem, and their results.
- Information from the TCAM System Event log of the machine where the TCAM is operating.
- TCAM logs, which by default are stored in C:\ProgramData\Compuware\VTCAM for Windows Server 2008 and C:\Documents and Settings\All Users\Compuware\VTCAM for Windows Server 2003.

NOTE
Please compress all the files before sending them to Customer Support.

Compuware values your comments and suggestions about the Compuware APM products and documentation. Your feedback is very important to us. If you have questions or suggestions for improvement, please let us know.

Documentation Conventions

The following font conventions are used throughout documentation:

| This font | Indicates |
| Bold | Terms, commands, and references to names of screen controls and user interface elements. |
| Citation | Emphasized text, inline citations, titles of external books or articles. |
| Documentation Conventions | Links to Internet resources and linked references to titles in Compuware documentation. |
| Fixed width | Cited contents of text files, inline examples of code, command line inputs or system outputs. Also file and path names. |
| Fixed width bold | User input in console commands. |
| Fixed width italic | Place holders for values of strings, for example as in the command: cd directory_name |
| Menu Item | Menu items. |
| Screen | Text screen shots. |
| Code block | Blocks of code or fragments of text files. |

CHAPTER 1 Migration Overview

SafeNet, the manufacturer and vendor of Cryptoswift SSL accelerator, has announced the end of life for this product. Therefore, Compuware customers who use this card and who want to use SSL hardware acceleration and get support for AMD release 11.5 or higher should migrate to a replacement SSL accelerator.

1. Backing up the existing AMD configuration.
   This preparatory step is required for a back-out procedure. For more information, see Backing Up AMD Configuration in the Data Center Real User Monitoring Administration Guide.
2. Obtaining current RSA keys and converting them to PEM format.
   Cryptoswift cards do not allow exporting previously imported private RSA keys to a file. Therefore, Web server administrators must retrieve private RSA keys from Web servers. For more information, see Extracting Web Server Private SSL Keys in the Data Center Real User Monitoring SSL Monitoring Administration Guide.
3. Choosing an appropriate replacement SSL accelerator.
   a. Verify which SSL accelerator will work with your hardware. Compuware supports several SSL accelerators from various vendors. Refer to Tested Cards in the Data Center Real User Monitoring Hardware Recommendations for a hardware compatibility matrix.
   b. Verify which SSL accelerator will work with the software release currently installed on your AMD. For more information, see SSL Accelerator Support Matrix.
4. Installing the new accelerator and software support on the AMD.
   Depending on your choice, obtain an appropriate software upgrade package and apply the migration procedure accordingly. Upgrade packages with support for your new SSL accelerator are published on FrontLine.

What to Do Next

If a newly installed SSL accelerator does not work properly or does not meet your expectations, you can use the backup from Step 1 to restore the configuration that worked with your Cryptoswift card. For more information, see Cryptoswift Migration Back-Out Procedure.

CHAPTER 2 Migration from Cryptoswift

Migration procedures vary depending upon replacement choice. Follow the migration procedure that applies to your new SSL accelerator.

- Cavium NITROX XL FIPS (RoHS): see Migration from Cryptoswift to Cavium NITROX XL FIPS (RoHS).
- ncipher nfast or nshield (RoHS): see Migration from Cryptoswift to ncipher nfast or nshield (RoHS).
- Sun Crypto Accelerator 6000 Board (RoHS): see Migration from Cryptoswift to Sun Crypto Accelerator 6000 Board (RoHS).
- OpenSSL: see Migration from Cryptoswift to OpenSSL.

Migration from Cryptoswift to Cavium NITROX XL FIPS (RoHS)

To perform migration from Cryptoswift to Cavium NITROX XL FIPS (RoHS), you must replace the card, install the software, and perform some configuration.

1. Power off the AMD.
2. Replace the legacy Cryptoswift accelerator with your new replacement card.
3. Power on the AMD and wait until it boots up and starts the monitoring software.
4. Log in as root.
5. Stop the monitoring software with the ndstop command.
6. Install a software package with support for NITROX cards.
   For example, at the command prompt execute the following commands:

       chmod 755 upgrade-amd_nitroxfips-amdos5-i386-ndw-10-xx-yyy-b001.bin
       ./upgrade-amd_nitroxfips-amdos5-i386-ndw-10-xx-yyy-b001.bin

   where xx stands for the major release number, yyy for minor release number, and 001 stands for the build number. If you still use Compuware OS version 3.6, replace the phrase amdos5 with amdos3.6.

7. Configure the SSL accelerator and upload private RSA keys to the card.
   For more information, see Installing and Configuring NITROX XL FIPS Acceleration Board in the Data Center Real User Monitoring SSL Monitoring Administration Guide. Remember to list all of the keys stored in the card and to record the IDs (hexadecimal codes) of the keys.
8. Update the /usr/adlex/config/keys/keylist file.
   The file should contain the list of all uploaded private RSA keys in the following form:

       token, 0x7, private key for MyServer1
       token, 0x8, private key for MyServer2

9. Update the /usr/adlex/config/config/rtm.config file.
   Replace the ssl.engine=cswift line with ssl.engine=nitroxfips.
10. Start the monitoring processes by executing the ndstart command.
11. Verify that reconfiguration was successful and SSL decryption is working properly.
    a. From the rcon console, run the SHOW SSLDECR STATUS command.
    b. Verify that the engine listed as being used is the same as the setting you have entered in rtm.config.
    c. Verify that the keys were successfully loaded.
    d. Verify that SSL decryption is progressing successfully.

Example 1. Verifying the status of SSL decryption

    # rcon
    >$ SHOW SSLDECR STATUS
    SSL DECRYPTION STATUS:
    CONFIGURATION:
    Engine:<engine_name> status:ok
    Keys: recognized=3 not recognized=0
    SESSIONS:
    ...
    Finished sessions decrypted with no errors=524 (7% of all finished sessions)
    Sessions in progress decrypting with no errors=2774 (9% of all sessions in progress)
    Finished sessions decrypted partially=187
    ...

Migration from Cryptoswift to ncipher nfast or nshield (RoHS)

To perform migration from Cryptoswift to ncipher nfast or nshield (RoHS), you must replace the card, install the software, and perform some configuration.

1. Power off the AMD.
2. Replace the legacy Cryptoswift accelerator with your new replacement card.
3. Power on the AMD and wait until it boots up and starts the monitoring software.
4. Log in as root.
5. Stop the monitoring software with the ndstop command.
6. Install a software package with support for ncipher cards.

   For example, at the command prompt execute the following commands:

       chmod 755 upgrade-amd_ncipher-amdos5-i386-ndw-10-xx-yyy-b001.bin
       ./upgrade-amd_ncipher-amdos5-i386-ndw-10-xx-yyy-b001.bin

   where xx stands for major release number, yyy for minor release number, and 001 stands for the build number. If you still use Compuware OS version 3.6, replace the phrase amdos5 with amdos3.6.
7. Configure the SSL accelerator and upload private RSA keys to the card.
   For more information, see Installing and Configuring an ncipher SSL Card on a 32-bit AMD in the Data Center Real User Monitoring SSL Monitoring Administration Guide.
8. Update the /usr/adlex/config/keys/keylist file.
   Use a text editor to edit the list file as a plain text file. The file should be located in the directory specified in the server.key.dir configuration property and named as specified in the server.key.list configuration property.

   Each line should describe a single key and be composed of the following fields. Note that the square brackets ( [ ] ) imply that the given item is optional, and the brackets themselves should not be included in the actual entry.

       key_type, [app_name:]key_identifier[, comment]

   where:

   key_type
       specifies whether the private key is contained in a PEM-encoded file or in a hardware accelerator token:
       - file
       - token
       key_type value file means that the private key is stored in a PEM-encoded file (possibly encrypted).
       key_type value token means that the private key is stored in a hardware accelerator.

   app_name
       is the application name within the ncipher context.

       NOTE
       Specify this field only for ncipher cards, and only in the case of files stored on the accelerator card. For other accelerator cards, or for files stored in PEM-encoded files, leave this field empty and do not include the colon in the syntax.

   key_identifier
       identifies the key:
       - For keys stored in files, it is the name of the PEM-encoded file that contains an RSA private key.
       - For keys stored on the accelerator card, it is the key identifier as given by the utilities that list keys.

   comment
       The comment part in square brackets [ ] is an optional comment describing the entry in the line.

   Example 2. For nshield

       token, simple:key_ident1, private key for MyServer1
       token, simple:key_ident2, private key for MyServer2

   Example 3. For nfast

       file, privatekey1.pem, private key for MyServer1
       file, privatekey2.pem, private key for MyServer2

9. Update the /usr/adlex/config/config/rtm.config file.
   Replace the ssl.engine=cswift line with the following:
   - For nfast: ssl.engine=nfast
   - For nshield: ssl.engine=nshield
10. Start the monitoring processes by executing the ndstart command.
11. Verify that reconfiguration was successful and SSL decryption is working properly.
    a. From the rcon console, run the SHOW SSLDECR STATUS command.
    b. Verify that the engine listed as being used is the same as the setting you have entered in rtm.config.
    c. Verify that the keys were successfully loaded.
    d. Verify that SSL decryption is progressing successfully.

Example 4. Verifying the status of SSL decryption

    # rcon
    >$ SHOW SSLDECR STATUS
    SSL DECRYPTION STATUS:
    CONFIGURATION:
    Engine:<engine_name> status:ok
    Keys: recognized=3 not recognized=0
    SESSIONS:
    ...
    Finished sessions decrypted with no errors=524 (7% of all finished sessions)
    Sessions in progress decrypting with no errors=2774 (9% of all sessions in progress)
    Finished sessions decrypted partially=187
    ...

Migration from Cryptoswift to Sun Crypto Accelerator 6000 Board (RoHS)

To perform migration from Cryptoswift to Sun Crypto Accelerator 6000 Board (RoHS), you must replace the card, install the software, and perform some configuration.

Before You Begin

To migrate to Sun Cryptoswift 6000 card, you must have Red Hat Enterprise Linux 5 installed on your AMD; the card does not work with Compuware OS 3.6. For more information, see Installing AMD Operating System in the Data Center Real User Monitoring Agentless Monitoring Device Installation Guide. You can also refer to a technical notice posted on FrontLine.

1. Power off the AMD.
2. Replace the legacy Cryptoswift accelerator with your new replacement card.

3. Power on the AMD and wait until it boots up and starts the monitoring software.
4. Log in as root.
5. Stop the monitoring software with the ndstop command.
6. Install a software package with support for Crypto Accelerator 6000.
   For example, at the command prompt execute the following commands:

       chmod 755 upgrade-amd_sca-amdos5-i386-ndw-10-xx-yyy-b001.bin
       ./upgrade-amd_sca-amdos5-i386-ndw-10-xx-yyy-b001.bin

7. Configure the SSL accelerator and upload private RSA keys to the card.
   For more information, see Installing and Configuring Sun Crypto Accelerator 6000 PCIe Card in the Data Center Real User Monitoring SSL Monitoring Administration Guide.
8. Update the /usr/adlex/config/keys/keylist file.
   The file should contain the list of all uploaded private RSA keys in the following form:

       token,0x1,private key for MyServer1
       token,0x2,private key for MyServer2

9. Update the /usr/adlex/config/config/rtm.config file.
   Replace the ssl.engine=cswift line with ssl.engine=sca6000.
10. Start the monitoring processes by executing the ndstart command.
11. Verify that reconfiguration was successful and SSL decryption is working properly.
    a. From the rcon console, run the SHOW SSLDECR STATUS command.
    b. Verify that the engine listed as being used is the same as the setting you have entered in rtm.config.
    c. Verify that the keys were successfully loaded.
    d. Verify that SSL decryption is progressing successfully.

Example 5. Verifying the status of SSL decryption

    # rcon
    >$ SHOW SSLDECR STATUS
    SSL DECRYPTION STATUS:
    CONFIGURATION:
    Engine:<engine_name> status:ok
    Keys: recognized=3 not recognized=0
    SESSIONS:
    ...
    Finished sessions decrypted with no errors=524 (7% of all finished sessions)
    Sessions in progress decrypting with no errors=2774 (9% of all sessions in progress)
    Finished sessions decrypted partially=187
    ...
Migration from Cryptoswift to OpenSSL

To perform migration from Cryptoswift to OpenSSL, you must install the software and perform some configuration.

OpenSSL is software-based support for SSL traffic. Note that the performance of OpenSSL is significantly lower than that of any hardware-based accelerator.

1. Power on the AMD and wait until it boots up and starts the monitoring software.
2. Log in as root.

3. Upload RSA private keys (PEM encoded) to the /usr/adlex/config/keys directory.
4. Stop the monitoring software with the ndstop command.
5. Update the /usr/adlex/config/keys/keylist file.
   Use a text editor to edit the list file as a plain text file. The file should be located in the directory specified in the server.key.dir configuration property and named as specified in the server.key.list configuration property.

   Each line should describe a single key and be composed of the following fields. Note that the square brackets ( [ ] ) imply that the given item is optional, and the brackets themselves should not be included in the actual entry.

       key_type, [app_name:]key_identifier[, comment]

   where, for OpenSSL:

   key_type
       should be specified as file, signifying that the private key is contained in a PEM-encoded file.

   app_name
       is not entered for OpenSSL, so leave this field empty and do not include the colon in the syntax.

   key_identifier
       identifies the key: for keys stored in files, it is the name of the PEM-encoded file that contains an RSA private key.

   comment
       The comment part is optional.

   Example 6. Example entries in the list file

       file, privatekey1.pem, private key for MyServer1
       file, privatekey2.pem, private key for MyServer2

6. Update the /usr/adlex/config/config/rtm.config file.
   Replace the ssl.engine=cswift line with ssl.engine=openssl.
7. Start the monitoring processes by executing the ndstart command.
8. Verify that reconfiguration was successful and SSL decryption is working properly.
   a. From the rcon console, run the SHOW SSLDECR STATUS command.
   b. Verify that the engine listed as being used is the same as the setting you have entered in rtm.config.
   c. Verify that the keys were successfully loaded.
   d. Verify that SSL decryption is progressing successfully.

Example 7. Verifying the status of SSL decryption

    # rcon
    >$ SHOW SSLDECR STATUS
    SSL DECRYPTION STATUS:
    CONFIGURATION:
    Engine:<engine_name> status:ok
    Keys: recognized=3 not recognized=0
    SESSIONS:
    ...
    Finished sessions decrypted with no errors=524 (7% of all finished sessions)
    Sessions in progress decrypting with no errors=2774 (9% of all sessions in progress)
    Finished sessions decrypted partially=187
    ...
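The keylist syntax described in the ncipher and OpenSSL procedures above can be checked before running ndstart. The following is an added example, not part of the original guide or of the DCRUM software: it parses each keylist line, cross-checks it against the ssl.engine value in rtm.config, and reports PEM key files that are missing, accessible to other accounts, or not password protected. The function names, the finding texts and the permission check are assumptions of this example; the engine names and file paths are the ones the guide uses.

```python
"""Added example: cross-check a keylist file against ssl.engine in rtm.config."""
import os
import re
import stat

# Per the guide: nfast and openssl keep keys in PEM files on the AMD's disk, and the
# "app_name:" prefix is only for ncipher keys stored on the card (nshield).
FILE_ONLY_ENGINES = {"nfast", "openssl"}
APP_NAME_ENGINES = {"nshield"}

# Constructed sample input (not taken from a real AMD).
SAMPLE_RTM_CONFIG = "ssl.engine=openssl\n"
SAMPLE_KEYLIST = (
    "file, privatekey1.pem, private key for MyServer1\n"
    "token, 0x7, private key for MyServer2\n"
)


def read_ssl_engine(rtm_config_text):
    """Return the value of the ssl.engine line, or None if it is absent."""
    m = re.search(r"^\s*ssl\.engine\s*=\s*(\S+)\s*$", rtm_config_text, re.M)
    return m.group(1) if m else None


def parse_keylist_line(line):
    """Parse 'key_type, [app_name:]key_identifier[, comment]' into a dict."""
    parts = [p.strip() for p in line.split(",", 2)]
    if len(parts) < 2 or not parts[1]:
        raise ValueError("expected 'key_type, key_identifier'")
    if parts[0] not in ("file", "token"):
        raise ValueError("key_type must be 'file' or 'token', got %r" % parts[0])
    app_name, key_id = parts[1].split(":", 1) if ":" in parts[1] else (None, parts[1])
    return {"key_type": parts[0], "app_name": app_name, "key_id": key_id,
            "comment": parts[2] if len(parts) == 3 else ""}


def check_pem_file(path):
    """Return warnings for one PEM private-key file kept on local disk."""
    if not os.path.isfile(path):
        return ["missing key file %s" % path]
    warnings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        warnings.append("%s is accessible to group/other (mode %03o)" % (path, mode))
    with open(path, "r", errors="replace") as fh:
        head = fh.read(4096)
    if "PRIVATE KEY-----" not in head:
        warnings.append("%s does not look like a PEM private key" % path)
    elif ("Proc-Type: 4,ENCRYPTED" not in head
          and "BEGIN ENCRYPTED PRIVATE KEY" not in head):
        warnings.append("%s is not password protected" % path)
    return warnings


def validate(keylist_text, rtm_config_text, key_dir):
    """Return a list of 'error: ...' / 'warn: ...' findings (empty means clean)."""
    engine = read_ssl_engine(rtm_config_text)
    findings = [] if engine else ["error: rtm.config has no ssl.engine line"]
    for n, raw in enumerate(keylist_text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            entry = parse_keylist_line(raw)
        except ValueError as exc:
            findings.append("error: keylist line %d: %s" % (n, exc))
            continue
        on_card = entry["key_type"] == "token"
        if on_card and engine in FILE_ONLY_ENGINES:
            findings.append("error: keylist line %d: ssl.engine=%s reads keys from "
                            "PEM files, so key_type must be 'file'" % (n, engine))
        if entry["app_name"] is not None and not (on_card and engine in APP_NAME_ENGINES):
            findings.append("error: keylist line %d: 'app_name:' is only for ncipher "
                            "keys stored on the card" % n)
        if not on_card:
            path = os.path.join(key_dir, entry["key_id"])
            findings += ["warn: keylist line %d: %s" % (n, w) for w in check_pem_file(path)]
    return findings


if __name__ == "__main__":
    # key_dir is the directory the guide uses for PEM keys; point it at a copy if needed.
    for finding in validate(SAMPLE_KEYLIST, SAMPLE_RTM_CONFIG, "/usr/adlex/config/keys"):
        print(finding)
```
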

CHAPTER 3 Cryptoswift Migration Back-Out Procedure

If a newly installed SSL accelerator does not work properly or does not meet your expectations, you can reinstall Cryptoswift and restore its configuration.

Before You Begin

It is assumed that you backed up the configuration of the AMD before you conducted the migration procedure. For more information, see Backing Up AMD Configuration in the Data Center Real User Monitoring Administration Guide.

1. Stop the monitoring processes on the AMD.
   Log in as root and execute the ndstop command.
2. Uninstall the previously installed module for the non-Cryptoswift accelerator card.
   - For an ncipher card, execute the rpm -e ncipher command.
   - For a Cavium card, execute the rpm -e nitrox_fips command.
   - For a Sun Crypto card, execute the following three commands: rpm -e sun-sca6000*, rpm -e sun-nss and rpm -e sun-nspr.
3. Power off the AMD.
4. Replace the newly installed accelerator card with your old Cryptoswift card.
5. Power on the AMD.
6. Stop the monitoring processes.
   Log in as root and execute the ndstop command.
7. Restore the /usr/adlex/config/keylist file from your previously made backup.
8. Edit the /usr/adlex/config/rtm.config file.
   Replace the ssl.engine=new_accelerator line with ssl.engine=cswift
9. Run the cs-install utility program and log in to the Cryptoswift card.
10. Start the monitoring processes by executing the ndstart command.
11. Verify that reconfiguration was successful and SSL decryption is working properly.
    a. From the rcon console, run the SHOW SSLDECR STATUS command.
    b. Verify that the engine listed as being used is the same as the setting you have entered in rtm.config.
    c. Verify that the keys were successfully loaded.
    d. Verify that SSL decryption is progressing successfully.

Example 8. Verifying the status of SSL decryption

    # rcon
    >$ SHOW SSLDECR STATUS
    SSL DECRYPTION STATUS:
    CONFIGURATION:
    Engine:<engine_name> status:ok
    Keys: recognized=3 not recognized=0
    SESSIONS:
    ...
    Finished sessions decrypted with no errors=524 (7% of all finished sessions)
    Sessions in progress decrypting with no errors=2774 (9% of all sessions in progress)
    Finished sessions decrypted partially=187
    ...
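The verification sub-steps b to d that close each procedure can be applied mechanically to SHOW SSLDECR STATUS output saved to a text file. The following is an added example, not part of the original guide or of the DCRUM software: it parses the fields shown in the guide's status example and compares them with the ssl.engine setting and the number of keylist entries. The function names, the treatment of any engine status other than ok as a problem, and the sample engine name are assumptions of this example.

```python
"""Added example: check captured SHOW SSLDECR STATUS output against rtm.config."""
import re

# Constructed sample: the guide's example output with line breaks restored and
# <engine_name> filled in with nshield for illustration.
SAMPLE_STATUS = """\
SSL DECRYPTION STATUS:
CONFIGURATION:
Engine:nshield status:ok
Keys: recognized=3 not recognized=0
SESSIONS:
Finished sessions decrypted with no errors=524 (7% of all finished sessions)
Sessions in progress decrypting with no errors=2774 (9% of all sessions in progress)
Finished sessions decrypted partially=187
"""

# Session counters start with one of these two phrases in the guide's example.
_COUNTER = re.compile(
    r"((?:Finished sessions|Sessions in progress)[^=\n]*?)\s*=\s*(\d+)")


def parse_ssldecr_status(text):
    """Extract engine, engine status, key counts and session counters."""
    engine = re.search(r"Engine:\s*(\S+)\s+status:\s*(\S+)", text)
    keys = re.search(r"Keys:\s*recognized=(\d+)\s+not recognized=(\d+)", text)
    if not engine or not keys:
        raise ValueError("not a SHOW SSLDECR STATUS report")
    return {
        "engine": engine.group(1),
        "engine_status": engine.group(2),
        "keys_recognized": int(keys.group(1)),
        "keys_not_recognized": int(keys.group(2)),
        "sessions": {name: int(count) for name, count in _COUNTER.findall(text)},
    }


def check_status(status_text, rtm_config_text, expected_keys):
    """Apply verification sub-steps b-d; return a list of problems (empty = pass).

    expected_keys is the number of entries in the keylist file.
    """
    status = parse_ssldecr_status(status_text)
    m = re.search(r"^\s*ssl\.engine\s*=\s*(\S+)\s*$", rtm_config_text, re.M)
    configured = m.group(1) if m else None
    problems = []
    # b. the engine in use must be the one set in rtm.config
    if status["engine"] != configured:
        problems.append("engine in use is %s but rtm.config sets %s"
                        % (status["engine"], configured))
    if status["engine_status"] != "ok":
        problems.append("engine status is %s" % status["engine_status"])
    # c. every key listed in the keylist must have been recognized
    if status["keys_not_recognized"] or status["keys_recognized"] != expected_keys:
        problems.append("keys: %d recognized, %d not recognized, %d expected"
                        % (status["keys_recognized"],
                           status["keys_not_recognized"], expected_keys))
    # d. at least some sessions must be decrypting without errors
    clean = sum(count for name, count in status["sessions"].items()
                if name.endswith("with no errors"))
    if clean == 0:
        problems.append("no sessions are being decrypted without errors")
    return problems


if __name__ == "__main__":
    for problem in check_status(SAMPLE_STATUS, "ssl.engine=nshield\n", 3) or ["all checks passed"]:
        print(problem)
```
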

APPENDIX A SSL Accelerator Support Matrix

Not every SSL accelerator type is supported by all DCRUM releases. Use the following matrix to determine which SSL accelerator type is supported by your DCRUM installation.

Table 1. SSL accelerators supported by each DCRUM release

| SSL accelerator type | DCRUM release support | Notes |
| Cavium NITROX XL FIPS | 10.0 SP1 or higher | 32-bit AMD only |
| ncipher nshield 2000 F2 | 10.2 or higher | 32-bit and 64-bit AMD |
| ncipher nshield 6000e F3 | 11.0 or higher | 32-bit and 64-bit AMD |
| ncipher nfast | 10.2 or higher | 32-bit AMD only. The ncipher nfast card has no RSA private key storage capabilities. This means it only accelerates SSL decoding, but the Web server private keys must be stored in files on a local disk on the AMD. |
| OpenSSL (software only) | 10.0 or higher | 32-bit and 64-bit AMD. The OpenSSL decryption engine is available out of the box on any AMD. The disadvantage of using the openssl engine is that the private keys must be stored in files on a local disk on the AMD, though the keys can be password protected. |
| Sun Crypto Accelerator 6000 | 10.3 or higher | 32-bit and 64-bit AMD. The Sun Crypto 6000 card is supported only on Red Hat Enterprise Linux 5 and does not work with Compuware OS 3.6. Customers replacing a Cryptoswift card with a Sun Crypto 6000 need to purchase a license for Red Hat Enterprise Linux 5 first. For more information, refer to the article posted on FrontLine and to Installing AMD Operating System in the Data Center Real User Monitoring Agentless Monitoring Device Installation Guide. |
