How APM CE (CEM) SSL private keys are protected on the TIM and TIM Collector

Article ID: 19330

Products

APP PERF MANAGEMENT
CA Application Performance Management Agent (APM / Wily / Introscope)
CUSTOMER EXPERIENCE MANAGER
INTROSCOPE

Issue/Introduction

The following process is used to handle SSL private keys:

  1. The SSL private keys are uploaded to the TIM Collector over an HTTP/HTTPS connection to the administrative APM CE UI.
  2. The TIM Collector forwards them immediately to each enabled TIM without storing them.
  3. The TIM Collector encrypts the keys with 128-bit Advanced Encryption Standard (AES) and sends them over an HTTP(S) connection; if HTTPS is configured, the SSL connection encrypts the already-encrypted key a second time in transit.
  4. The AES encryption key is not stored as a data file; it is hard-coded into the TIM and the TIM Collector.
  5. Each TIM encrypts the key again with 256-bit AES, using a different key that is hard-coded into the TIM. The encrypted result is stored in the directory /etc/wily/cem/tim/config/webservers with a filename of the form 10.10.10.10-10.10.10.10~80.xml-enc.
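
The stored form in step 5 is the only place a private key lands on disk, so a practical check is that every file in the webservers directory follows the documented naming form and carries no unencrypted PEM key. The script below is an added example written for this article, not CA/Broadcom code: it assumes only the directory and filename form quoted above (two dotted-quad address fields, a tilde, a port, and the .xml-enc suffix; the meaning of the two address fields is not stated in the article) and runs against a constructed temporary directory rather than a real TIM. Because the AES keys are compiled into the TIM and TIM Collector rather than stored as files, the check can only detect a key that was written in the clear; it cannot validate the ciphertext itself.

```python
import re
import tempfile
from pathlib import Path

# Filename form quoted in the article: 10.10.10.10-10.10.10.10~80.xml-enc
# Two dotted-quad address fields joined by "-", then "~" and a port.
NAME_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})~(\d{1,5})\.xml-enc$"
)

# Markers that only appear in an unencrypted PEM-encoded key. The article says
# the stored result is AES-encrypted, so none of these should be present.
PEM_MARKERS = (b"-----BEGIN", b"PRIVATE KEY-----")


def parse_name(name: str):
    """Return the address/port fields of a webservers filename, or None."""
    m = NAME_RE.match(name)
    if m is None:
        return None
    port = int(m.group(3))
    if not 1 <= port <= 65535:
        return None
    return {"addr_a": m.group(1), "addr_b": m.group(2), "port": port}


def looks_plaintext(data: bytes) -> bool:
    """True if the bytes carry PEM markers, i.e. the key was stored unencrypted."""
    return any(marker in data for marker in PEM_MARKERS)


def audit_webservers_dir(path) -> dict:
    """Classify every file in the directory: ok, unexpected name, or plaintext key."""
    findings = {"ok": [], "bad_name": [], "plaintext": []}
    for p in sorted(Path(path).iterdir()):
        if not p.is_file():
            continue
        if parse_name(p.name) is None:
            findings["bad_name"].append(p.name)
        elif looks_plaintext(p.read_bytes()):
            findings["plaintext"].append(p.name)
        else:
            findings["ok"].append(p.name)
    return findings


def demo() -> dict:
    """Run the audit over a constructed sample directory (not real TIM data)."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        # Constructed stand-in for an encrypted blob: every byte value once, so
        # no PEM marker can occur. Real files hold AES ciphertext, not this.
        (base / "10.10.10.10-10.10.10.10~80.xml-enc").write_bytes(bytes(range(256)))
        # Constructed failure case: a PEM key written without encryption.
        (base / "10.10.10.11-10.10.10.11~443.xml-enc").write_bytes(
            b"-----BEGIN RSA PRIVATE KEY-----\n"
            b"MIIB...constructed placeholder, not a real key...\n"
            b"-----END RSA PRIVATE KEY-----\n"
        )
        # Constructed stray file that does not follow the naming form.
        (base / "server.pem").write_bytes(b"not an encrypted key file")
        return audit_webservers_dir(base)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

To use it on a TIM, call audit_webservers_dir("/etc/wily/cem/tim/config/webservers") and treat anything in the plaintext or bad_name buckets as a finding to investigate; an empty set of findings means the on-disk copies at least look like the encrypted form the article describes.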

Environment

Release:
Component: APMCM