The .NET Agent can only connect to the Enterprise Manager (EM) over SSL by tunneling through the HTTPS port of the Enterprise Manager (EM) Web Server, but what are the steps to achieve this?


Article ID: 37728


Products

APP PERF MANAGEMENT CA Application Performance Management Agent (APM / Wily / Introscope) CUSTOMER EXPERIENCE MANAGER INTROSCOPE

Issue/Introduction

Question:

The .NET Agent can only connect to the Enterprise Manager (EM) over SSL by tunneling through the HTTPS port of the Enterprise Manager (EM) Web Server, but what are the steps to achieve this?

 

Answer:

In this example a self-signed certificate is created on the EM and used for the agent-EM SSL/TLS handshake; the agent machine is then made to trust that certificate explicitly, since no CA vouches for it.

1. Use the Java keytool utility bundled with the EM to create a new keystore file containing a self-signed certificate (a PrivateKeyEntry) with alias myhost, e.g.

EM_HOME\jre\bin\keytool -genkey -alias myhost -keyalg RSA -keysize 2048 -validity 365 -keypass password -keystore keystore -storepass password 

Replace both occurrences of password with a real secret before use; the value is only a placeholder here. Passing -keypass/-storepass on the command line also leaves them in shell history, so you may prefer to omit them and let keytool prompt. Keep the keystore file readable only by the EM service account, as it holds the private key.

NOTES:

If using an APM version prior to 10.x, the alias name must be wily, because em-jetty-config.xml in those releases has no certAlias property for selecting a different alias.

When prompted for the distinguished-name values, set CN to the FQDN of the server hosting the EM, e.g. myhost.ca.com. This must be the same name the agent is later configured to connect to (transport.tcp.host), because the .NET client validates the server name against the certificate: a certificate whose CN is a short hostname or localhost is rejected with the same "remote certificate is invalid" error as an untrusted one, even after it has been imported. With keytool from Java 7 or later you can additionally put the name in a Subject Alternative Name by appending -ext SAN=dns:myhost.ca.com to the command above.

 

2. Export the public key for the new certificate from the keystore e.g.

EM_HOME\jre\bin\keytool -export -alias myhost -keystore keystore -file myhost.crt

 

3. Transfer myhost.crt to the agent machine and import it into the Trusted Root Certification Authorities store of the Local Computer. Note that CERTMGR.MSC opens the Current User store only; to reach the Local Computer store use CERTLM.MSC (Windows 8.1 / Server 2012 R2 and later) or the MMC Certificates snap-in added for the Computer account, from an elevated session.

NOTE: It must go into the certificates for the 'Local Computer' rather than 'Current User'. The ASP.NET worker process runs under a service identity (for example ApplicationPoolIdentity or NETWORK SERVICE) that never sees the interactive user's store, so with a Current User import the agent-EM connection fails with an error:

System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure. 

Useful Reference: Troubleshooting ASP.NET - The remote certificate is invalid according to the validation procedure

 

4. Enable the EM secure Web Server per the usual steps by uncommenting this line in the IntroscopeEnterpriseManager.properties file:

introscope.enterprisemanager.webserver.jetty.configurationFile=em-jetty-config.xml

 

5. Edit the em-jetty-config.xml file so that its SSL connector (default port 8444) points at the new keystore file and its store/key passwords, and, on APM 10.x, set certAlias to the alias chosen in step 1 if it is not wily. Because this file now carries the keystore passwords, restrict its filesystem permissions to the EM service account. Then start the EM.

 

6. In the IntroscopeAgent.profile file:

Comment out these lines to be as follows:

#introscope.agent.enterprisemanager.transport.tcp.host.DEFAULT=localhost

#introscope.agent.enterprisemanager.transport.tcp.port.DEFAULT=5001

#introscope.agent.enterprisemanager.transport.tcp.socketfactory.DEFAULT=com.wily.isengard.postofficehub.link.net.DefaultSocketFactory

Uncomment/edit these lines to be as follows:

introscope.agent.enterprisemanager.transport.tcp.host.DEFAULT=myhost.ca.com

introscope.agent.enterprisemanager.transport.tcp.port.DEFAULT=8444

introscope.agent.enterprisemanager.transport.tcp.socketfactory.DEFAULT=com.wily.isengard.postofficehub.link.net.HttpsTunnelingSocketFactory

 

7. Start the agent. It should connect to the EM through the HTTPS tunnel, e.g. this Perfmon Collector Agent log entry:

[INFO] [IntroscopeAgent.IsengardServerConnectionManager] Connected controllable Agent to the Introscope Enterprise Manager at WILLY03-E7440B.ca.com:8081,com.wily.isengard.postofficehub.link.net.HttpsTunnelingSocketFactory. Host = "WILLY03-E7440B", Process = ".NET Process", Agent Name = "PerfMonCollectorAgent.exe", Active = "True". 

The host:port in the message is whatever was set in the profile (8081 in this captured example; with the settings above it would read myhost.ca.com:8444). The part to check is the socket factory name: it must be HttpsTunnelingSocketFactory. If the log still shows DefaultSocketFactory, the profile edits in step 6 were not picked up.
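As an added example (not part of the original article or the product's own tooling), the following PowerShell script performs step 3 on the agent machine and then checks the result the way the .NET agent will see it: it opens a TLS connection to the EM HTTPS port using SChannel's default validation, so an untrusted chain or a CN/SAN that does not match the host surfaces here as the same "remote certificate is invalid" AuthenticationException, before the agent is started. It assumes myhost.crt is in the current directory, the EM is reachable as myhost.ca.com on 8444 (both assumed values from this article), and that the PKI module's Import-Certificate cmdlet is available (Windows 8 / Server 2012 or later). Run it from an elevated prompt.

```powershell
# Added example, not part of the original article. Assumed values: myhost.crt in the
# current directory, EM reachable as myhost.ca.com on the Jetty SSL port 8444.
param(
    [string]$CertFile = ".\myhost.crt",
    [string]$EmHost   = "myhost.ca.com",
    [int]   $EmPort   = 8444
)

# Step 3: import into the Local Computer trusted-root store (needs an elevated prompt).
# Cert:\CurrentUser\Root would look identical in certmgr.msc but is invisible to the
# ASP.NET worker process, which is exactly the failure the article warns about.
$imported = Import-Certificate -FilePath $CertFile -CertStoreLocation Cert:\LocalMachine\Root
Write-Host ("Imported '{0}' thumbprint {1}" -f $imported.Subject, $imported.Thumbprint)

# Prove it is in the machine store, not just the current user's.
$inMachineRoot = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
if (-not $inMachineRoot) { throw "Certificate is not in Cert:\LocalMachine\Root" }

# Handshake with SChannel's default validation (no callback override), so this reproduces
# the agent's view: an untrusted chain or a CN/SAN that does not match $EmHost throws
# System.Security.Authentication.AuthenticationException here.
$tcp = New-Object System.Net.Sockets.TcpClient($EmHost, $EmPort)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($EmHost)
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host ("TLS handshake OK: {0}, subject={1}, thumbprint={2}" -f `
        $ssl.SslProtocol, $remote.Subject, $remote.Thumbprint)

    # The EM must present the certificate we just trusted; anything else means Jetty is
    # serving a different alias or keystore (check certAlias in em-jetty-config.xml).
    if ($remote.Thumbprint -ne $imported.Thumbprint) {
        Write-Warning "EM presented a certificate other than the imported one"
    }
    $ssl.Close()
}
finally {
    $tcp.Close()
}
```

If AuthenticateAsClient throws, read the message: a chain error means the import did not reach the Local Computer Root store, a name error means the CN/SAN from step 1 does not equal the value you pass as the host (and will later put in transport.tcp.host.DEFAULT).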

Environment

Release: CEMUGD00200-9.7-Introscope to CA Application-Performance Management-Upgrade Main
Component: