SSL monitoring

Monitoring of secure traffic requires more attention and preparation than monitoring of non-secure protocols. In addition, if the NAM Probe is to decrypt SSL traffic, it needs third-party components, such as hardware or software SSL accelerators, preconfigured to seamlessly work with Network Application Monitoring.

Before you begin

Before you start configuration process:

  • You should be familiar with NAM components and basic monitoring concepts.
  • You need to identify your monitoring goals.
  • You need to install the following NAM components:
    • The latest version of NAM Probe
    • The latest version of NAM Console
    • The latest version of NAM Server
    • Optionally: The latest version of ADS (DC RUM 2017)
  • Make sure you have prepared your RSA keys and documentation on your SSL accelerator.

Note: The tasks described below are for configuring SSL monitoring with decryption. If you want to monitor SSL traffic without decryption, see Monitoring SSL-encoded traffic without decryption.

  1. Prepare the RSA private keys for servers that are to be monitored.
    Apply the private keys in PEM format to the NAM Probe in order to decrypt secure sessions. For more information, see Configuring and using RSA private keys and Extracting Web Server Private SSL Keys.
  2. Select the mode of RSA key management on the NAM Probe.
    For more information, see Management of RSA private keys on NAM Probe.
  3. Install and configure a hardware SSL accelerator, if a hardware accelerator is to be used.
    In most deployments, hardware SSL accelerators are used because of performance reasons. However, there is an option to use a software alternative, OpenSSL. Depending on your SSL acceleration approach, refer to the topic appropriate for your hardware accelerator or use OpenSSL, the default cost-free SSL acceleration mode on the NAM Probe.
  4. Optional: Migrate from OpenSSL to an SSL hardware accelerator.
    While OpenSSL is a cost-free solution to SSL decryption, it may not be sufficient in terms of performance. When your secure traffic stream overwhelms the NAM Probe's software capabilities, consider deploying hardware SSL accelerators. For more information, see Migrating from OpenSSL to using SSL hardware accelerator.

Monitoring configuration

Set up software service monitoring. Monitoring SSL traffic requires that you select an appropriate analyzer while defining a software service. For example, if you want to monitor an HTTPS (secure HTTP) software service, and you comply with the previous configuration steps, select the “SSL Decrypted” analyzer for such a service. Apart from selecting the analyzer for your software service, you can also configure more advanced features of HTTP analysis, such as user recognition and URL parameter parsing. HTTPS, while the most dominant protocol in SSL monitoring, is not the only protocol that can be encrypted with SSL.

What to do next

If you see any issues while monitoring SSL traffic, consult the SSL-related FAQ to diagnose your problems before you contact Customer Support. For more information, see Troubleshooting SSL Monitoring Issues and SSL-Related rcon Commands.