Tracing two-way SSL handshake between API proxy and backend in On Prem


We have configured our API proxy to perform a two-way SSL (client auth enabled) handshake with the backend systems.

We would like to trace the handshake being performed for performance analysis. We have no access to the MP logs as of now, but can we get a detailed trace from there?


Hello!

So what you will need to do is to check the system.log in the MessageProcessor box as @Dino mentioned. These logs are located at <installation root>/apigee4/var/log/apigee/message-processor/logs/system.log.

By default, these logs are in INFO mode. You will need to create a Debug trace session to see detailed logs. Check this link for more details.


In a recent example, I was able to see the correct SSL Handshake just by using the Trace UI. It's more of a binary though: If it cannot connect, you will clearly see that. If it does connect, you will get an HTTP status response.

What you cannot tell is the reason for the handshake failure, if it occurs. It won't tell you things like "certificate is expired" or "CN does not match the name on the cert" or etc. But I guess you can sort that stuff out with command line tools like openssl, outside the scope of the API Proxy.

@Dino Thanks for the response.

The handshake was working and I am able to view it in the trace. As pointed out by you, we can't view the cause of a handshake failure. However, I am looking for detailed tracing similar to the one we enable in Curl, e.g. as shown below:

13:49:47.031000 * Adding handle: conn: 0x21881c0
13:49:47.031000 * Adding handle: send: 0
13:49:47.031000 * Adding handle: recv: 0
13:49:47.031000 * Curl_addHandleToPipeline: length: 1
13:49:47.031000 * - Conn 0 (0x21881c0) send_pipe: 1, recv_pipe: 0
13:49:47.046000 * About to connect() to ******.com port 443 (#0)
13:49:47.046000 * Trying 185.5.121.147...
13:49:47.218000 * Connected to ****** (10.10.10.100) port 443 (#0)
13:49:47.406000 * SSLv3, TLS handshake, Client hello (1):
13:49:47.578000 * SSLv3, TLS handshake, Server hello (2):
13:49:47.578000 * SSLv3, TLS handshake, CERT (11):
13:49:47.578000 * SSLv3, TLS handshake, Server key exchange (12):

We were running some load tests and wanted to evaluate the number of times the handshake was performed.
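Counting handshakes from a trace in the curl format quoted above, as an added example that is not part of the original post: it parses timestamped verbose output (assumed captured with `curl --trace-time -v`), counts one handshake per Client hello, times each one, and flags those where the server sent a certificate request (message type 13), which is what marks two-way SSL. It measures the client side of a curl run only, not the Message Processor's connection to the backend; the sample trace, host name and address are constructed.

```python
import re
from datetime import datetime

# Constructed sample in curl's --trace-time verbose format (placeholder host
# and address): two connections, only the first is asked for a client cert.
SAMPLE = """\
13:49:47.218000 * Connected to backend.example (192.0.2.10) port 443 (#0)
13:49:47.406000 * SSLv3, TLS handshake, Client hello (1):
13:49:47.578000 * SSLv3, TLS handshake, Server hello (2):
13:49:47.578000 * SSLv3, TLS handshake, CERT (11):
13:49:47.578000 * SSLv3, TLS handshake, Server key exchange (12):
13:49:47.579000 * SSLv3, TLS handshake, Request CERT (13):
13:49:47.640000 * SSLv3, TLS handshake, Finished (20):
13:49:49.000000 * Connected to backend.example (192.0.2.10) port 443 (#1)
13:49:49.010000 * SSLv3, TLS handshake, Client hello (1):
13:49:49.150000 * SSLv3, TLS handshake, Server hello (2):
13:49:49.200000 * SSLv3, TLS handshake, Finished (20):
"""

# Matches old ("SSLv3, TLS handshake, ...") and newer curl prefixes alike.
LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+) \* .*TLS handshake, .+? \((\d+)\):")

def parse_handshakes(trace):
    """Return one dict per handshake: start time, duration, client-auth flag."""
    found = []
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # connection setup and other non-handshake lines
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        msg_type = int(m.group(2))
        if msg_type == 1:  # Client hello opens a new handshake
            found.append({"start": ts, "end": ts, "client_auth": False})
        elif found:
            found[-1]["end"] = ts
            if msg_type == 13:  # CertificateRequest: server wants a client cert
                found[-1]["client_auth"] = True
    return [{"start": h["start"].strftime("%H:%M:%S.%f"),
             "seconds": (h["end"] - h["start"]).total_seconds(),
             "client_auth": h["client_auth"]} for h in found]

def summarize(trace):
    hs = parse_handshakes(trace)
    return {"handshakes": len(hs),
            "with_client_auth": sum(h["client_auth"] for h in hs),
            "total_seconds": round(sum(h["seconds"] for h in hs), 6)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Timestamps carry no date, so a trace that crosses midnight would need the wraparound handled separately.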

Ah, I see.

For that, you will need the MP logs.
