8 Replies. Latest reply: Apr 26, 2012 7:02 PM by EP NameToUpdate

TMART How you deal with Secured (https) websites

EP NameToUpdate

Dear All,

 

Would like to get some advice here about TMART workbench recording, especially while dealing with https.

 

Understand that most applications nowadays mostly use https (internal/external), and we are able to import a security cert with private key into the workbench. But is it always necessary to import? Or can we actually skip this part and just continue recording with those certificate warnings?

 

Another thing, how about those web sites which are public (e.g. yahoo mail, gmail, hotmail, etc.)? We can't get the required certificate by just exporting from the browser (CMIIW). So wondering what kind of steps you guys are taking when it comes to similar requirements? (btw I'm talking about custom monitoring)

 

Or, I'm not really sure if this requirement is actually too much? Seems like I can't record gmail as it always hangs when I try to run it.

 

Would like to know how you handle this technically, or how do you handle your customer in this case.

 

Suggestions, jokes, and advice will be much appreciated.

 

Thanks in advance,

EP

 

PS: points will be provided here.

  • 1. Re: TMART How you deal with Secured (https) websites
    Xta

    I haven't had to deal with certificates & TM ART yet, so I can't help you there, but regarding the Gmail issues - it could be those embedded web analytics that Google uses, they don't really like monitors like the TM ART virtual user at all. I usually put

     

    WebSetDomainSuppress("google.com google-analytics.com googleadservices.com");

     

    at the start of my scripts, because many of our clients use those Google analytics services for getting information about visitors. Though using that of course makes monitoring a Google site a bit hard, heh...

  • 2. TMART How you deal with Secured (https) websites
    Hal DeVore

    EP,

     

    It is only necessary to import a certificate into the Workbench if the site you are recording requires client-side certificates.

     

    When you record a site that uses server-side certificates, you will (should!) get a warning from the browser you are using.  This is because, during the recording process only, the recorder is a "man in the middle" eavesdropping on the conversation between the browser and the web server.

     

    During recording the traffic that the browser sees is coming from the recorder and not from the destination website so the cert doesn't match the site the browser is seeing.  This is normal and only happens during recording as this is the only time there are three parties involved in the "conversation".

     

    --Hal

  • 3. TMART How you deal with Secured (https) websites
    EP NameToUpdate

    Hi Xta,

     

    Thanks for replying, yeah... gmail doesn't seem to like monitors... Can't get it monitored using the recorder till now.

     

    Lucky you don't have to deal with certificates. I'm really curious how others are doing it. I don't see many KB articles in BMC support either...

     

    Cheers,

    EP

  • 4. TMART How you deal with Secured (https) websites
    EP NameToUpdate

    Hi Hal,

     

    Yes, yes. I can see a warning each time the browser loads a new page. A warning which asks us to choose an option to close the webpage or continue to the website.

     

    So in other words, can I say that it's safe to just choose to continue whenever we see this warning and record everything as per normal?

     

    I just worry that by clicking this, the recorder will save this clicking activity and the monitor will have problems in the long run. (Though I don't have proof of this yet)

     

    Thanks a lot,

    EP

  • 5. TMART How you deal with Secured (https) websites
    Hal DeVore

    EP,

     

    When recording Web Applications, the recorder does not see or record click actions, it only sees and records the protocol exchanges between the application being recorded (the browser) and the server that the application is talking to.

     

    The popup warning you are seeing is generated by the browser when it sees a mismatch between the domain where the certificate says the traffic should be coming from and where it is actually coming from.  From the browser's point of view during recording the traffic is coming from the recorder and not the correct site.  Since it is only a popup and not traffic, the recorder does not see it.

     

    --Hal
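The browser-side check Hal describes in replies 2 and 5, as an added example that is not part of the original thread and is not TM ART code. The certificate contents, host names and CA names are constructed, the recorder's certificate is an assumption about what a recording proxy might present, and the issuer check is simplified to a name lookup instead of real chain validation.

```python
# Certificates use the dict layout returned by Python's ssl.getpeercert().
SITE_CERT = {  # constructed: what the real server would present
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.example.com")),
}
RECORDER_CERT = {  # constructed assumption: what the recorder presents in the middle
    "subject": ((("commonName", "recorder.local"),),),
    "issuer": ((("commonName", "Recorder Local CA"),),),
}
TRUSTED_ISSUERS = {"Example Public CA"}  # stand-in for the browser trust store

def name_matches(pattern, host):
    """Compare one certificate DNS name with the requested host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # wildcard covers exactly one label and needs two fixed labels after it
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def dns_names(cert):
    """DNS names from subjectAltName, falling back to the subject commonName."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def issuer_cn(cert):
    return next((v for rdn in cert.get("issuer", ()) for k, v in rdn
                 if k == "commonName"), None)

def browser_warnings(cert, host, trusted=TRUSTED_ISSUERS):
    """Return the reasons a browser would warn; an empty list means no popup."""
    reasons = []
    if not any(name_matches(n, host) for n in dns_names(cert)):
        reasons.append("name mismatch")
    if issuer_cn(cert) not in trusted:
        reasons.append("untrusted issuer")
    return reasons

if __name__ == "__main__":
    print("direct:      ", browser_warnings(SITE_CERT, "mail.example.com"))
    print("via recorder:", browser_warnings(RECORDER_CERT, "mail.example.com"))
```

The warning is produced entirely on the browser side from the certificate it was handed, which is why it appears only while the recorder sits between browser and server.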

  • 6. Re: TMART How you deal with Secured (https) websites
    EP NameToUpdate

    Hi Hal,

     

    I've played around with the script for a while and I got it now... Thanks for the clear explanation. I tested it myself.

     

    My question here is answered.

     

    As promised, I put the points to your answer.

     

    Hi Xta,

     

    Your inputs are helpful to me, I tested it and it's pretty useful.

     

    Thanks, I put the helpful point to you.

     

    Thanks and Best Regards,

    EP

  • 7. TMART How you deal with Secured (https) websites
    Adam Wemlinger

    Just a note that when the browser initially calls the URL it is blocked, and when you click continue it resubmits the call, resulting in 2 recorded calls where there should only be one. I typically will start the recording at url "about:blank" so that I can then pause the recorder, enter the intended url, get the security warning, start recording, continue to the web site. This results in the recorder seeing only 1 call to the URL. Alternatively you can just add a note to the script before you click continue so that you know there is a duplicate function call right there.

  • 8. TMART How you deal with Secured (https) websites
    EP NameToUpdate

    Hi Adam,

     

    Thanks for the note!

     

    Yes, I noticed that. But I just left it so far as the impact wasn't so great.

     

    But after this I will follow your suggestion.

     

    Thank you again.


    EP