HTTPS(PI_HTPS)
- Organization of this page
Function
The HTTPS (PI_HTPS) record stores information about HTTPS service response time. This is a multi-instance record.
Default and changeable values
Item |
Default value |
Changeable |
---|---|---|
Collection Interval |
360 |
Y |
Collection Offset |
0 |
Y |
Log |
No |
Y |
LOGIF |
(Blank) |
Y |
Over 10 Sec Collection Time |
No |
N |
ODBC key fields
PI_HTPS_MSR_COND_ID
Lifetime
None
Record size
-
Fixed part: 681 bytes
-
Variable part: 360 bytes
Fields
View name (Manager name) |
Description |
Summary rule |
Format |
Delta |
Data source |
---|---|---|---|---|---|
Data Transfer Time (DATA_TRANS_TIME) |
Data transfer time (seconds) ((7) in Figure 10-5) |
AVG |
double |
No |
Probe Daemon |
DNS Time (DNS_TIME) |
Data transfer time (seconds) ((4) in Figure 10-5) |
AVG |
double |
No |
Probe Daemon |
HTTP Time (HTTP_TIME) |
HTTP time (seconds) ((3) in Figure 10-5) |
AVG |
double |
No |
Probe Daemon |
Request Count (REQ_COUNT) |
Number of requests issued (count) |
AVG |
double |
No |
Probe Daemon |
Server Processing Time (SERV_PROCESS_TIME) |
Server processing time (seconds) ((6) in Figure 10-5) |
AVG |
double |
No |
Probe Daemon |
Setup Time (SETUP_TIME) |
Setup time (seconds) ((2) in Figure 10-5) |
AVG |
double |
No |
Probe Daemon |
TCP Connection Time (TCP_CON_TIME) |
TCP connection time (seconds), including the time required for establishing an SSL connection ((5) in Figure 10-5) |
AVG |
double |
No |
Probe Daemon |
Throughput (THROUGHPUT) |
Resource transfer throughput (bits/second). This is determined by the total size of resources and the data transfer time. |
AVG |
double |
No |
Probe Daemon |
Total Amount of Data (TOTAL_DATA_SIZE) |
The total amount of data transferred between the HTTPS probe and the measurement-target server via the TCP connection (bytes). For the data transferred via an SSL-protected connection, the total amount of text data is calculated. The amount of data associated with server authentication for establishing an SSL connection and the amount of data associated with an SSL handshake are not included. |
AVG |
double |
No |
Probe Daemon |
Total Resource Size (TOTAL_RES_SIZE) |
Size of acquired resources (bytes) |
AVG |
double |
No |
Probe Daemon |
Total Response Time (TOTAL_RESP_TIME) |
Total response time (seconds) ((1) in Figure 10-5) |
AVG |
double |
No |
Probe Daemon |
The following figure shows the HTTPS sequence.
HTTPS operating environment and notes
An HTTPS probe establishes an SSL-protected connection with the server that provides the target service. Then the HTTPS probe issues an HTTP request to the URL specified on the connection, uses the GET method to acquire the page or the POST method to register data, and measures the response time. Note that when the SSL connection is established, server authentication is performed to confirm that the connection target is a reliable HTTP server.
The following describes, and provides notes on, an HTTPS operating environment.
Web authentication
The Basic Authentication method is used.
Cookie
PFM - Agent for Service Response accepts cookies based on Netscape Communication's specifications. The information sent as a cookie from the HTTP server is stored in the Cookie file that is created for each measurement condition. The Cookie files remain undeleted even after measurement is completed. If measurement cannot be performed correctly due to a change made to the contents of a measurement condition, delete the Cookie file for that measurement condition, which can be identified by the measurement condition ID. The following is the naming convention for Cookie files:
cookies_<measurement-condition-ID>
Cookie files are stored in the following folder:
installation-folder\agtv\probe\probedata\http
Program execution
Plug-ins, JavaScripts, and applets are downloaded but not executed.
Depth
For example, specifying a depth of 2 acquires the pages displayed in the resources and frames that are embedded in the page at the specified URL. No linked pages are acquired. PFM - Agent for Service Response repeats the acquisition of resources and frames embedded in the acquired page or frame as many times as the specified value.
For the embedded resources and frames, PFM - Agent for Service Response analyzes the acquired HTML, and acquires the resources and frames that are specified by the value of the tag and attribute shown in the table below.
Tag name |
Attribute name |
---|---|
applet |
code |
frame |
src |
iframe |
src |
img |
src |
script |
src |
Note that PFM - Agent for Service Response cannot acquire resources or frames from HTML files that are returned after being compressed or transformed by commands such as gzip or compress. Moreover, PFM - Agent for Service Response cannot acquire resources or frames from HTML files that have any attributes other than those listed in the above table. Such attributes include the archive attribute of the <applet> tag, which specifies a compressed file as the value of an attribute name.
Use of proxy
If acquiring the Web page specified by the URL and the embedded resources and frames involves use of a proxy for only part of the acquisition target, measurement cannot be performed.
Cipher strength
The table below shows the encryption types supported by the HTTPS probe. You cannot access a page protected with unsupported cipher strength.
Cryptographic algorithm |
Key length |
---|---|
AES |
256,128 |
AESGCM |
256,128 |
Camellia |
256,128 |
DES |
56 |
IEDA |
128 |
RC4 |
128 |
3DES |
168 |
Hash algorithm that can be used for certificates
SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 and MD5 are supported as hash algorithms for certificate signatures and message digests. Use certificates that have been created by using one of the supported hash algorithms.
Server authentication
For server authentication, PFM - Agent for Service Response verifies the validity period of a server certificate sent from the HTTP server and confirms that the server certificate was issued from an authorized Certificate Authority. To verify the server certificate, the root certificate of either the Certificate Authority that issued the server certificate or its higher-level Certificate Authority is required. Because the root certificate has a validity period, you need to re-install the root certificate before it expires. If there is no root certificate or if the server certificate has expired, server authentication fails.
To install a root certificate, use the following procedure:
- Acquire a root certificate:
-
Export a PEM root certificate from a Web browser. The following shows an example using Internet Explorer 8.
-
Select Tools, Internet Options, and then click the Contents tab.
-
Click the Certificate button. Then, in the dialog box that opens, click the Trusted Root Certification Authorities tab.
-
In the list, select the root certificate of the Certificate Authority that issued the server certificate.
To check the Certificate Authority that issued the server certificate, open the monitoring target Web page in Internet Explorer, and then click the key icon on the status bar. Then look at the information on the Details page.
-
Click the Export button to start the certificate export wizard.
Specify the settings as instructed by the export wizard.
For the format of the exported file, select Base64 encoded X.509(.CER).
For the file name, enter c:\cacert.cer. The extension .cer is automatically added.
-
- Install the root certificate:
-
Change the extension of the exported root certificate (cacert.cer) to .pem, and then copy the file to installation-folder\agtv\probe\cert.
Note that the cacert.pem file can contain multiple root certificates. To add a root certificate to the existing cacert.pem file, use a text editor to copy the contents of the exported root certificate (from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----) to the cacert.pem file.
Client certificate
PFM - Agent for Service Response sends a client certificate to the HTTP server. The HTTP server then verifies the validity period and confirms that the client certificate was issued from an authorized Certificate Authority. The client certificate and the private key can be obtained in either of the following ways.
-
Obtained from a certification authority
-
Exported from the Internet Explorer used for accessing the monitoring-target Web site
The file containing the client certificate and private key must be stored under installation-folder\agtv\probe\cert. The file must be in Base64 encoded X.509 format. If the provided client certificate file is not in Base64 encoded X.509 format, use any tool to convert it to X.509 format.
The following shows how to export a client certificate and its private key by using Internet Explorer 8. Note that the client certificate to be exported must have been specified to allow export of the private key when they were imported to Internet Explorer.
-
Start Internet Explorer, and select Tools, and then Internet Options.
The Internet Options dialog box opens.
-
Select the Contents tab, and then click the Certificates button.
The Certificates dialog box opens.
-
Select the Personal tab.
The Personal page is displayed.
-
Select the client certificate to be exported, and then click Export.
The certificate export wizard starts. Export the certificate as instructed by the wizard.
For Export Private Key, select Yes, export the private key.
For the export file format, select Personal Information Exchange-PKCS#12(PFX).
Clear the Enable strong protection check box.
Enter any values for the password and file name.
-
Convert the certificate format from PKCS#12 to Base64-encoded X.509.
You can use any tool for conversion.
-
Store the exported file under installation-folder\agtv\probe\cert.
RFC compliance
-
RFC1866: Hypertext Markup Language - 2.0
-
RFC2616: Hypertext Transfer Protocol - HTTP/1.1
-
RFC2396: Uniform Resource Identifiers (URI): Generic Syntax
-
RFC2818 HTTP over TLS
For the functions that are not compliance with RFCs and the restrictions, see the above notes.