Thursday, July 26, 2007

Configuring the HTTP Analyzer to record HTTPS traffic

One of the cool new feature we added to the HTTP Analyzer in 11 is the ability to monitor https traffic. This gives you the ability to see all of the crossing traffic in plain text. The configuration for this though is a mite complicated and didn't make it into the documentation for the Technology Preview so I thought that I should write it up here. To make things simple I am just going to look at try to sniff my password from; but the same principles apply when working with other HTTP traffic such as SOAP messages.

The first thing you need to do is to use the keytool command to create a server side key. For various security and legal reasons we can't ship a default keystore with the product; but it is fairly easily to create one yourself:

keytool -genkey -alias oracle-server -dname "CN=Gerard Davison, OU=HTTPAnalyzer O=Oracle L=Reading, S=Berkshire, C=UK" -keyalg RSA -keypass welcome -storepass welcome -keystore server.keystore

You then need to configure the HTTP Analyzer, bring up the preferences dialog and set this keystore for both the client and the server. You can of course use two separate keystores if you wish. This is more likely to be useful when working with web services rather than standard web traffic.

In this example I am going to look at using the HTTP Analyzer to look at traffic going to To do this I need to configure my web browser to use the analyzer as its proxy. This by default will be localhost with port 8099.

For the moment, although this is something I am working on, you also need to manually import any certificates for website you are going to visit. Some ideas on how your might go about this are in my previous blog entry on this topic. The snippet of java code appears to be the most reliable option. Update: Or you can use the root certificate keystore that comes with java with a workaround. He have made this much easier in more recent internal builds of JDeveloper.

Now start the HTTP Analyzer and try to log into using this proxy configuration. You will see a bunch of paranoid messages complaining about how the certificate is not right. This is normal and your should just accept the certificate for the session. (But it is a reminder of why you should never ignore these dialogs in the real world)

If you continue to log in the you should see that there is a bunch of requests, one of these will contain your username and password in plain text. (I am not going to show you a screen grab of this). You will also notice a whole bunch of error that relate to fetching images. This is because you need to import a certificate for each server you are talking to. In the case of images are served from "".

Being able to watch traffic in this way is very valuable tool when debugging interactions. AJAX services are really quite interesting to watch in this way. You can also record, replay and mock requests as you would un-encrypted traffic.

No comments: