Here is a technique to intercept and decrypt the TLS (HTTPS) network traffic from the Infor Grid using Wireshark and the server’s private keys.
Why does it matter?
This technique is useful for troubleshooting products like M3 Web Services (MWS) and Infor Process Automation (IPA), which don’t log the HTTP requests and responses in their entirety. For instance, MWS Runtime can optionally dump the SOAP requests and SOAP responses but misses the HTTP request headers and HTTP response headers, and IPA only logs the HTTP response body but misses the HTTP request’s header and body and the HTTP response header; and neither MWS nor IPA lets us hook into a proxy such as Fiddler. Sometimes it’s necessary to troubleshoot the HTTP requests and responses in their entirety. For example, I’m currently troubleshooting for a customer the case of a rogue white space somewhere in a request that’s throwing a syntax error downstream in a parser, and I need to chase the bug down by analyzing the hexadecimal values of the bytes, and for that I need unencrypted traffic.
We could use Wireshark to intercept all network packets, but if the traffic is encrypted with TLS (HTTPS) it’s unreadable. In TLS, the client and server use asymmetric (public-key) cryptography during the handshake to agree on a session key, and then switch to symmetric cryptography for the rest of the session. Fortunately, the Wireshark SSL dissector can decrypt the traffic if we give it the server’s private keys. I had previously shown this technique a long time ago to decrypt Lawson Smart Office traffic, and more recently to intercept unencrypted IPA traffic. This time I update the technique for the encrypted traffic of the Infor Grid.
Don’t get excited about hacking and don’t freak out about security, because this technique is only available to those administrators that have access to the server’s private keys and passwords.
Server’s private keys and passwords
First, we will need to find the Infor Grid’s private keys and passwords. I don’t do Grid installations so I don’t know where the keys are stored (if in the same path on any Grid, or if at a path defined by the installer), nor how the keys are generated (if automatically by the Grid, or if manually by the installer). In my case, I was testing on two different Grids and I found the keys in LifeCycle Manager (LCM) server at these two different paths:
D:\Infor\LifeCycle\<host>\grid\<grid>\grids\<grid>\secure\
E:\Infor\LifeCycle Manager\LCM-Server\grid\<grid>\keyStore\
This inconsistency tells me the path is defined by the installer.
The paths contain many files of type *.ks and *.pw. The KS file type is a keystore encrypted with a password. The PW file type is the password in clear text; it looks encrypted but it’s just long random clear text. In my second Grid, there were about 50 pairs of files where the file names seem to follow a specific naming convention. That tells me the keys and passwords are generated automatically by the Grid.
Export and convert the private key
Now that we have the keystores and the passwords, we need to export the private key from the keystore and convert it to a format supported by Wireshark. For that, we can use the keytool of the JRE to export and OpenSSL to convert, or use KeyStore Explorer that will both export and convert.
Here’s with the keytool (export to PKCS12) and OpenSSL (convert to PEM):
keytool -importkeystore -srckeystore mykeystore.ks -destkeystore myexportedkey.p12 -deststoretype PKCS12
openssl pkcs12 -in myexportedkey.p12 -out myexportedkey.pem -nocerts -nodes -passin file:mykeystore.pw
And here’s with the KeyStore Explorer (directly to PEM):
Now we have a file with -----BEGIN PRIVATE KEY-----:
Import the private key in Wireshark
Now we import the key in Wireshark > Edit > Preferences > Protocols > SSL and set the Infor Grid server’s IP address, port and private key (PEM):
Intercept and decrypt traffic
Now we are ready to intercept and decrypt traffic, for example we can go to the Grid Management Pages with HTTPS:
Then we filter for ssl, see the decrypted traffic, the key exchange, and Follow SSL Stream:
Summary
That was a technique to intercept and decrypt network traffic of the Infor Grid using Wireshark and the server’s private keys which is useful for troubleshooting purposes. This technique is only available to the administrators that have access to the servers.
If you know of a simpler technique please let me know.
That’s it. Please like, comment, subscribe, share. Thank you.
UPDATE: Use the keystore https.ks and not server.ks as incorrectly shown in one of the screenshots.
UPDATE: If I apply this technique when Wireshark is running on the server itself then Wireshark wrongly shows 0 bytes for the conversations. I don’t know if the problem is because Wireshark must run on the client and not on the server (illogical), or if it’s a lack of loopback adapter on the server (likely), or if it’s because the browser I’m using on the server uses Diffie-Hellman which is not decryptable (check with openssl s_client -connect host:port). To be continued…
UPDATE: I have more information regarding my setup and why sometimes traffic cannot be decrypted.
My setup: I imported the Infor Grid’s private key https.pem into my Wireshark RSA key list and I set the Infor Grid server’s IP address (for example 10.6.9.210), port number (for example 26108) and protocol http, as in the screenshot, then I run Wireshark on the client (for example on my laptop or on another server) next to my browser, and then I open an Infor Grid page over HTTPS in my browser (for example https://host:26108/grid/info.html), as in the screenshot. Wireshark will intercept the TLS traffic from my browser, I filter for ssl, I right-click Follow SSL stream, and Wireshark will decrypt the traffic using the server’s private key. That’s for the setup, and it works.
Unable to decrypt: Sometimes Wireshark will be unable to decrypt, and I found two scenarios, there may be more:
Note: I haven’t made a thorough review of any of what I’m writing. I’m just dumping my quick findings for my tests so I can remember next time, and so you can try for yourself.