Versions: 4.3 - 6.3
QuerySurge versions 4.3 through 6.3 use Java 7, which defaults to TLS 1.0. Configuring the App Server, API, Agent, and Statsmon requires some additional steps outlined in this article. A pre-requisite for all the work below is ensuring QuerySurge is set up with HTTPS/SSL. Refer to the following link for the steps on how to do this: Configuring QuerySurge with HTTPS (6.1 and higher)
Note: This article pertains to QuerySurge versions 4.3 - 6.3. QuerySurge version 6.4 is a technology upgrade release which upgrades QuerySurge to Java 8. Java 8 defaults to TLSv1.2 so these steps are not required to run QuerySurge 6.4 and higher under TLSv1.2 (once QuerySurge has been set up for HTTPS/SSL).
Note: For all the following steps, the TLS version is set to TLSv1.2. If you're interested in lower levels (TLSv1.0, TLSv1.1), use the same approach with your chosen level.
QuerySurge Configuration Tasks
1. Take your QuerySurge Services Down
Once you have completed the preliminary tasks (i.e., configured HTTPS on your QuerySurge components, and have the proper rights to proceed), you'll need to take your QuerySurge services down (i.e., the QuerySurge App Server, your QuerySurge Agents, and all QuerySurge Statsmon services). Take the services down in the following order:
- QuerySurge Agent(s)
- QuerySurge Statsmon
- QuerySurgeTomcat
- QuerySurgeMySQL (optional in this situation, however the Statsmon service on the database needs to be stopped)
2. Configure the QuerySurge App Server to Use TLSv1.2
This modification is performed via the Java options to change the protocol to TLSv1.2.
Windows
If Tomcat is on Windows, navigate to C:/tomcat/bin and run QuerySurgeTomcatw.exe (you'll need elevated or Admin rights to do this). Click the Java tab and in the Java Options text box, add the following option on its own line:
-Dhttps.protocols=TLSv1.2
Your Java Options should look like this:
Note: Be sure to create a new line after your new entry.
Linux
If Tomcat is deployed on Linux, navigate to /<QuerySurge install dir>/tomcat/scripts. This directory has a file called ctl.sh. Make a backup copy of the ctl.sh file. Carefully edit ctl.sh in a text editor (ex. vi, emacs, nano), and locate the line that starts with:
start_tomcat() {
In the line below that, after -XX:-UseSplitVerifier, add the following:
-Dhttps.protocols=TLSv1.2
Your file should look like this:
3. Configure the QuerySurge Agents to Use TLSv1.2
For each Agent machine you've configured for SSL/HTTPS, you'll need to modify the Java options to change the protocol to TLSv1.2.
Note: You'll need to repeat this setup for each QuerySurge Agent that you have deployed.
Windows
If your Agent is on Windows, open QuerySurgeAgentw.exe (you'll need elevated or Admin rights to do this). Click the Java tab, and in the Java Options text box, add the following option at the bottom:
-Dhttps.protocols=TLSv1.2
Your Java Options should look like this:
Note: Be sure to create a new line after your new entry.
Linux
If your agent is on Linux, navigate to /<QuerySurge install dir>/agent/. This directory has a file called ctl.sh. Make a backup copy of the ctl.sh file. Carefully edit ctl.sh in a text editor (ex. vi, emacs, nano), and locate the line that starts with:
nohup nice
In the line below that, after -XX:-UseSplitVerifier, add the following code:
-Dhttps.protocols=TLSv1.2
Your file should look like this:
4. Configure the QuerySurge Statsmon services to Use TLSv1.2
For the Statsmon services, you'll need to modify the Java Options to change the protocol to TLSv1.2.
Note: All core QuerySurge services (i.e. the App Server, the Database and all Agents) have an accompanying Statsmon service, for which this setup needs to be performed.
Windows
If your Statsmon is on Windows, open QuerySurgeStatsmonw.exe (you'll need elevated or Admin rights to do this). Click the Java tab and in the Java Options text box, add the following option at the bottom:
-Dhttps.protocols=TLSv1.2
Your Java Options should look like this:
Note: Be sure to create a new line after your new entry.
Linux
If your Statsmon is on Linux, navigate to /<QuerySurge install dir>/statsmon/. This directory has a file called ctl.sh. Make a backup copy of the ctl.sh file. Edit ctl.sh in a text editor (ex. vi, emacs, nano), and locate the line that starts with:
nohup nice
In the line below that, after -XX:-UseSplitVerifier, add the following code:
-Dhttps.protocols=TLSv1.2
Your file should look like this:
5. Re-start your QuerySurge Services
Start the services in the reverse of the order you stopped them:
- QuerySurgeMySQL (if shut down, restart this first)
- QuerySurgeTomcat
- QuerySurge Statsmon
- QuerySurge Agent(s)
Your QuerySurge components should now be communicating by TLSv1.2. You should run basic checks (i.e. a test QueryPair) to make sure that the QuerySurge components behave as expected. You can verify that Statsmon is behaving correctly by checking that the QuerySurge Performance Report shows data.
6. The QuerySurge API
The QuerySurge API also must be set up to use TLSv1.2, as it connects directly to the QuerySurge App Server. We describe the setup separately, because the API is not a core QuerySurge component, and is not deployed as a service.
Windows
If your CLI API is on Windows, make a backup of the qscli.bat file (you'll need elevated or Admin rights to do this). Open the file in a text editor and after -XX:-UseSplitVerifier, add the following code:
-Dhttps.protocols=TLSv1.2
Your file should look like this:
Linux
If your CLI API is on Linux, navigate to /<QuerySurge install dir>/cli/. This directory has a file called qscli.sh. Make a backup copy of the qscli.sh file. Edit qscli.sh in a text editor (ex. vi, emacs, nano), and locate the line that contains:
-XX:-UseSplitVerifier
Right after that, add the following code:
-Dhttps.protocols=TLSv1.2
Your file should look like this:
Note: You'll need to repeat this setup wherever the QuerySurge API is deployed.
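Because the same option has to be added by hand to several launcher files on every host, a quick audit helps catch a file that was missed, left commented out, or set to a different protocol level. The script below is an added example, not QuerySurge tooling: the relative paths are the Linux ones named in the steps above, while the function names and the install-directory argument are assumptions of this example. It inspects the files only and does not test what a running service negotiates.

```shell
#!/usr/bin/env bash
# Added example, not part of QuerySurge: audit Linux launcher scripts for the
# -Dhttps.protocols option described in steps 2-4 and 6.
# Function names and the install-dir argument are assumptions of this example.

# Classify one launcher file: OK, MISSING, OTHER:<value>, or UNREADABLE.
classify_launcher() {
    local file=$1 value
    [ -r "$file" ] || { echo "UNREADABLE"; return 0; }
    # Ignore commented-out lines, then take the first https.protocols value.
    value=$(grep -v '^[[:space:]]*#' "$file" \
        | grep -o -e '-Dhttps\.protocols=[^[:space:]"]*' \
        | head -n 1 | cut -d= -f2)
    case "$value" in
        "")      echo "MISSING" ;;
        TLSv1.2) echo "OK" ;;
        *)       echo "OTHER:$value" ;;   # e.g. TLSv1 or a comma-separated list
    esac
}

# Check every launcher the article edits; returns non-zero if any is not OK.
audit_install() {
    local home=$1 rel status rc=0
    for rel in tomcat/scripts/ctl.sh agent/ctl.sh statsmon/ctl.sh cli/qscli.sh; do
        [ -e "$home/$rel" ] || continue   # component not deployed on this host
        status=$(classify_launcher "$home/$rel")
        printf '%-24s %s\n' "$rel" "$status"
        [ "$status" = "OK" ] || rc=1
    done
    return "$rc"
}

# Usage: bash audit_tls.sh /<QuerySurge install dir>
if [ "$#" -gt 0 ]; then
    audit_install "$1"
fi
```

Run it on each host where an Agent, Statsmon or the CLI API is deployed; a non-zero exit status means at least one launcher is not set to TLSv1.2.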