Effects on Application Performance

As you might expect, Contrast's analysis makes your application run a little slower. But, the time difference is usually minimal, and the results are definitely worth it.

Request Processing Time

It's more important to think about how Contrast affects the round-trip time. In typical applications, Contrast doubles the round-trip time for a request that contains a lot of business logic. Contrast only affects the CPU processing time of your application. Round-trip times for static resources don't get measurably worse in most cases. In many applications, a significant amount of time is spent waiting on databases and accessing remote resources. In requests where the total round-trip time is dominated by database or WebService calls, Contrast's effect is less noticeable.

Performance Tuning for Assess

If performance is crucial to your environment, consider the following options.

  • Ensure that the server meets the recommended system requirements and the server has enough free memory before the .NET agent is installed. (Ideally, applications should use less than half of the memory available when the Contrast .NET agent isn't installed.)
  • Run Contrast in Sampling mode, and change sampling frequency to be less frequent.
  • Change the stack trace configuration of Contrast to "Limited" or "Minimal".
  • Exclude some applications from instrumentation and analysis using Application Pool Filtering.
  • Run Contrast during nightly integration tests.
  • Run Contrast in an alternate environment (QA system or DEV environment).
  • Run Contrast on a single node in a load balanced environment.

While the options above should provide the biggest boost to performance, you can try the following steps to tune performance further.

  • Check that the agent's logging level is set to "Warn" or "Error".
  • Disable analysis that requires capturing the HTTP response through policy.

Contrast Connectivity

Issue

  • The .NET agent doesn't start successfully.
  • The Contrast Tray and/or .NET agent logs report errors when connecting to the Contrast application:

    Contrast .NET service failed to start. Contrast .NET cannot connect to TeamServer at: https://app.contrastsecurity.com. The remote name could not be resolved: app.contrastsecurity.com

  • Data from a server with the installed agent doesn't appear in the Contrast interface.

Solution

  • Open the .NET agent's configuration file, DotnetAgentService.exe.config, which is located in the agent's installation directory (i.e., C:/Program Files/Contrast .NET).

  • Verify that the TeamServerUrl value (e.g., https://app.contrastsecurity.com/Contrast) can be reached from a normal web browser on the server. If the URL can't be reached, you should review the network path and related settings between the server and the Contrast application.

  • Verify proxy settings. If a normal web browser can connect to Contrast but the agent can't, the agent might be missing the proxy settings required by your network environment. You can configure a proxy using the ProxyAuth, ProxyUser, ProxyPass and ProxyAddress values in the configuration file.

  • Verify that the API key is correct. If the above settings are correct, the API key used by your organization might have changed. Follow these directions to view your current API Key.
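The checks above can be run from the server itself, without a browser. The PowerShell script below is an added example, not part of the Contrast agent or its documentation. It reads TeamServerUrl and ProxyAddress from the agent configuration file, makes one request, and maps the failure to the step to review. Assumptions: the default path is the one this page uses in later sections, ProxyAddress holds a proxy URL, and the ProxyAuth/ProxyUser/ProxyPass credentials are not applied.

```powershell
# Added example (not Contrast's code). Pass -ConfigPath if the agent is
# installed in a different directory than the default assumed here.
param([string]$ConfigPath = 'C:\Program Files\Contrast\dotnet\DotnetAgentService.exe.config')

$config = New-Object System.Xml.XmlDocument
$config.Load($ConfigPath)

# Return the value of <add key="..." value="..."/> from appSettings, or nothing.
function Get-AgentSetting([string]$Key) {
    $node = $config.SelectSingleNode("/configuration/appSettings/add[@key='$Key']")
    if ($node) { $node.GetAttribute('value') }
}

$url   = Get-AgentSetting 'TeamServerUrl'
$proxy = Get-AgentSetting 'ProxyAddress'
if (-not $url) { throw "TeamServerUrl is not set in $ConfigPath" }

$request = [System.Net.WebRequest]::Create($url)
$request.Method  = 'HEAD'
$request.Timeout = 15000   # milliseconds
# Without a configured ProxyAddress the system default proxy is used.
if ($proxy) { $request.Proxy = New-Object System.Net.WebProxy($proxy) }

try {
    $response = $request.GetResponse()
    $result = "Reachable: HTTP $([int]$response.StatusCode)"
    $response.Close()
}
catch {
    # PowerShell wraps .NET exceptions; walk down to the WebException.
    $ex = $_.Exception
    while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
    if (-not $ex) { throw }
    $result = switch ([string]$ex.Status) {
        'NameResolutionFailure'      { 'DNS: host name could not be resolved' }
        'ProxyNameResolutionFailure' { 'Proxy: ProxyAddress host could not be resolved' }
        'ConnectFailure'             { 'Network: no connection; review firewall, routing and proxy' }
        'Timeout'                    { 'Network: request timed out' }
        'TrustFailure'               { 'TLS: server certificate is not trusted on this machine' }
        'SecureChannelFailure'       { 'TLS: handshake failed' }
        'ProtocolError'              { 'Reachable: server answered with an HTTP error, so the network path works' }
        default                      { "Other: $($ex.Message)" }
    }
}
"$url -> $result"
```

A "Reachable" result with the agent still failing to connect points at the API key rather than the network path.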

SSL Certificates

By default, the .NET framework doesn't allow SSL connections that can't be validated. If the .NET agent is attempting to connect to Contrast with a self-signed SSL certificate, it could give the following error message:

"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."

There are two configuration changes that allow the .NET agent to connect to Contrast with a self-signed SSL certificate:

  • Install the self-signed certificate as a trusted certificate.
  • Configure the agent to ignore certificate errors.

Contrast recommends using these solutions only for testing purposes in a trusted environment. These changes could allow man-in-the-middle attacks to intercept or modify data sent from the agent to Contrast.

Option One

  • Open Internet Explorer (IE) as an Administrator.
  • Navigate to your instance of the Contrast interface. If IE displays an error message, click Continue to this website (not recommended).
  • Click on the Certificate Error icon (next to the URL) > View Certificate > Details tab > Copy to File.
  • Export the certificate as a DER encoded binary X.509 (.CER).
  • Click Start, and then Start Search.
  • Type mmc and then press Enter.
  • On the File menu, click Add/Remove Snap-in.
  • Under Available snap-ins, click Certificates and then Add.
  • Under This snap-in will always manage certificates for, click Computer account and then Next.
  • Click Local computer and then Finish.
  • If you have no more snap-ins to add to the console, click OK.
  • In the console tree, double-click Certificates.
  • Right-click the Trusted Root Certification Authorities store.
  • Click Import to import the certificates.
  • Follow the steps in the Certificate Import Wizard using the certificate created in the previous steps.
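A certificate exported after clicking through a browser warning is only as trustworthy as the connection it came from. The PowerShell script below is an added example, not Contrast's code. It compares the exported .CER file against a thumbprint before adding it to the Trusted Root Certification Authorities store of the local computer, and can remove it again once testing is done. The parameter names are hypothetical, and the expected thumbprint is assumed to come from the administrator of your Contrast instance through a separate channel.

```powershell
# Added example (not Contrast's code). Run from an elevated prompt for
# Import/Remove, since both write to the LocalMachine store.
param(
    [Parameter(Mandatory = $true)][string]$CerPath,
    # Assumption: obtained out of band from the Contrast server administrator.
    [Parameter(Mandatory = $true)][string]$ExpectedThumbprint,
    [ValidateSet('Inspect', 'Import', 'Remove')][string]$Action = 'Inspect'
)

$file = (Resolve-Path -LiteralPath $CerPath).ProviderPath
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

# Thumbprints copied from a dialog often carry spaces or colons; keep hex only.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
}

$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

"Subject     : $($cert.Subject)"
"Issuer      : $($cert.Issuer)"
"Self-signed : $($cert.Subject -eq $cert.Issuer)"
"Valid until : $($cert.NotAfter)"
"Thumbprint  : $($cert.Thumbprint)"

if ($Action -ne 'Inspect') {
    # 'Root' is the Trusted Root Certification Authorities store.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        if ($Action -eq 'Import') { $store.Add($cert) } else { $store.Remove($cert) }
        "$Action completed for $($cert.Thumbprint)"
    }
    finally {
        $store.Close()
    }
}
```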

Option Two

Alternatively, you can configure the agent to trust any certificate. You should only use this configuration for testing purposes or in trusted environments.

  • In a text editor, open %SYSTEMDRIVE%\Program Files\Contrast\dotnet\DotnetAgentService.exe.config.
  • In the appSettings section, add the TeamServerValidateCert tag.

Example:

 <?xml version="1.0"?>
 <configuration>
   <appSettings>
     <add key="TeamServerUrl" value="*****************"/>
     <add key="TeamServerUserName" value="*******************"/>
     <add key="TeamServerApiKey" value="**************"/>
     <add key="TeamServerServiceKey" value="************"/>
     <add key="TeamServerValidateCert" value="false"/>
   </appSettings>
 </configuration>

Get Agent Logs

In rare scenarios, bad instrumentation causes a web server process to crash or a specific page to error out. If you ever encounter a crash or error caused by Contrast, please report the error and file a bug report. If possible, follow the steps below to gather agent logs and process dumps; this additional information is vital to reproducing and fixing these types of bugs.

Agent Logs Directory

The .NET agent logs information to the Contrast\dotnet\LOGS directory within the Windows 2008/2012 ProgramData directory: C:\ProgramData\Contrast\dotnet\LOGS. Depending on the setup of the Windows profile and folder view settings, the directories may be hidden. If so, paste the path into the Windows Explorer location bar; you may need to replace the drive letter C with D.

You can change which information is logged by changing the logging level in the .NET agent configuration.

Types of Bugs

There are two primary types of agent bugs for which Contrast needs to gather logs and other information:

  • Process Crash
  • Unhandled Managed Exception/Page Error/500

Process Crash Bugs

Verify that the web server process crashed

Check your scenario against the following indicators to confirm that the web server process crashed.

  • The web application is unresponsive after installing the .NET agent.

  • The Windows Event Log (Event Viewer > Windows Logs > Application) has Error entries for the ".NET Runtime" and "Application Error".

    • The ".NET Runtime" error has details such as:
     Application: w3wp.exe
     Framework Version: v4.0.30319
     Description: The process was terminated due to an internal error in the .NET Runtime at IP XXXXXXXXX with exit code YYYYYYY
    
    • The "Application Error" entry has details similar to:

      Faulting application name: w3wp.exe, version: 8.5.9600.16384, time stamp: 0x5215df96
      Faulting module name: clr.dll, version: 4.7.2114.0, time stamp: 0x59a63e48
      Exception code: 0xc0000005
      Fault offset: 0x00000000002ff61c
      Faulting process id: 0x3724
      Faulting application start time: 0x01d337d711f21e68
      Faulting application path: c:\windows\system32\inetsrv\w3wp.exe
      Faulting module path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
      Report Id: 4fc99650-a3ca-11e7-80e8-005056bd4248
      

Once you confirm that the observed bug is a process crash, you're ready to gather information to file a bug.

Gather information on the process crash

Complete the following steps to gather information to send to Contrast.

  • Set up the ProcDump utility to capture crash dumps.
    • Download the current version of ProcDump from the Microsoft documentation site to the Windows server with the agent.
    • From an administrator command prompt:
       md c:\dumps 
       procdump.exe -ma -i c:\dumps
      
    • Install the latest .NET agent.
    • Stop the .NET agent service.
    • Enable additional logging.
      • Start > Notepad > Right click > Run as Administrator
      • File > Open > C:\Program Files\Contrast\dotnet\DotnetAgentService.exe.config
      • Change ShouldLogMethodSignatures to true.
      • Uncomment the entry for LogLevel.
      • Check that the specified LogLevel value is trace.
    • Start the .NET agent service.
    • Exercise the application to reproduce the crash.

Once you've reproduced the crash, gather the following items and include them in your bug report:

  • Agent Logs: All files in the agent log directory, C:\ProgramData\Contrast\dotnet\LOGS; right click on the LOGS folder > Send To > Compressed (zip) folder.
  • Windows Event Log: Event Viewer > Windows Logs > Application > Save All Events As > "MyEvents.evtx"
  • Crash Dumps: Create a zip file of each w3wp process dump file in C:\dumps (e.g., w3wp.exe_171002_151601.dmp). Dump files can be quite large.

You can then uninstall ProcDump with C:\>procdump.exe -u.

Unhandled Managed Exception or Page Error Bugs

Verify an unhandled exception

The above process also helps the .NET engineering team resolve issues such as application errors caused by the .NET agent. Use the following indicators to determine if the .NET agent is causing an application error.

  • You've observed the application working normally without the agent.

  • You've observed a page of the application "crashing" (returning a 500 error) under the agent.

  • There are no errors for ".NET Runtime" and "Application Error" in the Windows Event Log.

  • There may be warnings for "ASP.NET" in the Windows Event Log. The warning should look similar to the following:

     Source: ASP.NET 4.0.30319.0
     Date: 10/9/2017 9:22:46 AM
     Event ID: 1309
     Task Category: Web Event
     Level: Warning
     Keywords: Classic
     User: N/A
     Computer: FOO.COMPUTER.COM
     Description:
     Event code: 3005
     Event message: An unhandled exception has occurred.
     Event time: 09/10/2017 9:22:46 AM
     Event time (UTC): 09/10/2017 2:22:46 PM
     Event ID: f706787c1f1247e6a87b777a90413c3d
     Event sequence: 9
     Event occurrence: 1
     Event detail code: 0
     Application information:
     Application domain: /LM/W3SVC/1/ROOT/FOO-1-131520325424796488
     Trust level: Full
     Application Virtual Path: /Foo
     Application Path: E:\MCMSFiles\inetpub\wwwroot\Foo\
     Machine name: FOO
     Process information:
     Process ID: 176840
     Process name: w3wp.exe
     Account name: System
     Exception information:
     Exception type: ArgumentOutOfRangeException
     Exception message: Index was out of range. Must be non-negative and less than the size of the collection.
     Parameter name: index
     at System.Collections.ArrayList.get_Item(Int32 index)
     at System.Web.UI.WebControls.DataListItemCollection.get_Item(Int32 index)
     at Fabrikam.SetTabCount(Int32 index, NullableInt32 summaryCount) in C:\Foo\Fabrikam.aspx.cs:line 1686
     at Fabrikam.GetSummaryCounts() in C:\Foo\Fabrikam.aspx.cs:line 1468
     at Fabrikam.OnPreRender(EventArgs e) in C:\Foo\Fabrikam.aspx.cs:line 549
     at System.Web.UI.Control.PreRenderRecursiveInternal()
     at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    
     Request information:
     Request URL: https://www.foo-staging.com/Foo/Fabrikam.aspx
     Request path: /Foo/Fabrikam.aspx
     User host address: 1.2.3.4
     User: msteeber
     Is authenticated: True
     Authentication Type: 
     Thread account name: System
    
     Thread information:
     Thread ID: 19
     Thread account name: System
     Is impersonating: False
     Stack trace: at System.Collections.ArrayList.get_Item(Int32 index)
     at System.Web.UI.WebControls.DataListItemCollection.get_Item(Int32 index)
     at Fabrikam.SetTabCount(Int32 index, NullableInt32 summaryCount) in C:\Foo\Fabrikam.aspx.cs:line 1686
     at Fabrikam.GetSummaryCounts() in C:\Foo\Fabrikam.aspx.cs:line 1468
     at Fabrikam.OnPreRender(EventArgs e) in C:\Foo\Fabrikam.aspx.cs:line 549
     at System.Web.UI.Control.PreRenderRecursiveInternal()
     at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
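
The indicators in "Verify that the web server process crashed" and in the list above can be checked with one query of the Application log. The PowerShell script below is an added example, not Contrast's code. It classifies recent events into the two bug types using the sources, event ID and message fields shown in this page's samples; the 24-hour look-back window and the helper name Get-Field are assumptions.

```powershell
# Added example (not Contrast's code). -Hours is an assumed look-back window.
param([int]$Hours = 24)

$since  = (Get-Date).AddHours(-$Hours)
# Level 2 = Error, Level 3 = Warning.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; StartTime = $since; Level = 2, 3
} -ErrorAction SilentlyContinue)

# Pull "Label: value" out of an event message (hypothetical helper).
function Get-Field([string]$Text, [string]$Label) {
    if ($Text -match "$([regex]::Escape($Label)):\s*([^\r\n,]+)") { $Matches[1].Trim() }
}

$runtime = @($events | Where-Object {
    $_.Level -eq 2 -and $_.ProviderName -eq '.NET Runtime' -and $_.Message -match 'w3wp\.exe' })
$appErr  = @($events | Where-Object {
    $_.Level -eq 2 -and $_.ProviderName -eq 'Application Error' -and $_.Message -match 'w3wp\.exe' })
$aspNet  = @($events | Where-Object {
    $_.Level -eq 3 -and $_.ProviderName -like 'ASP.NET*' -and $_.Id -eq 1309 })

if ($runtime.Count -gt 0 -and $appErr.Count -gt 0) {
    "Process crash: $($runtime.Count) .NET Runtime and $($appErr.Count) Application Error entries for w3wp.exe"
    $appErr | ForEach-Object {
        '  {0:u}  module={1}  code={2}' -f $_.TimeCreated,
            (Get-Field $_.Message 'Faulting module name'),
            (Get-Field $_.Message 'Exception code')
    }
}
elseif ($aspNet.Count -gt 0) {
    "Unhandled managed exception: $($aspNet.Count) ASP.NET warnings (Event ID 1309), no crash errors"
    $aspNet | ForEach-Object {
        '  {0:u}  {1}  path={2}' -f $_.TimeCreated,
            (Get-Field $_.Message 'Exception type'),
            (Get-Field $_.Message 'Request path')
    }
}
else {
    "No crash or unhandled-exception indicators in the last $Hours hours"
}
```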
    

As the process hasn't crashed, ProcDump won't capture process dumps. Instead, you must gather the process dump manually by completing the following steps.

  • Find the Process ID of the worker process that you need.

    • IIS Manager > Worker Processes: Find the "Application Pool Name" you need, and take note of the value in the "Process Id".
  • From an administrator command prompt, replace NNNNN with the process ID from the previous step.

    C:\>procdump -ma NNNNN
    

Follow a similar process to gather agent logs, Windows events and process dumps to include with your bug report.

Other Bugs

If you encountered a bug other than a process crash or unhandled exception - maybe the .NET Tray has an inaccurate state, or the agent found a false positive - please file a bug report. Contrast doesn't usually need process dumps, but trace-level logs and a detailed description of the problem are very helpful when it's time to fix these bugs.