IBM QRadar

  • 1.  DLC TLS over TCP

    Posted Wed December 16, 2020 11:27 AM
    Edited by Christian Stiefel Thu December 17, 2020 02:23 AM

    Hello together,

    for some tests with the DR App I installed a DLC. If I'm using the UDP connection, the DLC is working, and I can see logs in the console. But if I try to use the TLS connection I'm getting a javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

    I'm using version 1.5 of the DLC and QRadar 7.4.1 Fixpack 2. I configured the DLC with the help of the manual and tried a lot of different certificate signings. In the end I used a private CA with the help of easy-rsa, which gave me the best result, because now I get "Validating certificate chain succeeded". Before easy-rsa, the validation failed every time.
    As signing type I used "client" for the DLC and "serverClient" for the console.

    Below is the whole exception:

    2020-12-16 16:09:41,248 [DLC Sec Event Forward Thread] com.ibm.si.frameworks.nio.network.TLSSocketConnector: [ERROR] [NOT:0000003000][172.25.0.11/- -] [-/- -][ERROR_COULD_NOT_CONNECT:58002] Connection Error. Cannot connect console.dr.lab:32500.
    javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    	at com.ibm.jsse2.k.a(k.java:43) ~[?:8.0 build_20200611--106]
    	at com.ibm.jsse2.k.a(k.java:32) ~[?:8.0 build_20200611--106]
    	at com.ibm.jsse2.av.b(av.java:1055) ~[?:8.0 build_20200611--106]
    	at com.ibm.jsse2.av.a(av.java:197) ~[?:8.0 build_20200611--106]
    	at com.ibm.jsse2.av.d(av.java:458) ~[?:8.0 build_20200611--106]
    	at com.ibm.jsse2.j.flush(j.java:29) ~[?:8.0 build_20200611--106]
    	at com.ibm.jsse2.D.a(D.java:43) ~[?:8.0 build_20200611--106]
    	at com.ibm.jsse2.E.c(E.java:74) ~[?:8.0 build_20200611--106]
    	at com.ibm.jsse2.E.a(E.java:499) ~[?:8.0 build_20200611--106]
    	at com.ibm.jsse2.E.a(E.java:154) ~[?:8.0 build_20200611--106]
    	at com.ibm.jsse2.D.s(D.java:286) ~[?:8.0 build_20200611--106]
    	at com.ibm.jsse2.D.a(D.java:251) ~[?:8.0 build_20200611--106]
    	at com.ibm.jsse2.av.a(av.java:788) ~[?:8.0 build_20200611--106]
    	at com.ibm.jsse2.av.i(av.java:45) ~[?:8.0 build_20200611--106]
    	at com.ibm.jsse2.av.a(av.java:637) ~[?:8.0 build_20200611--106]
    	at com.ibm.jsse2.av.startHandshake(av.java:1020) ~[?:8.0 build_20200611--106]
    	at com.ibm.si.frameworks.nio.network.TLSSocketConnector.connect(TLSSocketConnector.java:253) ~[q1labs_core_frameworks.jar:?]
    	at com.ibm.si.frameworks.nio.network.TLSSocketConnector.processMessage(TLSSocketConnector.java:190) ~[q1labs_core_frameworks.jar:?]
    	at com.ibm.si.frameworks.nio.network.TLSSocketConnector.run(TLSSocketConnector.java:90) [q1labs_core_frameworks.jar:?]
    	at java.lang.Thread.run(Thread.java:822) [?:2.9 (09-01-2020)]


    Does somebody have an idea what I'm doing wrong?




    ------------------------------
    Kind regards
    Christian Stiefel
    ------------------------------



  • 2.  RE: DLC TLS over TCP

    Posted Wed December 23, 2020 01:15 PM

    Hi Christian,

    I assume that you followed the instructions in https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.dlc.doc/t_dlc_qradar_config_authentication.html.
    Did you also check whether you applied the root certificate in the /etc/pki/ca-trust/source/anchors directory? And possibly check whether the certificate you created was added to /opt/qradar/conf/trusted_certificates.

    Hope this helps.

    Best Regards,

    Ralph Belfiore



    ------------------------------
    Ralph Belfiore
    IT Security Senior Consulting
    pro4bizz GmbH
    Karlsruhe
    +49 721 90981720
    ------------------------------



  • 3.  RE: DLC TLS over TCP

    Posted Wed January 06, 2021 02:50 AM
    Hi Ralph,

    Yes, I used the instructions and also checked that the certificates are in the correct directory.

    Thank you for your help.

    Best regards,
    Christian Stiefel

    ------------------------------
    Christian Stiefel
    ------------------------------



  • 4.  RE: DLC TLS over TCP

    Posted Thu December 24, 2020 10:31 AM

    In addition to Ralph's comment, check if the certificates are a match for the intended use (we lost some time at one site with a similar error because certificates were valid but not appropriate).



    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 5.  RE: DLC TLS over TCP

    Posted Wed January 06, 2021 02:55 AM
    Hello Dusan,
    thank you for your help.
    In the end it was the problem with the intended use. I tested it again, but now I used "server" as the signing type for the console and not "serverClient". I also converted the "crt" files to plain PEM, because the crt files had extra information.

    The TLS connection is now working.

    Best regards
    Christian Stiefel

    ------------------------------
    Christian Stiefel
    ------------------------------
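
The two checks this thread converged on (does a certificate fit its intended use, and is the file a bare PEM block) can be reproduced with openssl. The script below is an added example, not part of the original posts or of the DLC documentation: it builds a constructed throwaway CA with one serverAuth and one clientAuth certificate, and the EKU values are assumed here to stand in for the easy-rsa signing types mentioned above.

```shell
#!/usr/bin/env bash
# Added example. Every name, subject and file here is constructed test data.
WORK=$(mktemp -d)

# Build a throwaway CA and one leaf certificate per extended key usage.
make_lab() (
  cd "$WORK" || exit 1
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf \
    -keyout ca.key -out ca.crt -days 2 2>/dev/null || exit 1
  for eku in serverAuth clientAuth; do
    printf 'extendedKeyUsage = %s\n' "$eku" > "$eku.ext"
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
      -subj "/CN=$eku.example.test" -keyout "$eku.key" -out "$eku.csr" \
      2>/dev/null || exit 1
    openssl x509 -req -in "$eku.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
      -extfile "$eku.ext" -days 2 -out "$eku.pem" 2>/dev/null || exit 1
    # Mimic a .crt that carries a readable dump in front of the PEM block.
    openssl x509 -in "$eku.pem" -text -out "$eku.crt" || exit 1
  done
)

# True only if the file chains to the CA and fits the purpose:
# sslserver for the listening side, sslclient for the connecting side.
fits_purpose() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose "$1" "$WORK/$2" 2>/dev/null |
    grep -q ': OK$'
}

# Rewrite a .crt as a bare PEM block and print the first line of the result.
to_plain_pem() {
  openssl x509 -in "$WORK/$1" -out "$WORK/$2" && head -n 1 "$WORK/$2"
}

make_lab || exit 1
for f in serverAuth.crt clientAuth.crt; do
  for p in sslserver sslclient; do
    fits_purpose "$p" "$f" && echo "$f fits $p" || echo "$f does NOT fit $p"
  done
done
to_plain_pem clientAuth.crt clientAuth-plain.pem
```

On a real deployment, run the same `openssl verify -purpose` check against the console and DLC certificates with the private CA as `-CAfile`; a chain that validates but fails the purpose check matches the "valid but not appropriate" case described in post 4.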