IBM Support

WinCollect: How to Enable/Disable TLS Communication Options for QRadar

Troubleshooting


Problem

WinCollect 7.2.5 enables TLSv1.2 communication from the agent. However, network scans will report QRadar vulnerabilities because the Console still listens for and accepts older TLS connections from WinCollect agents. This server-side Console procedure shows administrators how to disable the older TLS protocol options.

Cause

WinCollect 7.2.5 and later supports the TLSv1.0, TLSv1.1, and TLSv1.2 protocols, both for management communications with the Configuration Server protocol and for TLS Syslog event data. By default, the agent has these protocols enabled. WinCollect uses TLSv1.2 when new connections are negotiated to the QRadar appliance. Each time the agent connects to the Console to check for configuration updates or log source changes, the TLS handshake negotiates the highest protocol version both sides support, which is TLSv1.2.

Administrators who network scan their environments and include QRadar in the scan will receive scan reports listing QRadar vulnerabilities for the older TLS protocols. Agents and the Configuration Server protocol support the older TLSv1 protocols for backward compatibility; however, administrators can restrict the allowed protocols by using the procedure below.

Administrators who decide to disable legacy TLS protocols should review their WinCollect agents to ensure that all deployed agents are at WinCollect 7.2.5 or later, which supports TLSv1.2. This ensures that administrators do not strand older agents that can then no longer communicate with the Console, and it preserves communication for legacy installs in case an older version needs to be updated by the QRadar appliance.

NOTE: You must have root access to QRadar to be able to complete the procedure outlined in this article. If all agents in the deployment are at WinCollect 7.2.5 or later, the administrator can limit the TLS communication options in the Configuration Server protocol to prevent scan reports from displaying QRadar as vulnerable to legacy TLS attacks.

Resolving The Problem

The WinCollect 7.2.4 protocol added a new parameter, "SSLProtocols", in the WinCollectConfigServer.vm file that allows administrators to define which TLS versions are used when the agent communicates with a QRadar appliance. The parameter value in this .vm file is a space-delimited list of the TLS protocols that the Configuration Server allows. Typical values are TLSv1, TLSv1.1, and TLSv1.2.


How to enable TLS versions in the WinCollect Configuration Server Protocol

Important: Any QRadar or WinCollect upgrade (installed from the SFS bundle) overwrites this manual edit, so you must repeat the manual edit after the upgrade.
  • Procedure
    1. Using SSH, log in to the Console as the root user.
    2. Navigate to the following directory: /opt/qradar/conf/templates/configservices/pluggablesources/

       Note: Create a backup of the WinCollect configuration file before making any changes.

    3. To create a backup of the WinCollectConfigServer.vm file before you begin, type the following command: cp /opt/qradar/conf/templates/configservices/pluggablesources/WinCollectConfigServer.vm /root/WinCollectConfigServer_old.vm
    4. To edit the file, type the following command: vim WinCollectConfigServer.vm
    5. To search for the TLS protocol values, type /SSLProtocols.
    6. Update the list of allowed TLS protocols, using a space as the separator.

       For example, to support all TLS protocol options, type: <parameter type="SSLProtocols">TLSv1 TLSv1.1 TLSv1.2</parameter>

       For example, to limit communication to TLSv1.2 only, type: <parameter type="SSLProtocols">TLSv1.2</parameter>

       Important: Change only the TLS values in the .vm file. Any other change to WinCollectConfigServer.vm can cause catastrophic issues.

    7. Save the WinCollectConfigServer.vm file.
    8. Log in to the user interface.

       WARNING: Completing a 'Deploy Full Configuration' restarts services on all managed hosts in the deployment. Administrators should complete full deploys during maintenance windows, or be aware that event and flow collection is temporarily interrupted while services restart. Event and flow data might show a temporary gap in graph data while services restart during the full deploy.

    9. Click the Admin tab and select Advanced > Deploy Full Configuration.
    10. When prompted, click Continue.
    11. After the full deploy completes, WinCollect agents communicate using the updated TLS protocol values.


    Example of the information in the VM file with the TLS information added:
    <source objectId="Q1_WinCollectConfigServer" stdout="Processor1" type="Q1_WinCollectConfigServer_Type">
        <parameter type="Port">8413</parameter>
        <parameter type="SSLProtocols">TLSv1 TLSv1.1 TLSv1.2</parameter>
        <parameter type="MaxThreadNumber">50</parameter>
        <parameter type="QueueCapacity">100</parameter>
        <parameter type="Enabled">true</parameter>
        <parameter type="Name">$ECConfigBuilder.getEcId()</parameter>
    </source>
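The edit in steps 3 to 6, scripted with a timestamped backup, a check that every protocol token is one of the three values this technote lists (a typo in the .vm file is exactly the "any other change" case the Important note warns about), and a post-deploy check that the Console no longer completes a TLSv1.0 handshake on port 8413. This is an added example, not IBM's code or part of the original technote. It runs against a constructed copy of the .vm snippet above and never touches the live file unless you pass its path explicitly; the VM_FILE_DEFAULT path, the openssl s_client check and its output matching are assumptions about the deployment.

```shell
#!/bin/sh
# Added example (not IBM's code): safe SSLProtocols edit for a WinCollectConfigServer.vm
# file, plus a post-deploy handshake check. Path below is an assumption from the technote.
VM_FILE_DEFAULT=/opt/qradar/conf/templates/configservices/pluggablesources/WinCollectConfigServer.vm

# Write a constructed copy of the technote's .vm snippet to a temp file; echo its path.
make_sample_vm() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<source objectId="Q1_WinCollectConfigServer" stdout="Processor1" type="Q1_WinCollectConfigServer_Type">
    <parameter type="Port">8413</parameter>
    <parameter type="SSLProtocols">TLSv1 TLSv1.1 TLSv1.2</parameter>
    <parameter type="MaxThreadNumber">50</parameter>
    <parameter type="QueueCapacity">100</parameter>
    <parameter type="Enabled">true</parameter>
    <parameter type="Name">$ECConfigBuilder.getEcId()</parameter>
</source>
EOF
    echo "$f"
}

# Print the current space-separated SSLProtocols value from a .vm file.
get_ssl_protocols() {
    sed -n 's|.*<parameter type="SSLProtocols">\([^<]*\)</parameter>.*|\1|p' "$1"
}

# Succeed only if the list is non-empty and every token is one the technote lists.
validate_protocols() {
    [ -n "$1" ] || return 1
    for p in $1; do
        case "$p" in
            TLSv1|TLSv1.1|TLSv1.2) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Replace only the SSLProtocols value (backup first); every other line stays untouched.
# Usage: set_ssl_protocols FILE "TLSv1.2"
set_ssl_protocols() {
    file=$1; protos=$2
    validate_protocols "$protos" || { echo "refusing bad protocol list: '$protos'" >&2; return 1; }
    grep -q '<parameter type="SSLProtocols">' "$file" \
        || { echo "no SSLProtocols parameter in $file" >&2; return 1; }
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    sed 's|\(<parameter type="SSLProtocols">\)[^<]*\(</parameter>\)|\1'"$protos"'\2|' "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# After Deploy Full Configuration: does the Console still accept a TLSv1.0 handshake on 8413?
# Assumes a local openssl whose s_client supports -tls1 and prints "Protocol  : TLSv1" on success.
check_tls10_on_console() {
    out=$(openssl s_client -connect "$1:8413" -tls1 </dev/null 2>/dev/null)
    if printf '%s\n' "$out" | grep -Eq 'Protocol *: TLSv1$'; then
        echo "TLSv1.0 still ACCEPTED on $1:8413"; return 1
    fi
    echo "TLSv1.0 rejected on $1:8413"; return 0
}

# Stand-alone demo on the constructed sample only (the live file is never modified here).
sample=$(make_sample_vm)
echo "before: $(get_ssl_protocols "$sample")"
set_ssl_protocols "$sample" "TLSv1.2"
echo "after:  $(get_ssl_protocols "$sample")"
```

To apply it to a Console, source the script and run `set_ssl_protocols "$VM_FILE_DEFAULT" "TLSv1.2"` as root, then complete the Deploy Full Configuration from step 9; afterwards `check_tls10_on_console <console-host>` from a second host gives a quick confirmation before the next network scan, and the same command with `-tls1_1` or `-tls1_2` in place of `-tls1` checks the other versions.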


Document Information

Modified date:
12 February 2021

UID

swg22000057