IBM Support

QRadar: Blue Coat Cloud (WSS) ThreatPulse TLS Connections with QRadar

Troubleshooting


Problem

The Blue Coat Web Security Service REST API protocol does not work in QRadar patch levels prior to 7.2.8 Patch 7.

Symptom

Important: This issue is resolved in QRadar versions 7.2.8 Patch 7 and above. This issue does not affect QRadar 7.3.0 installations.

Cause

QRadar attempts to download a certificate from BlueCoat using TLS. QRadar installations below 7.2.8 Build 20170530170730 download the certificate by using TLS version 1. BlueCoat only accepts connections that use TLS versions 1.1 and 1.2.


Running the following command, which forces a TLS version 1 handshake:
openssl s_client -connect portal.threatpulse.com:443 -tls1

returns a message similar to this:
CONNECTED(00000003)


139809391920968:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent

Because the handshake fails, you cannot connect to BlueCoat to pull down the certificate.
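To check every protocol version rather than only TLS version 1, the same openssl test can be repeated with the -tls1_1 and -tls1_2 flags and the output classified. The script below is an added example, not part of the original IBM document; the function names and verdict labels are assumptions of this example, and the embedded sample is the failure output quoted above.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output for each TLS version flag.

# classify_handshake: read s_client output on stdin, print one verdict.
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"BEGIN CERTIFICATE"*)
            echo accepted ;;            # server presented its certificate
        *"no protocols available"*)
            echo client_unsupported ;;  # local OpenSSL has this version disabled
        *"wrong version number"*|*"alert protocol version"*)
            echo server_rejected ;;     # the failure shown in this article
        *"no peer certificate available"*)
            echo server_rejected ;;     # handshake ended before a certificate
        *)  echo unknown ;;
    esac
}

# probe_host HOST[:PORT]: try each protocol flag, print "<flag> <verdict>".
probe_host() {
    target=$1
    case "$target" in *:*) ;; *) target="$target:443" ;; esac
    for flag in -tls1 -tls1_1 -tls1_2; do
        verdict=$(openssl s_client -connect "$target" "$flag" </dev/null 2>&1 |
                  classify_handshake)
        echo "$flag $verdict"
    done
}

# Constructed sample: the failed TLS version 1 output quoted in this article.
sample_tls1_failure() {
    cat <<'EOF'
CONNECTED(00000003)
139809391920968:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
EOF
}

# Run a live probe only when a host is given on the command line.
if [ "$#" -gt 0 ]; then
    probe_host "$1"
fi
```

A client_unsupported verdict means the test machine's own OpenSSL build cannot offer that version, so the result says nothing about the server; run the probe from a host whose OpenSSL still supports the version being tested.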

Diagnosing The Problem

  1. Log in to the QRadar user interface.
  2. From the menu bar click Help > About.
  3. Note the version of QRadar installed on your deployment.

Resolving The Problem

To resolve this issue, you need to patch your QRadar deployment to version 7.2.8 Patch 7 or later.

Administrators can get the latest Fix Pack build from IBM Fix Central. For a list of QRadar release notes, see http://ibm.biz/qradarsoftware.

To find out more about installing the BlueCoat DSM, refer to the QRadar DSM guide.



Document Information

Modified date: 28 January 2021

UID: swg22007705