IBM Support

QRadar EDR: Deployment issues with legacy Windows operating systems on QRadar EDR On-Prem

Troubleshooting


Problem

Additional configuration steps are required on QRadar EDR On-Prem CP4S before the agent can be deployed to endpoints that run legacy Windows operating systems, including:
 
  • Windows 7.
  • Windows Server 2008 R2 (SP2).
  • Windows Server 2012 R2.

Symptom

Endpoints that run legacy Windows operating systems cannot register with the QRadar EDR On-Prem backend.

Cause

The Schannel TLS stack on these Windows versions does not implement the ECDHE-RSA cipher suites in AES-GCM mode. When the ingress presents an RSA server certificate, these endpoints can only offer older CBC-mode suites, which QRadar EDR On-Prem CP4S does not accept by default, so the TLS handshake fails before registration starts. The same Schannel versions do support the ECDHE-ECDSA AES-GCM suites, which is why the resolution replaces the ingress certificate with an ECDSA P-256 certificate.

Environment

On-premise QRadar EDR suite

Diagnosing The Problem

Open the registration error log file in the %TEMP% folder (which normally resolves to C:\Users\<Username>\AppData\Local\Temp) and confirm that it contains the following error messages:
Response: SSL Error: WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR internal error.
Exception: Backend communication problem: SSL Error: WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR internal error. 

Resolving The Problem

  1. Generate a certificate, or use your own; in either case it must be an ECC certificate on the prime256v1 (P-256) curve and it must cover your QRadar EDR domain (the openshiftapps.com name below is only an example). The -addext option requires OpenSSL 1.1.1 or later. The validity is limited to 398 days and the serverAuth extended key usage is set so that the certificate meets the requirements that follow:
     

    openssl ecparam -name prime256v1 -genkey -out server-ca.key
    openssl req -x509 -sha256 -new -nodes -key server-ca.key \
        -subj "/CN=*.apps.reaqta-cp4s.eo7z.p1.openshiftapps.com" \
        -addext "subjectAltName = DNS:*.apps.reaqta-cp4s.eo7z.p1.openshiftapps.com" \
        -addext "extendedKeyUsage = serverAuth" \
        -days 398 -out server-ca.crt

    Consider the following certificate requirements that the TLS certificate must adhere to:
     
    • Always use a TLS certificate from a trusted CA for your production systems.
    • The general CP4S requirement accepts either an RSA certificate with a minimum of 2048 bits or a P-256 ECDSA certificate (no greater than 256 bits, PKCS1 encoding). For this problem only the P-256 ECDSA option works: an RSA certificate does not enable the cipher suites that legacy Windows can negotiate.
    • The TLS certificate must match the QRadar EDR domain and must specify the domain in the subject alternative name (SAN) field.
    • The TLS certificate and certificate authorities (CAs) must use a hash algorithm from the SHA-2 family.
    • The TLS certificate must have a timespan that does not exceed 398 days.
    • The TLS server certificate must contain an ExtendedKeyUsage (EKU) extension that contains the id-kp-serverAuth object identifier (OID). 
     
    More information on certificate generation at: Domain name and TLS certificates
  2. Update the ingress certificate:

    oc delete secret -n <cp4s-namespace> isc-ingress-default-secret
    oc create secret generic -n <cp4s-namespace> isc-ingress-default-secret --type=kubernetes.io/tls --from-file=tls.crt=server-ca.crt --from-file=tls.key=server-ca.key
  3. Restart Ambassador so that it reloads the new secret (the pod is in the CP4S namespace):

    oc delete pod -n <cp4s-namespace> -lname=ambassador
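The three steps above, combined into one script, as an added example that is not part of the IBM page: it generates the P-256 certificate, checks it with openssl against every requirement listed in step 1 (curve, SHA-2 signature, SAN, serverAuth EKU, 398-day limit) before anything is changed on the cluster, then replaces the ingress secret and restarts Ambassador. It assumes OpenSSL 1.1.1 or later and an oc session that is logged in to the CP4S cluster; the domain, namespace and output directory are arguments, and the function names and the MAX_DAYS constant are this example's own.

```shell
#!/bin/sh
# Added example (not from the IBM page): generate, verify and install an
# ECDSA P-256 ingress certificate for QRadar EDR On-Prem CP4S.
# Assumptions: openssl >= 1.1.1 (for -addext), oc logged in to the cluster.
# The domain, namespace and directory are arguments; nothing here is a value
# taken from the page.
set -eu

MAX_DAYS=398   # lifetime limit from the certificate requirements

# gen_cert DOMAIN DIR: self-signed P-256 certificate and key in DIR.
gen_cert() {
  domain=$1; dir=$2
  mkdir -p "$dir"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/server-ca.key"
  openssl req -x509 -sha256 -new -nodes -key "$dir/server-ca.key" \
    -subj "/CN=$domain" \
    -addext "subjectAltName = DNS:$domain" \
    -addext "extendedKeyUsage = serverAuth" \
    -days "$MAX_DAYS" -out "$dir/server-ca.crt" 2>/dev/null
}

# check_cert CRT DOMAIN: return 0 if CRT meets every requirement the page
# lists, 1 (printing the first failing check) otherwise.
check_cert() {
  crt=$1; domain=$2
  txt=$(openssl x509 -in "$crt" -noout -text)
  printf '%s\n' "$txt" | grep -q 'ASN1 OID: prime256v1' \
    || { echo "FAIL: key is not ECDSA P-256"; return 1; }
  printf '%s\n' "$txt" | grep -Eq 'Signature Algorithm: ecdsa-with-SHA(256|384|512)' \
    || { echo "FAIL: signature hash is not SHA-2"; return 1; }
  printf '%s\n' "$txt" | grep -qF -- "DNS:$domain" \
    || { echo "FAIL: SAN does not contain $domain"; return 1; }
  printf '%s\n' "$txt" | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL: EKU lacks id-kp-serverAuth"; return 1; }
  # -checkend exits 0 when the certificate is still valid N seconds from now,
  # so a certificate that outlives MAX_DAYS fails here (one second of slack
  # covers a certificate issued this very second). This measures remaining
  # lifetime, which equals the full span for a freshly issued certificate.
  if openssl x509 -in "$crt" -noout -checkend $((MAX_DAYS * 86400 + 1)) >/dev/null; then
    echo "FAIL: validity exceeds $MAX_DAYS days"; return 1
  fi
  echo "OK: $crt satisfies the ingress certificate requirements"
}

# apply_cert NAMESPACE DIR: replace the ingress secret and bounce Ambassador.
apply_cert() {
  ns=$1; dir=$2
  oc delete secret -n "$ns" isc-ingress-default-secret --ignore-not-found
  oc create secret generic -n "$ns" isc-ingress-default-secret \
    --type=kubernetes.io/tls \
    --from-file=tls.crt="$dir/server-ca.crt" \
    --from-file=tls.key="$dir/server-ca.key"
  oc delete pod -n "$ns" -l name=ambassador
}

# probe_ingress HOST: force the only AES-GCM cipher family that Windows 7,
# 2008 R2 and 2012 R2 Schannel can use (ECDHE-ECDSA) and print the
# certificate the ingress serves. A handshake failure here means the legacy
# agents will still log WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR.
probe_ingress() {
  host=$1
  openssl s_client -connect "$host:443" -servername "$host" -tls1_2 \
    -cipher ECDHE-ECDSA-AES128-GCM-SHA256 </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -enddate
}

# Usage: sh edr-ingress-cert.sh '*.apps.<cluster-domain>' <cp4s-namespace> ./out
if [ "$#" -eq 3 ]; then
  gen_cert "$1" "$3"
  check_cert "$3/server-ca.crt" "$1"
  apply_cert "$2" "$3"
fi
```

After Ambassador is back, run probe_ingress against a concrete hostname under the wildcard (for example the hostname the agent registers to) from a Linux box: if the forced ECDHE-ECDSA handshake fails or the printed subject is still the old certificate, the secret was not picked up and the legacy endpoints will keep failing with the same Schannel error.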

Document Location

Worldwide


Product Synonym

ReaQta

Document Information

Modified date:
31 October 2023

UID

ibm17058393