Troubleshooting
Problem
Additional configuration steps are required for QRadar EDR On-Prem CP4S to enable the deployment of legacy Windows operating systems, including:
- Windows client 7.
- Windows server 2008 R2 (SP2).
- Windows server 2012 R2.
Symptom
Unable to register endpoints that are running on legacy Windows operating systems.
Cause
Endpoints running legacy Windows operating systems use outdated ciphers, which QRadar EDR On-Prem CP4S does not support by default.
Environment
On-premise QRadar EDR suite
Diagnosing The Problem
Check the registration error log file that is located in the %TEMP% folder under C:\Users\<Username>\AppData\Local\Temp, and make sure you can see the following error messages:
Response: SSL Error: WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR internal error.
Exception: Backend communication problem: SSL Error: WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR internal error.
Resolving The Problem
- Create a certificate or use your own certificate. In either case, it must be an ECC certificate configured with the prime256v1/P-256 elliptic curve:
openssl ecparam -name prime256v1 -genkey -out server-ca.key
openssl req -x509 -sha256 -new -nodes -key server-ca.key \
  -subj "/CN=*.apps.reaqta-cp4s.eo7z.p1.openshiftapps.com" \
  -addext "subjectAltName = DNS:*.apps.reaqta-cp4s.eo7z.p1.openshiftapps.com" \
  -days 3650 -out server-ca.crt
Consider the following certificate requirements that the TLS certificate must adhere to:
- Always use a TLS certificate from a trusted CA for your production systems.
- The TLS certificate must be an RSA certificate with a minimum of 2048 bits, or a P-256 ECDSA certificate no greater than 256 bits with PKCS1 encoding.
- The TLS certificate must match the QRadar EDR domain and must specify the domain in the subject alternative name (SAN) field.
- The TLS certificate and certificate authorities (CAs) must use a hash algorithm from the SHA-2 family.
- The TLS certificate must have a timespan that does not exceed 398 days.
- The TLS server certificate must contain an ExtendedKeyUsage (EKU) extension that contains the id-kp-serverAuth object identifier (OID).
More information on certificate generation: Domain name and TLS certificates
- Update the ingress certificate:
oc delete secret -n <cp4s-namespace> isc-ingress-default-secret
oc create secret generic -n <cp4s-namespace> isc-ingress-default-secret --type=kubernetes.io/tls --from-file=tls.crt=server-ca.crt --from-file=tls.key=server-ca.key
- Restart Ambassador:
oc delete pod -lname=ambassador
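The certificate requirements listed in step 1 can be checked before the ingress secret is replaced. The script below is an added example, not IBM tooling: it assumes OpenSSL 1.1.1 or later on the PATH, and the function names check_edr_cert and demo and the domain *.apps.example.test are hypothetical.

```sh
#!/bin/sh
# Added example, not IBM's tooling. Returns the number of failed checks.
# Usage: check_edr_cert <cert.pem> <dns-name-expected-in-SAN>
check_edr_cert() {
    cert=$1; domain=$2; fails=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 99

    # Step 1 asks for an ECC key on the prime256v1/P-256 curve.
    printf '%s\n' "$text" | grep -q 'ASN1 OID: prime256v1' ||
        { echo "FAIL: key is not on prime256v1"; fails=$((fails + 1)); }

    # The certificate signature must use a SHA-2 family hash.
    printf '%s\n' "$text" | grep -Eiq 'Signature Algorithm: .*sha(224|256|384|512)' ||
        { echo "FAIL: signature hash is not SHA-2"; fails=$((fails + 1)); }

    # The domain must appear as an exact dNSName entry in the SAN extension.
    printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed 's/^ *//' | grep -Fxq "DNS:$domain" ||
        { echo "FAIL: SAN does not list $domain"; fails=$((fails + 1)); }

    # -checkend exits 0 when the certificate is still valid N seconds from now,
    # so success here means more than 398 days of validity remain.
    if openssl x509 -in "$cert" -noout -checkend $((398 * 86400)) >/dev/null; then
        echo "FAIL: valid for more than 398 days"; fails=$((fails + 1))
    fi

    # EKU must include id-kp-serverAuth (openssl prints it as the text below).
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' ||
        { echo "FAIL: EKU serverAuth missing"; fails=$((fails + 1)); }

    return "$fails"
}

# Constructed input: self-signed P-256 certificate for a placeholder domain,
# valid for $1 days (default 397), checked and then deleted.
demo() {
    dir=$(mktemp -d) || return 99
    dom='*.apps.example.test'
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key.pem" &&
    openssl req -x509 -sha256 -new -nodes -key "$dir/key.pem" -subj "/CN=$dom" \
        -addext "subjectAltName = DNS:$dom" -addext "extendedKeyUsage = serverAuth" \
        -days "${1:-397}" -out "$dir/cert.pem" 2>/dev/null
    check_edr_cert "$dir/cert.pem" "$dom"; status=$?
    rm -rf "$dir"
    return "$status"
}

demo 397 && echo "constructed 397-day certificate passes all checks"
```

A certificate created with -days 3650, as in the step 1 command, is reported by the validity check, so use a shorter lifetime where the 398-day requirement applies.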
Document Location
Worldwide
Product Synonym
ReaQta
Document Information
Modified date:
31 October 2023
UID
ibm17058393