IBM Support

How to disable Cipher Suites in the WinCollect Configuration Server Protocol

Troubleshooting


Problem

To meet your organization's compliance standards, you might want to disable specific Cipher Suites in WinCollect. Use the following procedure to disable any undesired Cipher Suites that are active by default.

Resolving The Problem

Note: As an administrator, you must have root access to QRadar to complete this procedure. WinCollect V7.2.9 or greater is required. If your entire QRadar deployment is at WinCollect V7.2.9 or later, you can disable undesired Cipher Suites available in the Configuration Server to prevent scan reports from displaying QRadar as vulnerable.

Procedure
  1. Using SSH, log in to the Console as the root user.
  2. Navigate to the following directory:
    /opt/qradar/conf/templates/configservices/pluggablesources/ 
    Tip: Create a backup of the WinCollect configuration file before you make any changes.
  3. To create a backup of the WinCollectConfigServer.vm file, type the following command:
    cp /opt/qradar/conf/templates/configservices/pluggablesources/WinCollectConfigServer.vm /root/WinCollectConfigServer_old.vm
  4. To edit this file, type the following command:
    vim WinCollectConfigServer.vm
  5. To search for the Disabled Cipher Suite values, type the following command:
    /DisabledCipherSuites
  6. Add the unwanted Cipher Suites to the list, using a space as the separator.
    Note: Cipher Suite names must follow Java Cipher Suite naming conventions. For example, to disable RSA_WITH_AES_128_GCM_SHA256 for both SSL and TLS protocols, type:
    <parameter type="DisabledCipherSuites">SSL_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256</parameter>
    Important: Administrators must only change the Cipher Suite values in the .vm file. Any other changes made to WinCollectConfigServer.vm can cause unrecoverable errors.
  7. Save the WinCollectConfigServer.vm file.
  8. Log in to QRadar.
    WARNING: Completing a Deploy Full Configuration restarts services on all managed hosts in the deployment. You should complete full deploys during maintenance windows or be aware that event and flow collection is temporarily interrupted while services are restarting. Event and flow data might show a temporary gap in graph data while services restart.
  9. Click the Admin tab and select Advanced > Deploy Full Configuration.
  10. When prompted, click Continue.
    After the full deployment is complete, the Cipher Suites that you listed should be disabled for WinCollect.
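
The following pre-deploy check is an added example, not part of the IBM procedure and not IBM code. It compares the edited template with the backup from step 3, confirms that only the DisabledCipherSuites line changed, and checks that each entry is space separated and shaped like a Java Cipher Suite name. The function names, return codes and sample files are assumptions of this example, and the name check is syntactic only.

```shell
#!/bin/sh
# Added example, not IBM code. Return codes are this example's own convention:
#   0 ok                       1 a line other than DisabledCipherSuites changed
#   2 parameter not found      3 an entry is not shaped like a Java suite name
check_vm_edit() {
    backup=$1 edited=$2
    # diff marks changed lines with "<" (old) or ">" (new); drop the cipher line.
    stray=$(diff "$backup" "$edited" | grep '^[<>]' |
            grep -v 'type="DisabledCipherSuites"' || true)
    if [ -n "$stray" ]; then
        printf 'changed outside DisabledCipherSuites:\n%s\n' "$stray" >&2
        return 1
    fi
    grep -q '<parameter type="DisabledCipherSuites">' "$edited" || return 2
    value=$(sed -n 's/.*type="DisabledCipherSuites">\(.*\)<\/parameter>.*/\1/p' "$edited")
    # Syntactic check only: SSL_ or TLS_ prefix, then upper-case letters, digits
    # and "_". A comma-separated list fails here because "," is not allowed.
    bad=$(printf '%s\n' "$value" | tr -s ' \t' '\n\n' |
          grep -Ev '^((SSL|TLS)_[A-Z0-9]+(_[A-Z0-9]+)*)?$' || true)
    if [ -n "$bad" ]; then
        printf 'malformed entries:\n%s\n' "$bad" >&2
        return 3
    fi
    return 0
}

# Constructed sample files; the real template holds much more than two lines.
write_samples() {
    dir=$1 p='<parameter type="DisabledCipherSuites">'
    a=SSL_RSA_WITH_AES_128_GCM_SHA256 b=TLS_RSA_WITH_AES_128_GCM_SHA256
    fmt='<other-line value="%s"/>\n%s%s</parameter>\n'
    printf "$fmt" x "$p" "$a"    > "$dir/old.vm"    # stand-in for the backup
    printf "$fmt" x "$p" "$a $b" > "$dir/good.vm"   # space separated
    printf "$fmt" x "$p" "$a,$b" > "$dir/comma.vm"  # wrong separator
    printf "$fmt" y "$p" "$a $b" > "$dir/stray.vm"  # unrelated line edited
}

# Demo run over the constructed samples.
tmp=$(mktemp -d); write_samples "$tmp"
for f in good comma stray; do
    rc=0; check_vm_edit "$tmp/old.vm" "$tmp/$f.vm" 2>/dev/null || rc=$?
    echo "$f.vm -> $rc"
done
rm -rf "$tmp"
```

On the Console, call `check_vm_edit /root/WinCollectConfigServer_old.vm /opt/qradar/conf/templates/configservices/pluggablesources/WinCollectConfigServer.vm` after step 7 and before the deploy in step 9.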

Document Location

Worldwide


Document Information

Modified date:
08 May 2019

UID

ibm10872308