Josephsal

Pinned topic SSL configuration

‏2016-08-02T12:39:30Z |

Dears,

We are trying to configure SSL decryption on QRIF appliance.

Is it possible to explain where the key variable should be added and what the range stands for?

regards,

Joseph.

  • jfmorin

    Re: SSL configuration

    ‏2016-08-16T14:17:07Z  

    Hi Joseph,

     

    Copy the keys into the directory that is specified in the /opt/qradar/forensics.conf file, and you will need to restart the decapper service.

    I recommend looking at "IBM Security QRadar Incident Forensics - Administration Guide" for exact information on what is supported. 

    Link here: http://www-01.ibm.com/support/docview.wss?uid=swg27048277

     

    Private keys usually get copied into the /opt/ibm/forensics/decapper/keys directory. 

    Key log files from a browser usually get copied into the /opt/ibm/forensics/decapper/keylogs/default directory.

     

    Cheers,

    Josh

  • Josephsal

    Re: SSL configuration

    ‏2016-09-22T14:22:17Z  

    Hi Josh,

     

    Please note that the /opt/qradar/forensics.conf does not exist and the XML file path to enter the address and range is not stated in the documentation, so I had to search for it manually. So the documentation is no good.

    Anyway, I managed to do this configuration and now SSL decryption for internal traffic is working fine.

     

    Otherwise we were not able to decrypt SSL traffic from public websites.

    All https public websites are encrypted with our proxy that is playing the role of man in the middle for web filtering.

     

    We tried entering the public IP address of the website in the <address> </address> field and for the key we copied the private key of the proxy. However, the decapper wasn't able to decrypt this traffic.

     

    Is it possible to get your help doing this configuration?

     

    best regards,

     

    Joseph.