Replacing the default certificate in QRadar generates invalid PEM errors

Replacing the default certificate in QRadar causes the ConfigurationServer.PEM file to change, affecting all WinCollect agents in the deployment. To fix this issue, you must replace the ConfigurationServer.PEM file on the Windows host.

About this task

WinCollect agents receive rejection messages because the incorrect certificate is passed when the agents attempt to communicate with the updated QRadar® appliance. The following error message appears in the logs:
May 17 17:06:31 ::ffff:IP ADDRESS [ecs-ec] [WinCollectConfigHandler_4] com.q1labs.sem.semsources.wincollectconfigserver.WinCollectConfigHandler: [ERROR] [NOT:0000003000] [192.0.2.0/- -] [-/- -]Agent with ip: IP ADDRESS tried to connect with an invalid PEM
The IP address of the agent that is attempting to communicate is displayed. The WinCollect agent also sends LEEF Syslog messages to inform the administrator of the communication issue due to the invalid certificate. To fix this issue, you must replace the ConfigurationServer.PEM file on the Windows host.
Note: This action must be completed by a Windows administrator or a user that has privileges to delete files from the remote Windows host.

Procedure

  1. Open a remote desktop connection to the WinCollect Agent that is unable to communicate.
  2. Click Start > Run.
  3. Type services.msc, then click OK.
  4. Stop the WinCollect service.
  5. On the Windows host, navigate to the WinCollect configuration folder.
    By default, the folder path is: C:\Program Files\IBM\WinCollect\config
  6. Delete ConfigurationServer.PEM.
  7. From the Services window, start the WinCollect service.
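
Because the certificate change affects every WinCollect agent in the deployment, the following script performs steps 4 through 7 on one host and then waits for the replacement file to appear. It is an added example, not IBM-supplied code. It assumes that the Windows service name is WinCollect and that the agent uses the default configuration folder; the timeouts are arbitrary values.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of steps 4-7 for a single Windows host.
param(
    # Assumption: the Windows service is registered under the name "WinCollect".
    [string]$ServiceName = 'WinCollect',
    # Default configuration folder from step 5 (standard "Program Files" spelling);
    # change it for a custom installation path.
    [string]$ConfigDir = 'C:\Program Files\IBM\WinCollect\config'
)

$ErrorActionPreference = 'Stop'
$pem = Join-Path $ConfigDir 'ConfigurationServer.PEM'

# Fail early if the service is not present on this host.
$svc = Get-Service -Name $ServiceName

# Step 4: stop the service and wait until it has really stopped.
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}

# Step 6: record the old file's hash for the change record, then delete it.
if (Test-Path -LiteralPath $pem) {
    $old = (Get-FileHash -LiteralPath $pem -Algorithm SHA256).Hash
    Write-Output "Removing $pem (SHA256 $old)"
    Remove-Item -LiteralPath $pem -Force
} else {
    Write-Output "$pem not found; nothing to delete"
}

# Step 7: start the service so the agent contacts the QRadar appliance again.
Start-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# Poll for the replacement file issued by the appliance (5-minute limit is arbitrary).
$deadline = (Get-Date).AddMinutes(5)
while (-not (Test-Path -LiteralPath $pem) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 10
}
if (Test-Path -LiteralPath $pem) {
    $new = (Get-FileHash -LiteralPath $pem -Algorithm SHA256).Hash
    Write-Output "New ConfigurationServer.PEM present (SHA256 $new)"
} else {
    Write-Warning 'No replacement file after 5 minutes; check the QRadar logs for this agent'
}
```

Comparing the two logged hashes confirms that the file was actually reissued rather than left in place.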

Results

After the WinCollect service restarts, the agent attempts to contact the QRadar appliance that manages the Windows host. The QRadar appliance detects the missing ConfigurationServer.PEM file and issues a replacement against the existing certificate. This process replaces the old file with a new ConfigurationServer.PEM file that includes the updated certificate.