Decrypting SSL and TLS traffic in QRadar Network Insights

To find hidden threats, it might be necessary to decrypt SSL and TLS traffic that is processed by IBM® QRadar®.

For IBM QRadar Network Insights deployments, it is recommended that you use a dedicated man-in-the-middle solution where the clear text output is fed into QRadar.

If you do not want to deploy a man-in-the-middle solution, limited decryption capabilities are available within QRadar if the required keys are available. You will experience performance degradation if you enable the decryption capability.

Decryption is supported for the following protocols:
  • SSL v3
  • TLS v1.0
  • TLS v1.1
  • TLS v1.2

The following restrictions apply:

  • Traffic cannot be decrypted if SSL or TLS compression is in use.
  • The Diffie-Hellman key exchange mechanism is not supported when encrypted traffic is decrypted through a private key, because with Diffie-Hellman the session secret is derived independently on each side rather than sent under the server's public key, so the private key alone cannot recover it. When you use a private key, other key exchange methods, such as RSA, are supported. This restriction does not apply when traffic is decrypted with information that is found in a key log, because the key log records the per-session secrets themselves.
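Both restrictions can be checked directly against the ServerHello of a captured session before any keys are loaded. The following Python is an added example, not part of the IBM documentation or the QRadar product; the cipher-suite tables are a small constructed subset of the IANA registry, and the ServerHello records are constructed inline.

```python
import struct

# Constructed subset of the IANA TLS cipher-suite registry, grouped by key
# exchange. RSA key exchange ships the pre-master secret under the server's
# public key, so the server private key can recover it; (EC)DHE derives it per
# session, so only a key log (NSS CLIENT_RANDOM lines) can.
RSA_KX = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
          0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
          0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256"}
DH_KX = {0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
         0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
         0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}
SUPPORTED = {0x0300: "SSL v3", 0x0301: "TLS v1.0",
             0x0302: "TLS v1.1", 0x0303: "TLS v1.2"}

def parse_server_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ServerHello (RFC 5246 wire layout)."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22:                     # ContentType handshake
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 2:                      # HandshakeType server_hello
        raise ValueError("not a ServerHello")
    body = hs[4:]                       # skip type(1) + length(3)
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32 + 1 + body[34]         # version, server random, session id
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    return {"version": version, "cipher": cipher, "compression": body[pos + 2]}

def decryption_path(hello: dict) -> str:
    """Map the negotiated parameters onto the restrictions listed above."""
    if hello["version"] not in SUPPORTED:
        return "unsupported protocol version"
    if hello["compression"] != 0:       # 0 = null; anything else is compression
        return "not decryptable: compression in use"
    if hello["cipher"] in RSA_KX:
        return "private key or key log"
    if hello["cipher"] in DH_KX:
        return "key log only"
    return "unknown cipher suite"

def build_server_hello(version: int, cipher: int, compression: int = 0) -> bytes:
    """Constructed ServerHello for the example (fixed random, empty session id)."""
    body = (struct.pack("!H", version) + b"\x11" * 32 + b"\x00"
            + struct.pack("!H", cipher) + bytes([compression]))
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs

if __name__ == "__main__":
    for ver, cs, comp in [(0x0303, 0x002F, 0), (0x0303, 0xC02F, 0), (0x0301, 0x002F, 1)]:
        hello = parse_server_hello(build_server_hello(ver, cs, comp))
        print(SUPPORTED[hello["version"]], hex(cs), "->", decryption_path(hello))
```

A TLS 1.3 server also writes 0x0303 in this version field and signals 1.3 only in the supported_versions extension, which this example does not parse; extend the parser before relying on it for TLS 1.3 traffic.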