Decrypting SSL and TLS traffic by using a server's private key

By providing a server's IP address and its private key, you can decrypt traffic that is going to that host.

Procedure

  1. Use SSH to log in to the QRadar Network Insights host as the root user.
  2. Review the location of the keys in the /opt/qradar/conf/forensics_config.xml file.
    <keybag keydir="/opt/ibm/forensics/decapper/keys" keylogs="/opt/ibm/forensics/decapper/keylogs"/>

    You will use the keydir and keylogs locations in the next steps.

  3. Copy one or more private keys into the keydir directory.
  4. In the keydir directory, modify the key_config.xml file to specify your key file and the IP addresses that it applies to.
    A key file can apply to a single IP address, a range of IP addresses, or both. For example, the key_config.xml file might look like this:
    <keys>
      <key file="/opt/ibm/forensics/decapper/keys/key_name">
        <address>10.2.3.4</address>
        <range>10.2.3.0-10.2.3.255</range>
      </key>
    </keys>
  5. Restart the decapper service by typing the following command:
    systemctl restart decapper
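Before restarting decapper in step 5, it is worth checking that key_config.xml will actually do what you expect: a stray space in a file path, a missing key file, an unparseable address or a reversed range leaves the affected traffic undecrypted with nothing to tell you why. The following Python script is an added example, not part of the IBM documentation or the product; it assumes the element layout shown in step 4 (<keys>, <key file=...>, <address>, <range>) and that a <range> is two IPv4 addresses separated by a hyphen. The sample XML strings are constructed for this example, and the filesystem lookups (exists, mode_of) are injectable so the script runs offline. It also flags a key file that other users can read, because that key decrypts the traffic of every host it covers.

```python
"""Sanity-check a QRadar Network Insights key_config.xml before restarting decapper.

Added example, not IBM's code. Assumes the element layout shown in the
procedure and hyphen-separated IPv4 ranges; both sample documents are constructed.
"""
import ipaddress
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample: the shape of a usable key_config.xml.
GOOD_XML = """<keys>
  <key file="/opt/ibm/forensics/decapper/keys/key_name">
    <address>10.2.3.4</address>
    <range>10.2.3.0-10.2.3.255</range>
  </key>
</keys>
"""

# Constructed sample with defects: a stray space inside the file path,
# a reversed range, a key file that does not exist and an invalid address.
BAD_XML = """<keys>
  <key file=" /opt/ibm/forensics/decapper/keys/key_name">
    <range>10.2.3.255-10.2.3.0</range>
  </key>
  <key file="/opt/ibm/forensics/decapper/keys/missing.key">
    <address>10.2.3.999</address>
  </key>
</keys>
"""


def parse_range(text):
    """Return (low, high) for 'a.b.c.d-e.f.g.h'; raise ValueError if malformed."""
    lo_s, _, hi_s = text.partition("-")
    if not hi_s:
        raise ValueError(f"range {text!r} is not written as low-high")
    lo = ipaddress.ip_address(lo_s.strip())
    hi = ipaddress.ip_address(hi_s.strip())
    if lo.version != hi.version or hi < lo:
        raise ValueError(f"range {text!r} is not ordered low-high")
    return lo, hi


def _mode_of(path):
    """Permission bits of a file on the real filesystem."""
    return stat.S_IMODE(os.stat(path).st_mode)


def validate_key_config(xml_text, exists=os.path.exists, mode_of=_mode_of):
    """Return a list of problems; an empty list means the file looks usable.

    exists/mode_of are injectable so the check can run without the real key files.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "keys":
        problems.append(f"root element is <{root.tag}>, expected <keys>")
    for idx, key in enumerate(root.findall("key"), start=1):
        raw = key.get("file", "")
        path = raw.strip()
        label = f"key #{idx} ({path or 'no file'})"
        if raw != path:
            problems.append(f"{label}: file attribute has surrounding whitespace")
        if not path:
            problems.append(f"{label}: missing file attribute")
        elif not os.path.isabs(path):
            problems.append(f"{label}: file path is not absolute")
        elif not exists(path):
            problems.append(f"{label}: key file does not exist")
        elif mode_of(path) & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{label}: key file is group/world accessible; chmod 600 it")
        # Count the targets that parse; a key with none would never be selected.
        targets = 0
        for addr in key.findall("address"):
            try:
                ipaddress.ip_address((addr.text or "").strip())
                targets += 1
            except ValueError:
                problems.append(f"{label}: bad <address> {addr.text!r}")
        for rng in key.findall("range"):
            try:
                parse_range(rng.text or "")
                targets += 1
            except ValueError as exc:
                problems.append(f"{label}: bad <range>: {exc}")
        if targets == 0:
            problems.append(f"{label}: no valid <address> or <range>, key would never be used")
    return problems


if __name__ == "__main__":
    # Stand-alone run with fake filesystem answers so the samples work anywhere.
    for name, text in (("GOOD_XML", GOOD_XML), ("BAD_XML", BAD_XML)):
        found = validate_key_config(text, exists=lambda p: p.endswith("key_name"),
                                    mode_of=lambda p: 0o600)
        print(name, "->", found or "OK")
```

On the appliance, call validate_key_config(open("/opt/ibm/forensics/decapper/keys/key_config.xml").read()) with the default filesystem lookups and only restart decapper when it returns an empty list. Keep in mind that a server's private key only recovers sessions negotiated with RSA key exchange; sessions using ephemeral (EC)DHE key exchange, including every TLS 1.3 session, are forward secret and cannot be decrypted from the server key alone.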

Results

From this point on, all analysis of new recoveries or flows uses the new keys to decrypt traffic.