IBM Support

QRadar: TLSSyslog Error 'Illegal Key Size' Due to RSA Cipher Suites

Troubleshooting


Problem

The IBM Java runtime bundled with QRadar ships with restricted JCE policy files, which limit symmetric key lengths to 128 bits because of export policy restrictions. TLS Syslog log sources that negotiate a 256-bit AES cipher suite therefore fail the handshake. Administrators who need these suites must install the Unrestricted JCE policy files, which allows connections to use TLS_RSA_WITH_AES_256_CBC_SHA and TLS_RSA_WITH_AES_256_GCM_SHA384.

Cause

The cipher suites TLS_RSA_WITH_AES_256_CBC_SHA and TLS_RSA_WITH_AES_256_GCM_SHA384 use 256-bit AES keys and therefore require the Unrestricted SDK JCE policy files. The unrestricted JCE policy files can be downloaded from IBM.com. To download these files, you must have an IBMid. If you do not have an IBMid, you can register for one from the download page.

Download link: Unrestricted SDK JCE policy files

Diagnosing The Problem

When a TLS Syslog source attempts to establish a connection to QRadar, the following error is written to /var/log/qradar.error on the appliance that receives the events:

Aug 24 10:32:04 ::ffff:x.x.x.x [ecs-ec.ecs-ec] [Thread-1009788]
java.lang.RuntimeException: Could not generate dummy secret
Aug 24 10:32:04 ::ffff:x.x.x.x [ecs-ec.ecs-ec] [Thread-1009788]
at com.ibm.jsse2.B.<init>(B.java:17)
Aug 24 10:32:04 ::ffff:x.x.x.x [ecs-ec.ecs-ec] [Thread-1009788]
Caused by:
Aug 24 10:32:04 ::ffff:x.x.x.x [ecs-ec.ecs-ec] [Thread-1009788]
java.security.InvalidKeyException: Illegal key size or default parameters
Aug 24 10:32:04 ::ffff:x.x.x.x [ecs-ec.ecs-ec] [Thread-1009788]
at javax.crypto.Cipher.a(Unknown Source)

The "Illegal key size" exception is the restricted JCE policy rejecting the 256-bit AES key that the negotiated cipher suite requires. The TLS handshake fails and no events are received from that source until the policy files are replaced.

Resolving The Problem

Before you begin

This procedure must be completed on each QRadar appliance that collects TLS Syslog events where the 256-bit cipher suites are required. Direct SSH connections to QRadar managed hosts are not allowed by the iptables rules, so the jar files must first be moved to the Console appliance and then copied from the Console to each managed host.

WARNING: This procedure requires administrators to restart the hostcontext service on the QRadar appliance. Restarting services temporarily stops event and flow data collection while the services restart and halts any scan imports that are in progress. It is recommended that administrators complete this procedure during a scheduled maintenance window.



Procedure
  1. Download the jar files from the website:
    - local_policy.jar
    - US_export_policy.jar
  2. Using WinSCP or another secure copy method, move the jar files to the QRadar Console.
  3. Copy the jar files to the QRadar managed hosts that require the RSA cipher suites.
  4. Make a backup directory before you attempt to replace existing files: mkdir /root/backup_jars
  5. Back up the existing jar files in /opt/ibm/java-x86_64/jre/lib/security with the following command:
    cp /opt/ibm/java-x86_64/jre/lib/security/*.jar /root/backup_jars
  6. Replace local_policy.jar and US_export_policy.jar in /opt/ibm/java-x86_64/jre/lib/security with the newly downloaded files.
  7. To restart services on the managed host to load the new policy files, type the following command:
    1. For QRadar 7.3.x, type: systemctl restart hostcontext
    2. For QRadar 7.2.x, type: service hostcontext restart
  8. Wait for the service to restart.
  9. Log in to the QRadar Console.
  10. Click the Log Activity tab.
  11. Verify that events are received from the TLS Syslog source.
  12. Repeat this procedure for each QRadar appliance with a TLS Syslog source that requires advanced RSA ciphers.
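Steps 4 through 7 as one script, added here as an example and not part of IBM's procedure: it refuses to start unless both policy jars are present in the staging directory, backs up the current jars, installs the new ones, confirms each installed copy is byte-identical to its source, prints MD5 sums that can be compared with the sums taken on the workstation, offers a rollback from the backup, and restarts hostcontext with the command that matches the init system. The default paths are the ones from the procedure; the positional arguments exist so the functions can be pointed at another directory. The staging directory /root/jce in the usage comment is an assumed name.

```shell
#!/bin/bash
# Added example, not part of the IBM procedure: installs the Unrestricted
# JCE policy jars on a QRadar appliance with a backup, a verify step and a
# rollback. Paths default to the ones given in the procedure.
POLICY_JARS="local_policy.jar US_export_policy.jar"
DEFAULT_SECURITY_DIR=/opt/ibm/java-x86_64/jre/lib/security
DEFAULT_BACKUP_DIR=/root/backup_jars

# policy_sums DIR: print "<jar> <md5>" for each policy jar, so the output can
# be compared with the sums taken on the workstation the files were downloaded to.
policy_sums() {
    dir="$1"
    for jar in $POLICY_JARS; do
        [ -f "$dir/$jar" ] || { echo "missing: $dir/$jar" >&2; return 1; }
        md5sum "$dir/$jar" | awk -v name="$jar" '{ print name, $1 }'
    done
}

# install_policy_jars SRC [SECURITY_DIR] [BACKUP_DIR]
# Refuses to start unless both new jars are in SRC, so the JRE is never left
# with a mixed policy set. Returns 0 only if every installed copy is
# byte-identical to its source file.
install_policy_jars() {
    src="$1"
    sec="${2:-$DEFAULT_SECURITY_DIR}"
    bak="${3:-$DEFAULT_BACKUP_DIR}"
    for jar in $POLICY_JARS; do
        [ -f "$src/$jar" ] || { echo "missing: $src/$jar" >&2; return 1; }
    done
    mkdir -p "$bak" || return 1
    cp -p "$sec"/*.jar "$bak"/ || return 1            # steps 4-5: back up every jar
    for jar in $POLICY_JARS; do
        cp -f "$src/$jar" "$sec/$jar" || return 1      # step 6: replace the policy jar
        cmp -s "$src/$jar" "$sec/$jar" || { echo "copy mismatch: $jar" >&2; return 1; }
    done
}

# restore_policy_jars [SECURITY_DIR] [BACKUP_DIR]: put the backed-up jars back.
restore_policy_jars() {
    sec="${1:-$DEFAULT_SECURITY_DIR}"
    bak="${2:-$DEFAULT_BACKUP_DIR}"
    for jar in $POLICY_JARS; do
        [ -f "$bak/$jar" ] || { echo "no backup for $jar in $bak" >&2; return 1; }
        cp -f "$bak/$jar" "$sec/$jar" || return 1
    done
}

# restart_hostcontext: step 7, choosing the command by init system
# (systemd on QRadar 7.3.x, SysV init on 7.2.x). This briefly stops event
# and flow collection, so run it inside a maintenance window.
restart_hostcontext() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart hostcontext
    else
        service hostcontext restart
    fi
}

# Usage on an appliance, as root, with the downloaded jars staged in /root/jce
# (assumed directory name):
#   install_policy_jars /root/jce && policy_sums "$DEFAULT_SECURITY_DIR" && restart_hostcontext
# If the source stops working after the restart:
#   restore_policy_jars && restart_hostcontext
```

After the restart, confirm the TLS Syslog source is delivering events on the Log Activity tab and that no new "Illegal key size" entries appear in /var/log/qradar.error, for example with grep -c 'Illegal key size' /var/log/qradar.error before and after a new connection from the sender.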

Results

If the log source still receives no data from the TLS Syslog source, administrators can disable and then re-enable the log source, which forces a new TLS handshake with the remote sender. Administrators who continue to experience issues should verify that the jar files are in place on the appliance that actually receives the events (the collecting managed host, not necessarily the Console) and compare the MD5 sums of the downloaded files on the local workstation with those on the QRadar appliance to ensure they match. If the issue persists, contact QRadar Support for assistance.


Document Information

Modified date:
05 March 2021

UID

swg22007801