IBM Support

QRadar: Unable to pull certificate for Check Point 80.30 and later: Opsec error. rc=-1 err=-100 General error in Certificate Authority

Troubleshooting


Problem

When you try to integrate a Check Point v80.30 or later device by using Opsec/LEA, QRadar cannot pull the certificate from the Check Point device and displays the error: Opsec error. rc=-1 err=-100 General error in Certificate Authority

Symptom

Look for similar messages in /var/log/qradar.error:
Sep 28 15:12:31 ::ffff:xx.xx.xx.xx [ecs-ec-ingress.ecs-ec-ingress] [Thread-975874] com.q1labs.semsources.sources.LEA.LEAProvider: [ERROR] [NOT:0070003100][xx.xx.xx.xx/- -] [-/- -]Failed to pull the certificate for the LEA server xx.xx.xx.xx.
Sep 28 15:12:31 ::ffff:xx.xx.xx.xx [ecs-ec-ingress.ecs-ec-ingress] [Thread-975874] com.q1labs.semsources.sources.LEA.LEAProvider: [ERROR] [NOT:0070003100][xx.xx.xx.xx/- -] [-/- -]An error occured when trying to configure a source connection for provider LEA Provider xx.xx.xx.xx
Sep 28 15:12:31 ::ffff:xx.xx.xx.xx [ecs-ec-ingress.ecs-ec-ingress] [Thread-975874] com.q1labs.semsources.sources.LEA.LEAConfigurationException: Code=Failed to pull the certificate for the LEA server xx.xx.xx.xx, Subcode=N/A, Reason=N/A

When you try to pull the certificate by using the manual method:
/opt/qradar/bin/opsec_pull_cert -h host -n object-name -p password
You might get an error similar to: Opsec error. rc=-1 err=-100 General error in Certificate Authority

Cause

Check Point® changed the default cipher configuration in the Jumbo Hotfix Accumulator for R80.30 (R80_30_jumbo_hf): the 3DES (Triple DES) encryption algorithm is now disabled by default for HTTPS Inspection, Mobile Access Portal, Identity Awareness Portal, ICA Portal, SmartManagement Portal, SecurePlatform WebUI and Mobile Access curl. The hotfix notes also state that disabling 3DES can cause third-party OPSEC SDK 6.0 clients to fail to connect, which is why the QRadar LEA certificate pull fails.

For further information, refer to: Check Point® Jumbo Hotfix Accumulator for R80.30

Resolving The Problem

  • Option 1: Ask the Check Point® administrator to re-enable 3DES on the Check Point host; QRadar® should then be able to pull the certificate. A restart of the ecs-ec-ingress service may be required to re-initialize the connection. Note that this re-enables a legacy cipher that Check Point disabled by default; Options 2 and 3 avoid that.
  • Option 2: Ask your Check Point administrator to export the .p12 certificate manually from expert mode on the Check Point host:
    opsec_pull_cert -h host -n object-name -p password
    Then copy the certificate to the QRadar® host that ingests the events, into the directory /opt/qradar/conf/trusted_certificates/lea.
  • Option 3: If integration by Opsec/LEA is not possible, consider using TLS Syslog instead.
    Refer to Integrating Check Point by using TLS Syslog
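The following triage helper is an added example, not code from the IBM article: it scans a qradar.error-style log for the "Failed to pull the certificate for the LEA server" message shown under Symptom, checks whether a .p12 is already in the Option 2 directory (and whether it is world-readable, since the .p12 carries the OPSEC client's private key), and prints the next step. The log and certificate directory are parameters so it runs offline against constructed input; the sample log below uses 192.0.2.10 in place of xx.xx.xx.xx, and the "any .p12 counts" rule is an assumption because the article states no file-naming convention.

```shell
#!/bin/sh
# Added triage helper (example code, not part of the IBM article): scans a
# qradar.error-style log for the LEA certificate-pull failure and checks
# whether a .p12 is already in place. Paths are parameters so it runs offline;
# on a QRadar host you would pass /var/log/qradar.error and
# /opt/qradar/conf/trusted_certificates/lea.

# Print each LEA server address named in a certificate-pull failure, once.
# Matches both the LEAProvider and the LEAConfigurationException forms
# (address followed by "." or ",").
lea_pull_failures() {
    # $1 = log file
    sed -n 's/.*Failed to pull the certificate for the LEA server \([0-9][0-9.]*[0-9]\)[.,].*/\1/p' "$1" \
        | sort -u
}

# Return 0 if at least one non-empty .p12 exists in the trusted-certificate
# directory (the article's Option 2 target). Assumption: the article gives no
# file-naming convention, so any .p12 counts.
lea_cert_present() {
    # $1 = trusted certificate directory
    for f in "$1"/*.p12; do
        [ -s "$f" ] && return 0
    done
    return 1
}

# Return 0 if any .p12 in the directory is readable by "other". The .p12
# holds the OPSEC client's private key, so world-readable is a misconfiguration.
lea_cert_world_readable() {
    # $1 = trusted certificate directory
    [ -n "$(find "$1" -maxdepth 1 -name '*.p12' -perm -004 2>/dev/null)" ]
}

# Print one next-step line per failing LEA server; return 0 if any failure
# was found, 1 if the log shows none.
lea_triage() {
    # $1 = log file, $2 = trusted certificate directory
    rc=1
    for ip in $(lea_pull_failures "$1"); do
        rc=0
        if lea_cert_present "$2"; then
            if lea_cert_world_readable "$2"; then
                echo "$ip: .p12 present in $2 but world-readable; tighten permissions (chmod 600)"
            else
                echo "$ip: .p12 present in $2; restart ecs-ec-ingress and re-check the log"
            fi
        else
            echo "$ip: no .p12 in $2; re-enable 3DES on the Check Point host (Option 1) or import an exported .p12 (Option 2)"
        fi
    done
    return $rc
}

# Constructed sample input (not real QRadar output): the article's messages
# with 192.0.2.10 in place of xx.xx.xx.xx, written to a temporary directory.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/lea"
cat > "$DEMO/qradar.error" <<'EOF'
Sep 28 15:12:31 ::ffff:192.0.2.10 [ecs-ec-ingress.ecs-ec-ingress] [Thread-975874] com.q1labs.semsources.sources.LEA.LEAProvider: [ERROR] [NOT:0070003100][192.0.2.10/- -] [-/- -]Failed to pull the certificate for the LEA server 192.0.2.10.
Sep 28 15:12:31 ::ffff:192.0.2.10 [ecs-ec-ingress.ecs-ec-ingress] [Thread-975874] com.q1labs.semsources.sources.LEA.LEAConfigurationException: Code=Failed to pull the certificate for the LEA server 192.0.2.10, Subcode=N/A, Reason=N/A
EOF
lea_triage "$DEMO/qradar.error" "$DEMO/lea"
rm -rf "$DEMO"
```

Run it as-is to see the demo output; on a QRadar host, call lea_triage with the real log and certificate directory instead of the temporary ones. The script only reads and reports; restarting ecs-ec-ingress and re-enabling 3DES remain manual steps so that a cipher change on the Check Point side is a deliberate decision.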

Document Location

Worldwide


Document Information

Modified date:
16 June 2021

UID

ibm16422847