
SSL certificate verification changes in the EDR agents

News


Abstract

This article introduces important changes in SSL certificate verification for the EDR agents, starting with the upcoming release that will enable SSL verification for all EDR agent-server connections.

Content

Starting with the upcoming release of the EDR agents, SSL verification will be enabled for all connections from the EDR agents to the EDR Hive backend. Specifically, the agents will verify the server-side certificates presented by the EDR Hive backend. Previously, SSL verification was not enforced. The following EDR agent versions will introduce this change:

• Windows v3.12.5
• Linux v0.91.0
• macOS v1.2.0

Verification will be enabled by default on all fresh EDR agent installations, and disabled (not enabled) on updated EDR agents to avoid unforeseen disconnections.

For complete guidance on managing Certificate Verification for EDR Agents, check the Managing Certificate Verification for EDR Agents technical note.

Before you begin
- Prior to installing the agent, make sure the Certificate Authority (CA) is set up correctly on the endpoints so the agent can trust the server certificates.
- When using custom CA certificates, some actions might be required to make the certificate verification succeed. For more guidance, refer to the 'Certificate Check' and 'Certificate Installation' sections in the Managing Certificate Verification for EDR Agents technical note.
- In case of verification issues at installation time, it is possible to install the agent with certificate verification entirely disabled using a configuration option. For more information, see the 'Installation with disabled verification' section in the Managing Certificate Verification for EDR Agents technical note. Note that it is recommended to troubleshoot and resolve any potential local misconfigurations first, rather than disabling certificate verification.
- Verification can be enabled at a later stage with a separate procedure. For more information, see the 'Certificate verification enablement' section in the Managing Certificate Verification for EDR Agents technical note.


 
Expected scenarios

SSL verification occurs locally on the endpoint, which can lead to various scenarios depending on the EDR Hive backend deployment type and the local endpoint configuration. The following outlines the most common scenarios by deployment type, for clarity and simplicity.
 

SaaS

Server-side certificates are regularly kept up to date by IBM. Certificates are issued by a well-known Certificate Authority (Let's Encrypt), and in secure connections the EDR Hive backend presents a full certificate chain, including all intermediate certificates.

Excluding severe endpoint misconfigurations, the EDR agents will enforce verification at install time without issues. Updated agents can be directly configured to enforce verification; see the 'Certificate verification enablement' section in the Managing Certificate Verification for EDR Agents TN.

On-Prem legacy (non CP4S/OpenShift based)

Server-side certificates are kept up to date by IBM or fully managed by the end customer. Sometimes a certificate is issued by an internal, company-specific certificate authority. A well-known misconfiguration in the certificates presented by the EDR Hive backend to the EDR agents makes certificate verification unachievable.

On-Prem legacy environments are expected to migrate to the On-Prem CP4S deployment model, where this well-known misconfiguration does not exist. EDR agents can only connect to an On-Prem legacy environment by explicitly disabling certificate verification. This happens by default for all updated agents, with no additional configuration change. Freshly installed agents must be explicitly configured to disable verification at installation time; see the 'Installation with disabled verification' section in the Managing Certificate Verification for EDR Agents TN.

On-Prem CP4S

Server-side certificates are fully managed by the end customer. Sometimes a certificate is issued by an internal, company-specific certificate authority. The EDR Hive backend presents a full certificate chain, including all intermediate certificates, provided it is correctly configured with one.

If certificates are issued by a well-known Certificate Authority, and assuming there is no severe endpoint misconfiguration, the EDR agents will enforce verification at install time without issues. Updated agents can be directly configured to enforce verification; see the 'Certificate verification enablement' section in the Managing Certificate Verification for EDR Agents TN.

If certificates are issued by an internal, not well-known certificate authority, additional steps might be required depending on the endpoint configuration. It is recommended to perform some local checks to make sure the certificates are installed locally and can be verified. For more information, see the 'Certificate verification check' section in the Managing Certificate Verification for EDR Agents TN.
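The local verification check recommended above for internal CAs, and the chain problems mentioned for the legacy backend, as an added example that is not from this page and not IBM's agent or backend code: the script below builds a private root, intermediate and server certificate offline with the openssl CLI and runs the same path validation and hostname check a TLS client performs, in three configurations. The hostname edr-hive.example.internal, the CA names and all file paths are constructed for the demo; the "leaf only" case models one common reason a chain cannot be verified (the server omits its intermediate certificate) and is an illustration, since the page does not state which defect affects the legacy backend.

```shell
#!/bin/sh
# Added example, not from the IBM page: build a root -> intermediate -> leaf
# certificate chain offline with the openssl CLI and run the kind of local
# verification check an endpoint administrator would perform before enabling
# agent-side certificate verification. All names, CNs and paths are constructed.
set -e

WORK="$(mktemp -d)"
HOST="edr-hive.example.internal"   # constructed backend hostname

# Extension profiles: one for CA certificates, one for the server (leaf) certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$HOST" > "$WORK/leaf.ext"

# new_csr <name> <subject CN>: fresh RSA key plus certificate signing request.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# Root CA: stands in for an internal, company-specific certificate authority.
new_csr root "Example Internal Root CA"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

# A second, unrelated root: an endpoint that trusts only this one does not trust our chain.
new_csr other "Unrelated Root CA"
openssl x509 -req -in "$WORK/other.csr" -signkey "$WORK/other.key" -days 3650 \
  -extfile "$WORK/ca.ext" -out "$WORK/other.pem" 2>/dev/null

# Intermediate CA signed by the internal root.
new_csr int "Example Intermediate CA"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

# Server (leaf) certificate for the backend hostname, signed by the intermediate.
new_csr leaf "$HOST"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# verify_chain <trust-anchor-file> [<intermediates-file>]
# Path validation plus hostname check against only the given trust anchor
# (the default system stores are switched off so the result reflects just
# what the endpoint has been configured to trust). Returns 0 when openssl
# reports "leaf.pem: OK", 1 otherwise; the verdict is read from the output
# rather than the exit status so it is stable across openssl versions.
verify_chain() {
  if [ -n "${2:-}" ]; then
    out="$(openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$2" \
            -verify_hostname "$HOST" "$WORK/leaf.pem" 2>&1 || true)"
  else
    out="$(openssl verify -no-CAfile -no-CApath -CAfile "$1" \
            -verify_hostname "$HOST" "$WORK/leaf.pem" 2>&1 || true)"
  fi
  case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# 1. Backend sends leaf + intermediate and the endpoint trusts the internal root:
#    verification succeeds.
full_chain_ok()     { verify_chain "$WORK/root.pem" "$WORK/int.pem"; }

# 2. Backend sends only the leaf: the issuer cannot be located even though the
#    root is trusted ("unable to get local issuer certificate"). Fixed on the
#    server side by serving the full chain.
leaf_only_ok()      { verify_chain "$WORK/root.pem"; }

# 3. Full chain served, but the endpoint does not trust the internal root:
#    fixed on the endpoint by installing the CA before the agent is installed.
untrusted_root_ok() { verify_chain "$WORK/other.pem" "$WORK/int.pem"; }

report() { if "$1"; then echo "$1: verified"; else echo "$1: NOT verified"; fi; }
report full_chain_ok
report leaf_only_ok
report untrusted_root_ok
```

Against a live backend the same two inputs matter: the chain the server actually sends (which can be captured with `openssl s_client -showcerts`) and the trust anchor installed on the endpoint; case 2 is resolved on the server, case 3 on the endpoint, and only case 1 should be accepted before verification is enabled on an agent.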


Product Synonym

ReaQta

Document Information

Modified date:
08 April 2025

UID

ibm17214611