QRadar fails to pull OPSEC certificate
Symptoms
  • QRadar fails to pull an OPSEC certificate.
  • The following error is logged on the QRadar side:
    needToPullCertificate is returning true because the pull cert password has changed in the database.
    Following message suppressed 1 times in 300000 milliseconds
    Opsec error. rc=-1 err=-100 General error in Certificate Authority
    Following message suppressed 1 times in 300000 milliseconds
    Failed to pull the certificate for the LEA server [LEA server IP Address].
    An error occurred when trying to configure a source connection for provider LEA Provider [LEA server IP Address]
    Exception: Code=Failed to pull the certificate for the LEA server [LEA server IP Address], Subcode=N/A, Reason=N/A
    LEA connection thread to the server [LEA server IP Address] exiting.
    There appears to be a configuration issue with the provider connection 'LEA Provider [LEA server IP Address]'.
  • tcpdump shows:
    - Handshake Protocol: Client Hello:
      Cipher Suites (2 suites):
        Cipher Suite: TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
        Cipher Suite: TLS_DH_anon_WITH_RC4_128_MD5
    - Alert (Level: Fatal, Description: Handshake Failure)
Cause
QRadar is offering old ciphers (3DES and RC4) in the Client Hello during the TLS handshake.
These ciphers are unsafe and unsupported. This is what is causing the failure.
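
The check below is an added example, not part of the original article or of either vendor's code. It parses a captured ClientHello record and reports any offered suites that use 3DES or RC4, and also anonymous key exchange, which both suites in the capture use but the Cause does not name. The `build_client_hello` helper and its sample record (version bytes, zero random) are constructed for illustration.

```python
import struct

# IANA IDs for the two suites in the capture, plus one AES suite for contrast.
SUITE_NAMES = {
    0x001B: "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}
WEAK_MARKERS = ("_anon_", "3DES", "RC4")


def client_hello_suites(record):
    """Return the cipher suite IDs offered in one TLS ClientHello record."""
    try:
        ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
        body = record[5:5 + rec_len]
        # 0x16 = handshake record, 0x01 = ClientHello message
        if ctype != 0x16 or len(body) != rec_len or body[0] != 0x01:
            raise ValueError("not a complete ClientHello record")
        pos = 4 + 2 + 32          # handshake header, client_version, random
        pos += 1 + body[pos]      # skip session_id (1-byte length prefix)
        (n,) = struct.unpack_from("!H", body, pos)
        raw = body[pos + 2:pos + 2 + n]
        if n % 2 or len(raw) != n:
            raise ValueError("truncated cipher suite list")
        return list(struct.unpack("!%dH" % (n // 2), raw))
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None


def weak_suites(record):
    """Names of offered suites that use anonymous DH, 3DES or RC4."""
    names = [SUITE_NAMES.get(s, "0x%04X" % s) for s in client_hello_suites(record)]
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def build_client_hello(suites):
    """Constructed sample input: minimal ClientHello, zero random, no extensions."""
    hello = b"\x03\x01" + bytes(32) + b"\x00"
    hello += struct.pack("!H", 2 * len(suites))
    hello += b"".join(struct.pack("!H", s) for s in suites)
    hello += b"\x01\x00"          # one compression method: null
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for name in weak_suites(build_client_hello([0x001B, 0x0018])):
        print("weak suite offered:", name)
```

Suites missing from `SUITE_NAMES` are reported by hex ID only and are not judged, so extend the table before using it on other captures.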