
Decrypting SSL and TLS Traffic by Using a Server's Private Key

SUMMARY By providing a server's IP address and its private key, you can decrypt traffic that is going to that host.

  1. Use SSH to log in to the Network Insights host as the root user.
  2. Review the location of the keys in the /opt/qradar/conf/forensics_config.xml file.

    You will use the keydir and keylogs locations in the next steps.

  3. Copy one or more private keys into the keydir directory.
  4. In the keydir directory, modify the key_config.xml file to specify your key file and the IP addresses that it applies to.
    The key file can apply to a single IP address, a range of IP addresses, or both. For example, the key_config.xml file might look like this:
    Example:
  5. Restart the decapper service by typing the following command:
    systemctl restart decapper
From this point on, all analysis of new recoveries or flows uses the new keys to decrypt traffic.
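The following shell script is an added example for steps 3 and 5 above; it is not part of the IBM documentation and not code from the Network Insights appliance. It stages a private key into the keydir directory with root-only permissions, refuses files that are not PEM private keys (a certificate copied by mistake, for instance), and wraps the restart of the decapper service. Because the page does not give the actual keydir path, the script takes it as a parameter; the file names and key contents used in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the IBM page): stage a PEM private key into the
# Network Insights keydir with root-only permissions and sanity-check it
# before restarting the decapper service. KEYDIR is whatever path the
# keydir entry in /opt/qradar/conf/forensics_config.xml points to; it is
# passed in as a parameter because the page does not state the path.

# Return 0 if FILE looks like a PEM-encoded private key (PKCS#8, RSA or EC
# header), 1 otherwise.
is_pem_private_key() {
    file="$1"
    [ -f "$file" ] || return 1
    grep -q -- '-----BEGIN \(RSA \|EC \)\{0,1\}PRIVATE KEY-----' "$file"
}

# Copy KEYFILE into KEYDIR with mode 0600, refusing anything that is not a
# PEM private key. Prints the destination path on success, returns 1 on
# any failure so a caller can stop before restarting the service.
stage_private_key() {
    keyfile="$1"
    keydir="$2"
    is_pem_private_key "$keyfile" || { echo "not a PEM private key: $keyfile" >&2; return 1; }
    [ -d "$keydir" ] || { echo "keydir does not exist: $keydir" >&2; return 1; }
    dest="$keydir/$(basename "$keyfile")"
    # umask 077 in a subshell so the copy is never group/world-readable,
    # even for the instant between creation and the explicit chmod.
    ( umask 077 && cp "$keyfile" "$dest" ) || return 1
    chmod 600 "$dest" || return 1
    echo "$dest"
}

# Restart decapper so the new keys are picked up (step 5 on the page).
restart_decapper() {
    systemctl restart decapper
}

# Typical use on the appliance as root (both paths are placeholders):
#   stage_private_key /root/upload/web01.key /PLACEHOLDER/keydir && restart_decapper
```

Run it as root on the Network Insights host after you have copied the key there; the `&&` means decapper is only restarted when the key was accepted and written. Keep in mind that a server private key only recovers sessions negotiated with RSA key exchange: sessions that used an ephemeral Diffie-Hellman (forward-secret) cipher suite cannot be decrypted this way, which is worth checking before treating missing decrypted content as a key configuration problem.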