SUMMARY
By providing a server's IP address and its private key, you can decrypt traffic that is going to that host.
- Use SSH to log in to the Network Insights host as the root user.
- Review the location of the keys in the /opt/qradar/conf/forensics_config.xml file:

    <keybag
        keydir="/opt/ibm/forensics/decapper/keys"
        keylogs="/opt/ibm/forensics/decapper/keylogs"/>

  You will use the keydir and keylogs locations in the next steps.
- Copy one or more private keys into the keydir directory.
- In the keydir directory, modify the key_config.xml file to specify your key file and the IP addresses that it applies to.
  The key file can apply to a single IP address, a range of IP addresses, or both. For example, the key_config.xml file might look like this:

    <keys>
        <key file="/opt/ibm/forensics/decapper/keys/key_name">
            <address>10.2.3.4</address>
            <range>10.2.3.0-10.2.3.255</range>
        </key>
    </keys>
- Restart the decapper service by typing the following command:

    systemctl restart decapper

From this point on, all analysis of new recoveries or flows uses the new keys to decrypt traffic.
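Before restarting the decapper, it is worth checking that key_config.xml parses, that every referenced key file is actually present in keydir, and that the addresses and ranges cover the hosts you intend. The following added example (not QRadar's own code) does that for the layout shown above; the matching rule (a key applies when the IP equals an <address> or falls inside a <range>) and the sample configuration are assumptions.

```python
import ipaddress
import os
import xml.etree.ElementTree as ET

# Constructed sample in the key_config.xml layout the procedure describes.
SAMPLE_KEY_CONFIG = """<keys>
  <key file="/opt/ibm/forensics/decapper/keys/key_name">
    <address>10.2.3.4</address>
    <range>10.2.3.0-10.2.3.255</range>
  </key>
</keys>"""


def parse_range(text):
    """'a-b' -> (a, b) as ip_address objects; a single address becomes (a, a)."""
    parts = [p.strip() for p in text.split("-", 1)]
    low = ipaddress.ip_address(parts[0])
    high = ipaddress.ip_address(parts[-1])
    if high < low:
        raise ValueError("range end %s precedes start %s" % (high, low))
    return (low, high)


def parse_key_config(xml_text):
    """Return [(key_file_path, [(low, high), ...]), ...] from key_config.xml."""
    entries = []
    for key in ET.fromstring(xml_text).findall("key"):
        # strip() guards against stray whitespace in the file attribute,
        # which would otherwise point at a path that does not exist
        path = key.get("file", "").strip()
        elems = key.findall("address") + key.findall("range")
        entries.append((path, [parse_range(e.text) for e in elems]))
    return entries


def keys_for_ip(entries, ip):
    """Key files whose <address> or <range> covers ip (assumed matching rule)."""
    target = ipaddress.ip_address(ip)
    return [path for path, spans in entries
            if any(lo <= target <= hi for lo, hi in spans)]


def missing_key_files(entries, exists=os.path.isfile):
    """Paths referenced by key_config.xml that are not present on disk."""
    return [path for path, _ in entries if not exists(path)]


if __name__ == "__main__":
    cfg = parse_key_config(SAMPLE_KEY_CONFIG)
    print("keys for 10.2.3.4:", keys_for_ip(cfg, "10.2.3.4"))
    print("missing key files:", missing_key_files(cfg))
```

Run it against the real file with `parse_key_config(open("/opt/ibm/forensics/decapper/keys/key_config.xml").read())` on the Network Insights host; an empty result from missing_key_files and the expected paths from keys_for_ip mean the restart will pick up the keys you intended.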