Mohit_Verma02 Trusted Contributor.

SSPR integration with Sentinel

Hi All,

SSPR was successfully sending events to Sentinel when I configured it with port 1468 (TCP).
However, the moment I changed to 1443, it stopped, and I am seeing the below error in the logs.
Please note that I want to use Client Authentication as "Open" and Server Key pairs as Internal (default). So I am confused why it is showing the below error, as the Open configuration means no certificate validation is required at all.
Can anyone help with this?

"Tue Apr 30 14:48:54 AEST 2019|SEVERE|SyslogSSLReader-144445|esecurity.ccs.comp.evtsrcmgt.connector.syslogserver.DeviceSensorTCPListener$DeviceReader.runSensor
DeviceSensor error
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:710)
at sun.security.ssl.InputRecord.read(InputRecord.java:527)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:983)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:938)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
at sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:284)
at sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:326)
at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:178)
at java.io.InputStreamReader.read(InputStreamReader.java:184)
at java.io.BufferedReader.fill(BufferedReader.java:161)
at java.io.BufferedReader.readLine(BufferedReader.java:324)
at java.io.BufferedReader.readLine(BufferedReader.java:389)
at esecurity.ccs.comp.evtsrcmgt.connector.syslogserver.DeviceSensorTCPListener$DeviceReader.runSensor(DeviceSensorTCPListener.java:155)
at esecurity.ccs.comp.evtsrcmgt.connector.syslogserver.DeviceSensorSecureTCPListener$DeviceSecureReader.runSensor(DeviceSensorSecureTCPListener.java:91)
at esecurity.ccs.comp.evtsrcmgt.connector.syslogserver.DeviceSensorTCPListener$DeviceReader.run(DeviceSensorTCPListener.java:120)
"

Regards,
Mohit Verma
Mohit_Verma02 Trusted Contributor.

Re: SSPR integration with Sentinel

Please ignore. It worked.
Knowledge Partner

Re: SSPR integration with Sentinel



On 04/29/2019 11:14 PM, Mohit verma02 wrote:
>
> SSPR was successfully sending events to Sentinel when I configured with
> port 1468 (TCP).


Just so we're clear here, TCP 1468 is a cleartext port by default, so data
on the wire are not encrypted at all. This is important in about one second.

> However moment I changed to 1443, it has stopped and seeing below error
> in logs.


I have not set up SSPR to audit to Sentinel with TLS/SSL; is there an
option within SSPR to not only change the port (1468 to 1443) but also to
change SSPR to negotiate the TLS/SSL side? The latter change is not
implied by the former, so unless you did something (e.g. checked a
checkbox indicating TLS/SSL should be used on the client/SSPR side) the
data will still be cleartext/plaintext, as the error message states.

> Please note that I want to use Client Authentication as "Open" and
> Server Key pairs as Internal (default). So confused why it is showing


These are, as I recall, settings on the Sentinel connector side, and
that's fine probably.

> below error as the Open configuration means no certificate validation
> required at all.
> Anyone can help in this?
>
> "Tue Apr 30 14:48:54 AEST
> 2019|SEVERE|SyslogSSLReader-144445|esecurity.ccs.comp.evtsrcmgt.connector.syslogserver.DeviceSensorTCPListener$DeviceReader.runSensor
> DeviceSensor error
> javax.net.ssl.SSLException: Unrecognized SSL message, plaintext
> connection?


The text here seems to indicate you have not told the client (SSPR) to use
TLS/SSL, so it is still trying to make a connection without that, which of
course will not work.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
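The mismatch discussed in this thread, as an added example that is not part of the original posts and is not SSPR or Sentinel code: a Python sketch that classifies the first bytes a client sends as either a TLS record header or a cleartext syslog line, which is the distinction behind "Unrecognized SSL message, plaintext connection?". The function names and sample bytes are constructed for illustration, and the port roles (1468 cleartext, 1443 TLS) are taken from the thread.

```python
import re
import struct

# Syslog lines start with "<PRI>", where PRI is 0..191.
SYSLOG_PRI = re.compile(rb"^<(\d{1,3})>")
TLS_HANDSHAKE = 0x16  # TLS record content type for handshake messages


def classify_first_bytes(data: bytes) -> str:
    """Return "tls", "plaintext-syslog" or "unknown" for a client's first bytes."""
    # A TLS record header is 5 bytes: type(1) | version(2) | length(2).
    if len(data) >= 5:
        ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
        if ctype == TLS_HANDSHAKE and major == 3 and minor <= 4 and 0 < length <= 16384:
            # If a handshake byte follows, it must be ClientHello (0x01).
            if len(data) == 5 or data[5] == 0x01:
                return "tls"
    m = SYSLOG_PRI.match(data)
    if m and int(m.group(1)) <= 191:
        return "plaintext-syslog"
    return "unknown"


def diagnose(port_expects_tls: bool, data: bytes) -> str:
    """Compare what the listener expects with what the client actually sent."""
    kind = classify_first_bytes(data)
    if port_expects_tls and kind == "plaintext-syslog":
        return "mismatch: client sent cleartext syslog to a TLS listener"
    if not port_expects_tls and kind == "tls":
        return "mismatch: client started a TLS handshake on a cleartext listener"
    if kind == "unknown":
        return "unknown: first bytes are neither a TLS record nor a syslog PRI"
    return "ok"


# Constructed samples (not captured from SSPR or Sentinel).
SAMPLE_PLAINTEXT = b"<134>Apr 30 14:48:54 sspr-host SSPR: constructed sample event\n"
# Record header (handshake, record version 3.1, length 0x0200) + ClientHello type byte.
SAMPLE_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x02, 0x00, 0x01])

if __name__ == "__main__":
    cases = [("1443, cleartext client", True, SAMPLE_PLAINTEXT),
             ("1443, TLS client", True, SAMPLE_CLIENT_HELLO),
             ("1468, cleartext client", False, SAMPLE_PLAINTEXT)]
    for name, expects_tls, data in cases:
        print(f"{name}: {diagnose(expects_tls, data)}")
```

Feeding it the first bytes of a packet capture taken on the collector shows which side of the connection is misconfigured before any certificate settings are touched.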