IBM QRadar

Hello, can you help me with problem, i can't install or remove any extension in qradar.
[root@qradar dev]# psql -U qradar -c "select id, name, version, hub_id, file_location, content_status from content_package;"
id | name | version | hub_id | file_location | content_status
-----+---------------------------+---------+----------------------------------+-----------------------------------------------------------------+----------------
2 | App Authorization Manager | 1.0.13 | IBMQRadar:OAuthManagement | /store/cmt/exports/20181116121207.zip | 6
301 | extension.name | 7.0.4 | 8169c48dc992961acb8f963cdcf56faa | /store/cmt/exports/QRadarLogsourceManagement-UBI-7.0.4.zip | 5
101 | extension.name | 2.2.3 | 9df9eb09dbbad7bd42d738cc9748b5db | /store/cmt/exports/Pulse-2.2.3-extension-signed.zip | 3
151 | extension.name | 3.0.2 | IBM QRadar Assistant | /store/cmt/exports/QRadarAssistant-3.0.2-signed.zip | 3
1 | extension.name | 1.1.1 | IBM QRadar Assistant | /store/cmt/exports/20181116120152.zip | 6
51 | extension.name | 6.0.0 | 8169c48dc992961acb8f963cdcf56faa | /store/cmt/exports/logsourcemanagement-6.0.0.1194646.zip | 6
201 | extension.name | 2.3.0 | IBMQRadar:Tuning | /store/cmt/exports/UseCaseManagerApp-2.3.0-extension.signed.zip | 3
251 | extension.name | 7.0.4 | 8169c48dc992961acb8f963cdcf56faa | /store/cmt/exports/QRadarLogsourceManagement-UBI-7.0.4.zip | 6
(8 rows)


[root@qradar dev]# /opt/qradar/support/recon ps
&ps.StatusResult{Check:(*ps.StatusCheck)(nil), Message:"error getting response for url https://qradar.ru:9000/v1/api/workloads: Get https://qradar.ru:9000/v1/api/workloads: x509: certificate signed by unknown authority (possibly because of \"crypto/rsa: verification error\" while trying to verify candidate authority certificate \"CONMAN-CA\")", Remediation:"", Value:1}

App-ID Name Managed Host ID Workload ID Service Name Container Name Port
0 Failed to decode workloads - 0
1052 pulse.full_name 53 apps qapp-1052 - 0
1053 threatglobe.name 53 apps qapp-1053 - 0
1001 QRadar Assistant 53 apps qapp-1001 - 0
1054 QRadar Use Case Manager 53 apps qapp-1054 - 0
1051 QRadar Log Source Management 53 apps qapp-1051 - 0

Legend:

Symbols:
n - Not Applicable
- - Failure
* - Warning
+ - Success

Checks:
Service:
A - Service exists in the workload file


Remediations:

A on Service qapp-1052:

Confirm the host ID for this app is the same as the host ID for this host. If it is, do a deploy.

A on Service qapp-1053:

Confirm the host ID for this app is the same as the host ID for this host. If it is, do a deploy.

A on Service qapp-1001:

Confirm the host ID for this app is the same as the host ID for this host. If it is, do a deploy.

A on Service qapp-1054:

Confirm the host ID for this app is the same as the host ID for this host. If it is, do a deploy.

A on Service qapp-1051:

Confirm the host ID for this app is the same as the host ID for this host. If it is, do a deploy.

in web interface i have errros when remove or reinstall Log source management application:


How i can delete and install new extensions?

------------------------------
Alexander Rjutin
------------------------------

Hi Alexander

Please try this qappmanager.

/opt/qradar/support/qappmanager ​​

select option 24 for stop and 23 for start  to restart  the APP then try in UI. 
If this doesn't help, you can try to delete APP instance by selecting 30 and 14 for APP definition.


------------------------------
Brian Kwak
------------------------------

Original Message:
Sent: Wed May 18, 2022 12:45 AM
From: Alexander Rjutin
Subject: Can't install or remove Qradar extensions

Hello, can you help me with problem, i can't install or remove any extension in qradar.
[root@qradar dev]# psql -U qradar -c "select id, name, version, hub_id, file_location, content_status from content_package;"
id | name | version | hub_id | file_location | content_status
-----+---------------------------+---------+----------------------------------+-----------------------------------------------------------------+----------------
2 | App Authorization Manager | 1.0.13 | IBMQRadar:OAuthManagement | /store/cmt/exports/20181116121207.zip | 6
301 | extension.name | 7.0.4 | 8169c48dc992961acb8f963cdcf56faa | /store/cmt/exports/QRadarLogsourceManagement-UBI-7.0.4.zip | 5
101 | extension.name | 2.2.3 | 9df9eb09dbbad7bd42d738cc9748b5db | /store/cmt/exports/Pulse-2.2.3-extension-signed.zip | 3
151 | extension.name | 3.0.2 | IBM QRadar Assistant | /store/cmt/exports/QRadarAssistant-3.0.2-signed.zip | 3
1 | extension.name | 1.1.1 | IBM QRadar Assistant | /store/cmt/exports/20181116120152.zip | 6
51 | extension.name | 6.0.0 | 8169c48dc992961acb8f963cdcf56faa | /store/cmt/exports/logsourcemanagement-6.0.0.1194646.zip | 6
201 | extension.name | 2.3.0 | IBMQRadar:Tuning | /store/cmt/exports/UseCaseManagerApp-2.3.0-extension.signed.zip | 3
251 | extension.name | 7.0.4 | 8169c48dc992961acb8f963cdcf56faa | /store/cmt/exports/QRadarLogsourceManagement-UBI-7.0.4.zip | 6
(8 rows)


[root@qradar dev]# /opt/qradar/support/recon ps
&ps.StatusResult{Check:(*ps.StatusCheck)(nil), Message:"error getting response for url https://qradar.ru:9000/v1/api/workloads: Get https://qradar.ru:9000/v1/api/workloads: x509: certificate signed by unknown authority (possibly because of \"crypto/rsa: verification error\" while trying to verify candidate authority certificate \"CONMAN-CA\")", Remediation:"", Value:1}

App-ID Name Managed Host ID Workload ID Service Name Container Name Port
0 Failed to decode workloads - 0
1052 pulse.full_name 53 apps qapp-1052 - 0
1053 threatglobe.name 53 apps qapp-1053 - 0
1001 QRadar Assistant 53 apps qapp-1001 - 0
1054 QRadar Use Case Manager 53 apps qapp-1054 - 0
1051 QRadar Log Source Management 53 apps qapp-1051 - 0

Legend:

Symbols:
n - Not Applicable
- - Failure
* - Warning
+ - Success

Checks:
Service:
A - Service exists in the workload file


Remediations:

A on Service qapp-1052:

Confirm the host ID for this app is the same as the host ID for this host. If it is, do a deploy.

A on Service qapp-1053:

Confirm the host ID for this app is the same as the host ID for this host. If it is, do a deploy.

A on Service qapp-1001:

Confirm the host ID for this app is the same as the host ID for this host. If it is, do a deploy.

A on Service qapp-1054:

Confirm the host ID for this app is the same as the host ID for this host. If it is, do a deploy.

A on Service qapp-1051:

Confirm the host ID for this app is the same as the host ID for this host. If it is, do a deploy.

in web interface i have errros when remove or reinstall Log source management application:


How i can delete and install new extensions?

------------------------------
Alexander Rjutin
------------------------------

i solve problem, in this topic - https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?GroupId=2497&MessageKey=d1414e07-f4ab-4585-bddd-ef2d500f54ef&CommunityKey=f9ea5420-0984-4345-ba7a-d93b4e2d4864&ReturnUrl=%2fcommunity%2fuser%2fsecurity%2fcommunities%2fcommunity-home%2fdigestviewer%3fcommunitykey%3df9ea5420-0984-4345-ba7a-d93b4e2d4864%26tab%3ddigestviewer 

command
rm -rf /opt/qradar/ca/certs/*; /opt/qradar/ca/bin/reset-qradar-ca.sh all --reset

------------------------------
Alexander Rjutin
------------------------------

Original Message:
Sent: Thu May 19, 2022 03:02 AM
From: Brian Kwak
Subject: Can't install or remove Qradar extensions

Hi Alexander

Please try this qappmanager.

/opt/qradar/support/qappmanager ​​

select option 24 for stop and 23 for start  to restart  the APP then try in UI. 
If this doesn't help, you can try to delete APP instance by selecting 30 and 14 for APP definition.


------------------------------
Brian Kwak

Original Message:
Sent: Wed May 18, 2022 12:45 AM
From: Alexander Rjutin
Subject: Can't install or remove Qradar extensions

Hello, can you help me with problem, i can't install or remove any extension in qradar.
[root@qradar dev]# psql -U qradar -c "select id, name, version, hub_id, file_location, content_status from content_package;"
id | name | version | hub_id | file_location | content_status
-----+---------------------------+---------+----------------------------------+-----------------------------------------------------------------+----------------
2 | App Authorization Manager | 1.0.13 | IBMQRadar:OAuthManagement | /store/cmt/exports/20181116121207.zip | 6
301 | extension.name | 7.0.4 | 8169c48dc992961acb8f963cdcf56faa | /store/cmt/exports/QRadarLogsourceManagement-UBI-7.0.4.zip | 5
101 | extension.name | 2.2.3 | 9df9eb09dbbad7bd42d738cc9748b5db | /store/cmt/exports/Pulse-2.2.3-extension-signed.zip | 3
151 | extension.name | 3.0.2 | IBM QRadar Assistant | /store/cmt/exports/QRadarAssistant-3.0.2-signed.zip | 3
1 | extension.name | 1.1.1 | IBM QRadar Assistant | /store/cmt/exports/20181116120152.zip | 6
51 | extension.name | 6.0.0 | 8169c48dc992961acb8f963cdcf56faa | /store/cmt/exports/logsourcemanagement-6.0.0.1194646.zip | 6
201 | extension.name | 2.3.0 | IBMQRadar:Tuning | /store/cmt/exports/UseCaseManagerApp-2.3.0-extension.signed.zip | 3
251 | extension.name | 7.0.4 | 8169c48dc992961acb8f963cdcf56faa | /store/cmt/exports/QRadarLogsourceManagement-UBI-7.0.4.zip | 6
(8 rows)


[root@qradar dev]# /opt/qradar/support/recon ps
&ps.StatusResult{Check:(*ps.StatusCheck)(nil), Message:"error getting response for url https://qradar.ru:9000/v1/api/workloads: Get https://qradar.ru:9000/v1/api/workloads: x509: certificate signed by unknown authority (possibly because of \"crypto/rsa: verification error\" while trying to verify candidate authority certificate \"CONMAN-CA\")", Remediation:"", Value:1}

App-ID Name Managed Host ID Workload ID Service Name Container Name Port
0 Failed to decode workloads - 0
1052 pulse.full_name 53 apps qapp-1052 - 0
1053 threatglobe.name 53 apps qapp-1053 - 0
1001 QRadar Assistant 53 apps qapp-1001 - 0
1054 QRadar Use Case Manager 53 apps qapp-1054 - 0
1051 QRadar Log Source Management 53 apps qapp-1051 - 0

Legend:

Symbols:
n - Not Applicable
- - Failure
* - Warning
+ - Success

Checks:
Service:
A - Service exists in the workload file


Remediations:

A on Service qapp-1052:

Confirm the host ID for this app is the same as the host ID for this host. If it is, do a deploy.

A on Service qapp-1053:

Confirm the host ID for this app is the same as the host ID for this host. If it is, do a deploy.

A on Service qapp-1001:

Confirm the host ID for this app is the same as the host ID for this host. If it is, do a deploy.

A on Service qapp-1054:

Confirm the host ID for this app is the same as the host ID for this host. If it is, do a deploy.

A on Service qapp-1051:

Confirm the host ID for this app is the same as the host ID for this host. If it is, do a deploy.

in web interface i have errros when remove or reinstall Log source management application:


How i can delete and install new extensions?

------------------------------
Alexander Rjutin
------------------------------