IBM QRadar

  • 1.  Error while testing JDBC connection

    Posted Thu June 08, 2023 02:36 AM

    Hello everyone,

    I am testing the JDBC protocol in IBM QRadar, and I see the following error in the GUI:

    Debug: Attempting connection with JDBC connection string [jdbc:oracle:thin:@<db name>] with a connection timeout of [10] seconds.

    When I check the qradar.error file, I see the following error in the file:

    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268] com.q1labs.semsources.sources.jdbc.testing.JDBCProtocolTester: [ERROR] [NOT:0000003000][<ip_address>/- -] [-/- -]java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 64
    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268] java.lang.RuntimeException: java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 64
    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268]    at oracle.security.o3logon.a.a(Unknown Source)
    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268]    at oracle.security.o3logon.b.g(Unknown Source)
    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268]    at oracle.security.o3logon.O3LoginClientHelper.getEPasswd(Unknown Source)
    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268]    at oracle.jdbc.driver.T4CTTIoauthenticate.doOAUTHWithO3Logon(T4CTTIoauthenticate.java:1682)
    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268]    at oracle.jdbc.driver.T4CTTIoauthenticate.doOAUTH(T4CTTIoauthenticate.java:1224)
    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268]    at oracle.jdbc.driver.T4CTTIoauthenticate.doOAUTH(T4CTTIoauthenticate.java:1173)
    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268]    at oracle.jdbc.driver.T4CConnection.authenticateUserForLogon(T4CConnection.java:1030)
    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268]    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:646)
    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268]    at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:1032)
    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268]    at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:90)
    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268]    at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:681)
    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268]    at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:602)
    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268]    at java.sql.DriverManager.getConnection(DriverManager.java:675)
    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268]    at java.sql.DriverManager.getConnection(DriverManager.java:258)
    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268]    at com.q1labs.semsources.sources.jdbc.testing.tests.TestJDBC.run(TestJDBC.java:114)
    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268]    at com.q1labs.semsources.sources.testing.base.ProtocolTesterExtended.runTest(ProtocolTesterExtended.java:220)
    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268]    at com.q1labs.semsources.sources.testing.base.ProtocolTesterExtended.runTests(ProtocolTesterExtended.java:236)
    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268]    at com.q1labs.semsources.sources.testing.base.ProtocolTesterExtended.start(ProtocolTesterExtended.java:81)
    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268]    at com.q1labs.semsources.sources.base.testing.ProtocolTestJob$TestThread.runTests(ProtocolTestJob.java:215)
    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268]    at com.q1labs.semsources.sources.base.testing.ProtocolTestJob$TestThread.run(ProtocolTestJob.java:194)
    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268] Caused by: java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 64
    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268]    at java.lang.System.arraycopy(Native Method)
    Jun  8 10:16:53 ::ffff:<ip_address> [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4c656c1c-dee4-420d-8c7e-72bf006d4268]    ... 20 more

    Is there anyone who knows how I can solve the issue or troubleshoot it?

    PS. Log Source Type - Oracle RDBMS Audit Record

        Protocol Type - JDBC


    ------------------------------
    Tahir Yagubov
    ------------------------------


  • 2.  RE: Error while testing JDBC connection

    Posted Thu June 08, 2023 04:07 PM

    This is likely going to need a case with logs to fully troubleshoot. One of the strange issues we see around this type of error is when there is a timezone mismatch when we attempt to poll the remote Oracle DB. 

    Things we typically check when these types of issues occur:

    1. Confirm the user has the latest JDBC protocol installed.
    2. Check that port 1521 is open and successfully polls. There are instances when the Test button can fail, but events are actually incoming due to how the call is made from QRadar, so we typically telnet on the port and also check traceroute. 
    3. Check marker files.
    4. Check JAR file paths and locations.

    As I mentioned, this is not something that is easy to diagnose without full logs. We likely will request to put this protocol into debug and watch the queries and ensure that it isn't a ciphers issue, a handshake issue, or one of the items I listed above. I know it doesn't help diagnose the problem, but we likely want to get the full logs and then confirm these issues.



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------
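
An added example, not part of the original posts and not QRadar or IBM code: a small Python triage of qradar.error lines in the layout shown in the question, grouping a stack trace by protocol-test thread and reporting the exception, its root cause and where it was thrown. The sample lines are constructed (placeholder IP and thread id, shortened trace), and the `in_driver_logon` flag is a method-name heuristic assumed for this example.

```python
import re

# Constructed sample in the qradar.error layout from the post; the IP
# (192.0.2.10) and thread id are placeholders, and the trace is shortened.
P = "Jun  8 10:16:53 ::ffff:192.0.2.10 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-0001] "
SAMPLE = "\n".join(P + m for m in [
    "com.q1labs.semsources.sources.jdbc.testing.JDBCProtocolTester: [ERROR] "
    "[NOT:0000003000][192.0.2.10/- -] [-/- -]java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 64",
    "java.lang.RuntimeException: java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 64",
    "   at oracle.security.o3logon.O3LoginClientHelper.getEPasswd(Unknown Source)",
    "   at oracle.jdbc.driver.T4CTTIoauthenticate.doOAUTHWithO3Logon(T4CTTIoauthenticate.java:1682)",
    "   at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:646)",
    "   at java.sql.DriverManager.getConnection(DriverManager.java:675)",
    "   at com.q1labs.semsources.sources.jdbc.testing.tests.TestJDBC.run(TestJDBC.java:114)",
    "Caused by: java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 64",
    "   at java.lang.System.arraycopy(Native Method)",
    "   ... 20 more",
])

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ \[[^\]]+\] \[(?P<thread>[^\]]+)\]\s*(?P<msg>.*)$")
FRAME = re.compile(r"^at ([\w.$]+)\(")
EXC = re.compile(r"^(?:Caused by: )?((?:[\w$]+\.)+[\w$]*(?:Exception|Error)): (.*)$")

def triage(text):
    """Group trace lines by thread; report exception, root cause and throw site."""
    out = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a syslog-style qradar.error line
        t = out.setdefault(m["thread"], {"exception": None, "root_cause": None, "frames": []})
        exc, frame = EXC.match(m["msg"]), FRAME.match(m["msg"])
        if exc:
            t["exception"] = t["exception"] or exc[1]  # first exception line is the wrapper
            t["root_cause"] = exc[1]                   # last "Caused by" seen wins
        elif frame:
            t["frames"].append(frame[1])
    for t in out.values():
        fr = t["frames"]
        t["throw_site"] = fr[0] if fr else None
        # Heuristic (assumption of this example): driver frames named logon/auth
        t["in_driver_logon"] = any(
            f.startswith("oracle.jdbc.driver.") and re.search(r"logon|auth", f, re.I) for f in fr)
        t["qradar_entry"] = next((f for f in fr if f.startswith("com.q1labs.")), None)
    return out

if __name__ == "__main__":
    for thread, info in triage(SAMPLE).items():
        print(thread, {k: v for k, v in info.items() if k != "frames"})
```

Run against a copy of the real file, the per-thread summary is a compact thing to attach to a support case alongside the full logs.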