IBM QRadar

Dear Team,

How to View old Authorized token values attached screenshot attached

------------------------------
Khaleel Ebrahim
------------------------------

There is an authorized service table in the database that has the token, but it is encrypted. You'd have to open a case in support to have this reviewed. Optionally, you could create another token and record the value and update your apps, if required. We have a method to decrypt the token in support for the authorized service, but you need to open a case for us to handle this with you on a WebEx. I'm assuming that the token is just expired and you did not delete the user and try to re-create it. 

After you get the auth token from support, you can test it to confirm it works with curl: curl -k -X GET -H 'SEC: <Authorized Service Token>' -v 'https://YourConsoleIP/api/help/endpoints' 

------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
------------------------------

Original Message:
Sent: Thu October 05, 2023 03:36 AM
From: Khaleel Ebrahim
Subject: View old Authorized token values

Dear Team,

How to View old Authorized token values attached screenshot attached

------------------------------
Khaleel Ebrahim
------------------------------

Hi Jonathan,

Thanks for your response. I would like to use it in the wicollect. i am assuming in the qradar old version we can view authorized token am I right?

Also one more question how do i know whether the wincollect installed is managed or standalone from Qradar its self.?

------------------------------
Khaleel Ebrahim
------------------------------

Original Message:
Sent: Fri October 06, 2023 11:23 AM
From: Jonathan Pechta
Subject: View old Authorized token values

There is an authorized service table in the database that has the token, but it is encrypted. You'd have to open a case in support to have this reviewed. Optionally, you could create another token and record the value and update your apps, if required. We have a method to decrypt the token in support for the authorized service, but you need to open a case for us to handle this with you on a WebEx. I'm assuming that the token is just expired and you did not delete the user and try to re-create it. 

After you get the auth token from support, you can test it to confirm it works with curl: curl -k -X GET -H 'SEC: <Authorized Service Token>' -v 'https://YourConsoleIP/api/help/endpoints' 

------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com

Original Message:
Sent: Thu October 05, 2023 03:36 AM
From: Khaleel Ebrahim
Subject: View old Authorized token values

Dear Team,

How to View old Authorized token values attached screenshot attached

------------------------------
Khaleel Ebrahim
------------------------------

Be aware, the authorized service token for WinCollect is tuned for permissions so that it only allows functionality required for WinCollect managed agents. You could just create a new authorized service token, then use this technical note to re-encode it on the Windows host with WinCollect: https://www.ibm.com/support/pages/qradar-updating-wincollect-authentication-token 

If you want to confirm if you are in standalone mode or managed, I typically log in to the Windows host, look at the C:\Program Files\IBM\WinCollect\config\install.txt file.

- If ConfigurationServer={blank} you are in standalone mode.
- If ConfigurationServer={IPADDRESS_or_HOSTNAME} you are in managed mode.

If you are in managed, you'll need to use your authorized service token (you can create a new one with WinCollect security profile assigned), then use the installhelper.exe tool to update your agent with your new authorized service token. This would need to be done on each WinCollect agent you have deployed. 

Edit
Adding a method if you are on WinCollect 10 to easily confirm you are in stand alone mode.
1. Log in to the WinCollect 10 agent.
2. Click Log Viewer.
3. Type stand alone in the search box and select Code as the type.

Results

• If no value is returned, you are in managed mode.
• If a value is returned, you are in stand alone mode.

------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
------------------------------

Original Message:
Sent: Sun October 08, 2023 03:22 AM
From: Khaleel Ebrahim
Subject: View old Authorized token values

Hi Jonathan,

Thanks for your response. I would like to use it in the wicollect. i am assuming in the qradar old version we can view authorized token am I right?

Also one more question how do i know whether the wincollect installed is managed or standalone from Qradar its self.?

------------------------------
Khaleel Ebrahim

Original Message:
Sent: Fri October 06, 2023 11:23 AM
From: Jonathan Pechta
Subject: View old Authorized token values

There is an authorized service table in the database that has the token, but it is encrypted. You'd have to open a case in support to have this reviewed. Optionally, you could create another token and record the value and update your apps, if required. We have a method to decrypt the token in support for the authorized service, but you need to open a case for us to handle this with you on a WebEx. I'm assuming that the token is just expired and you did not delete the user and try to re-create it. 

After you get the auth token from support, you can test it to confirm it works with curl: curl -k -X GET -H 'SEC: <Authorized Service Token>' -v 'https://YourConsoleIP/api/help/endpoints' 

------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com

Original Message:
Sent: Thu October 05, 2023 03:36 AM
From: Khaleel Ebrahim
Subject: View old Authorized token values

Dear Team,

How to View old Authorized token values attached screenshot attached

------------------------------
Khaleel Ebrahim
------------------------------