IBM Security QRadar


Qradar Outage after Installing SSL Certificate

  • 1.  Qradar Outage after Installing SSL Certificate

    Posted Fri October 16, 2020 10:36 AM
    I installed a wildcard certificate and now cannot connect to the GUI.

    • Tomcat is Active and running
    • Httpd is Active and running 
    • Hostcontext is Active and running 
    • Hostservices is active (exited)
    Certificate installed OK. 

    The wildcard certificate has 3 names, but defaults to the *.xxx.xx

    Now I cannot access my GUI to get into the QRadar Console


    ------------------------------
    Innocent Mapanga
    ------------------------------


  • 2.  RE: Qradar Outage after Installing SSL Certificate

    Posted Tue October 20, 2020 11:21 AM
    Edited by Pascal Weber Tue October 20, 2020 11:27 AM
    Hello,

    Strange, if the whole script applied correctly without any warnings or errors.

    Don't know which version of QRadar you are using?
    Is this a connection issue (FQDN valid, can join 443, machine reachable)?
    Are your certificates generated from your own PKI or by a provider?
    Did you check the open ports and services on the console? Did you try a different web browser?

    The process I generally use myself:

    1. Copying old certs on a backup folder

    2. Getting the new certs 

    3. Certs coming from and validated by a public provider
      Verify my .cert or .pem to check that all my certificates are in it (example: Comodo, Gandi, RSA), and verify that all the dates are correct using this command:
      openssl crl2pkcs7 -nocrl -certfile yourcertificate.pem | openssl pkcs7 -print_certs -text -noout | egrep "Certificate:|Subject:|Issuer|Before|After" 

    4. Verify that there is no password on the .key
      To remove the passphrase (if there is one):
       openssl rsa -in key-with-passphrase.key -out key-without-passphrase.key

    5. Then using the script /opt/qradar/bin/install-ssl-cert.sh 
      Then following the automatic procedure with answers
      Reconfiguring restart of httpd with Yes
      Restarting all running services (hostcontext, tomcat)
      Updating deployment
      Event collection restart if using Wincollect
    Then checking if everything is OK.

    Otherwise, open a ticket with support, there are good quality engineers over there :)

    Hope this helps, 
    Regards,
    zoldax





  • 3.  RE: Qradar Outage after Installing SSL Certificate

    Posted Tue October 20, 2020 11:48 AM
    Edited by Innocent Mapanga Tue October 20, 2020 11:50 AM
    • Don't know which version of QRadar you are using ? - upgraded to 7.4.1
    • So I realized that the wildcard certificate I used defaults to the CN= *.xx.com (which is read as the FQDN by the system). This is however different from the actual system hostname, so I suppose it was rejecting it. So I still have a question around this: whether a wildcard certificate works for QRadar, or whether it strictly requires generation of a new certificate which has been created with the "Subject: CN" that corresponds to the Console FQDN.
    • The certificate had been generated from DigiCert
    • I used the .pem option
    QRadar Test Environment:

    I tested another certificate which is not a wildcard and I have managed on my Test Environment. The steps taken are similar to those you provided.

    ------------------------------
    Innocent Mapanga
    ------------------------------



  • 4.  RE: Qradar Outage after Installing SSL Certificate

    Posted Tue October 20, 2020 12:38 PM
    Hello,

    You are on the right way I guess, you have to match the domain XX.com :

    1) To confirm the console FQDN on cert :

    openssl x509 -in /etc/httpd/conf/certs/cert.cert -text -noout | grep -i cn | grep Subject
    Example-> Subject: O=ZOLDAX.LOCAL, CN=qradarlab.zoldax.local

    2) To confirm your console FQDN :
    /opt/qradar/bin/myver -vh
    Example->qradarlab.zoldax.local

    or 

    grep -i fqdn /opt/qradar/conf/nva.conf
    Example->CONSOLE_FQDN=qradarlab.zoldax.local

    For the hostname, I think it doesn't matter because you use *, but the FQDN domain must match the FQDN of your console if you use a wildcard :)
    So your issue is about resolving the FQDN/Subject inconsistency. I think you have to contact your certificate authority and request a new certificate which has been created with the "Subject: CN" to correspond to the Console FQDN, or change your console info with qchange (don't do it).

    Also: "If you are required to access the Console from an alternate Domain, then you can create a SAN SSL certificate.
    Multi-Domain SSL certificates are only applicable for Public Domains if you are using a public certificate authority, a Public certificate authority cannot sign a non-public Domain. For example, .local
    See the document which outlines how to Multi-Domain (SAN) SSL Certificate: Creating a multi-domain (SAN) SSL certificate signing request"
    Check : https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.4/com.ibm.qradar.doc/t_qradar_adm_multi_domain_ssl_cert.html

    Otherwise, open a ticket with support, there are good quality engineers over there :)

    Hope this helps,
    Zoldax



    ------------------------------
    @zoldax

    https://www.youracclaim.com/users/pascal-weber.029e134d/badges
    ------------------------------
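
Added example, not part of the original posts: a shell check that the subject CN or a DNS SAN on a certificate covers the console FQDN, with a wildcard standing for exactly one left-most label. The function names are made up for this example; the certificate and `myver` paths in the usage comment are the ones quoted in the thread, and the script name `check_cert_fqdn.sh` is a placeholder.

```shell
#!/usr/bin/env bash
# Added example: does any name on a certificate cover the console FQDN?

# name_covers_fqdn NAME FQDN: succeeds if NAME (exact or "*.domain") covers FQDN.
# "*" stands for exactly one left-most label: "*.example.com" covers
# "qradar.example.com" but not "example.com" or "a.b.example.com".
name_covers_fqdn() {
    local name fqdn suffix rest
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    fqdn=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    name=${name%.}                   # ignore a trailing root dot
    fqdn=${fqdn%.}
    [ -n "$name" ] && [ -n "$fqdn" ] || return 1
    case "$name" in
        \*.*)
            suffix=${name#\*.}       # domain part after "*."
            rest=${fqdn#*.}          # FQDN minus its first label
            [ "$rest" != "$fqdn" ] && [ -n "${fqdn%%.*}" ] && [ "$rest" = "$suffix" ] ;;
        *)  [ "$name" = "$fqdn" ] ;;
    esac
}

# cert_names CERT: prints the subject CN and every DNS SAN, one per line.
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | cut -d: -f2
}

# first_covering_name FQDN: reads names on stdin, prints the first one covering FQDN.
first_covering_name() {
    local n
    while IFS= read -r n; do
        if name_covers_fqdn "$n" "$1"; then printf '%s\n' "$n"; return 0; fi
    done
    return 1
}

# Usage on the console, before running install-ssl-cert.sh:
#   bash check_cert_fqdn.sh /etc/httpd/conf/certs/cert.cert "$(/opt/qradar/bin/myver -vh)"
if [ "$#" -eq 2 ]; then
    if match=$(cert_names "$1" | first_covering_name "$2"); then
        echo "OK: '$match' covers $2"
    else
        echo "MISMATCH: no CN or DNS SAN in $1 covers $2" >&2
        exit 1
    fi
fi
```

Running it against the new certificate file, rather than the installed one, shows a CN/FQDN mismatch before the web server is restarted with it.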