QRadar XDR


Apphost unable to communicate with qradar Api

  • 1.  Apphost unable to communicate with qradar Api

    Posted Fri January 15, 2021 01:17 AM
    Hello Experts,

    Most of my heavy apps like UBA, Pulse, QDI on my AppHost are not processing new data, so I want to troubleshoot this issue using the recon utility tool.

    I SSH into my AppHost and ran the command "/opt/qradar/support/recon ps" to list my containers alongside the app ID, but I get the error message "Unable to communicate with API".

    I had installed a certificate from a public CA on my QRadar console, so I tried fixing this by copying the certificate into the /etc/pki/ca-trust/source/anchors on my Apphost, after which I ran the command to update the truststore "/opt/qradar/support/all_servers.sh update-ca-trust" from the console cli. I also restarted the docker "systemctl restart docker".

    I entered the command again, "/opt/qradar/support recon ps", but I received the same error message as mentioned.

    I tried getting the app IDs from the GUI via the API interface, but I received no output when I clicked the "try it out" button.

    Please assist, this is urgent! Most of my apps are not receiving new feed (data).

    Thank You

    ------------------------------
    benjamin Nworah
    ------------------------------


  • 2.  RE: Apphost unable to communicate with qradar Api

    Posted Fri January 15, 2021 06:13 AM
    Benjamin,
    you obviously broke SSL communication with your app host. Please follow https://www.ibm.com/support/pages/node/6221256 for troubleshooting certificates.
    Replace your certificates with QRadar-type certs first to get your API working again.
    Follow the steps to verify your custom certificate outside working hours after reinstalling it.
    Don't execute steps like this on your production systems, but set up an evaluation system based on the standard license generated during install, or better, use your IBM business partner license for testing.
    Regards
    Karl

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 3.  RE: Apphost unable to communicate with qradar Api

    Posted Fri January 15, 2021 07:29 AM
    Hello Karl,

    I have already done these steps as mentioned above, except verifying with the command below. Should I run the command below on the AppHost?

    openssl verify -CAfile /etc/pki/tls/cert.pem /etc/httpd/conf/certs/cert.cert

    Regards,


    ------------------------------
    benjamin Nworah
    ------------------------------



  • 4.  RE: Apphost unable to communicate with qradar Api

    Posted Fri January 15, 2021 09:26 AM
    Benjamin, you should verify the certificate using openssl on the console as instructed. Please check all attributes as outlined.

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 5.  RE: Apphost unable to communicate with qradar Api

    Posted Mon January 18, 2021 03:49 AM
    Edited by benlinux Mon January 18, 2021 03:53 AM
    Hello Karl,

    When I run the command "openssl verify -CAfile /etc/pki/tls/cert.pem /etc/httpd/conf/certs/cert.cert",
    I received "Unable to get the issuer certificate". It was "OK" before now.


    Thank you.


    ------------------------------
    benjamin Nworah
    ------------------------------



  • 6.  RE: Apphost unable to communicate with qradar Api

    Posted Mon January 18, 2021 05:58 AM
    Hello Karl,

    I followed the procedure by moving the certificate (in .cer format) to /etc/pki/ca-trust/source/anchors and updating the trust store:

    - cp qradar.cer /etc/pki/ca-trust/source/anchors

    - update-ca-trust

    I also ran:

    /opt/qradar/support/all_servers.sh update-ca-trust

    When I rerun "openssl verify -CAfile /etc/pki/tls/cert.pem /etc/httpd/conf/certs/cert.cert",

    I get "unable to get the issuer certificate".

    Note: I am using a commercial certificate.

    I can access the QRadar console securely.

    ------------------------------
    benjamin Nworah
    ------------------------------



  • 7.  RE: Apphost unable to communicate with qradar Api

    Posted Sun January 17, 2021 04:38 PM
    Hi Benjamin,
    additionally, you'll have to make sure that the chain of your certificate is complete and the verify result is OK.

    Regards,
    Ralph

    ------------------------------
    Ralph Belfiore
    IT Security Senior Consulting
    pro4bizz GmbH
    Karlsruhe
    +49 721 90981720
    ------------------------------



  • 8.  RE: Apphost unable to communicate with qradar Api

    Posted Mon January 18, 2021 05:09 AM
    Hello,

    When I run the command "openssl verify -CAfile /etc/pki/tls/cert.pem /etc/httpd/conf/certs/cert.cert",
    I received "Unable to get the issuer certificate". It was "OK" before now.

    We are using a commercial certificate, and we can access the QRadar console securely from our systems with this same certificate.

    Regards,


    ------------------------------
    benjamin Nworah
    ------------------------------



  • 9.  RE: Apphost unable to communicate with qradar Api

    Posted Mon January 18, 2021 06:28 AM
    Edited by Ralph Belfiore Mon January 18, 2021 08:31 AM
    Hi Benjamin,

    please make sure your certificate chain is valid and the certificate is in the matching DER format. If not, try to reformat the certificate like:
    openssl x509 -inform PEM -in yourcommcertificate.cer -outform DER -out yourcommcertificate.crt


    Regards,
    Ralph

    ------------------------------
    Ralph Belfiore
    IT Security Senior Consulting
    pro4bizz GmbH
    Karlsruhe
    +49 721 90981720
    ------------------------------



  • 10.  RE: Apphost unable to communicate with qradar Api

    Posted Mon January 18, 2021 08:59 AM
    Edited by benlinux Mon January 18, 2021 08:59 AM
    Hello Ralph,

    I am not using the DER format, so I didn't need to bother about converting it to PEM format, as stated below.

    https://www.ibm.com/support/knowledgecenter/SS42VS_7.4/com.ibm.qradar.doc/t_qradar_adm_ssl_installing.html

    Regards,

    ------------------------------
    benjamin Nworah
    ------------------------------



  • 11.  RE: Apphost unable to communicate with qradar Api

    Posted Mon January 18, 2021 10:28 AM

    This probably won't help you, but I thought I would pass it along just in case. When you put your new cert in place, did you put all the intermediate certs in place as well?

    Also, when requesting the cert, did you put in all the required fields in the request? When I replaced my QRadar-generated cert, the new cert failed and support told me you had to put in all the fields for a multi-domain cert in the request for it to work. Support has a cert request template that has all the required fields. A quick test is to check in the GUI when you connect to QRadar using your new cert and see if the cert is good or not by looking at the lock emblem. If the cert is trusted by your browser, then it might be OK.

    Also, did you do a full deploy after replacing the cert? I have found that clears up things like this sometimes, but it has to be a FULL deploy.

    Daniel Sichel, Security Engineer, CISSP #422810

    Community Medical Centers

    Compliance Office – Information Systems Security

    1540 E. Shaw, Suite 101, Fresno CA. 93710

    Phone: (559) 724-4265 ext. 24265 | Fax: 559-724-4271

    Cell: (559) 230-9444

    dsichel@communitymedical.org

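Ralph's point above that the chain must be complete, and Daniel's question about installing the intermediates, can be reproduced with a throwaway CA. This is an added example, not code from the thread or from IBM; it assumes `openssl` is on the PATH, and every subject name and the console host name are constructed for the demo.

```shell
#!/bin/sh
# Reproduces the "unable to get issuer certificate" verify failure from the
# thread with a throwaway root -> intermediate -> leaf chain, and shows what
# a complete trust bundle looks like. All names below are constructed.
set -e
WORK=$(mktemp -d)
CA_EXT="$WORK/ca.ext"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$CA_EXT"

# mkcsr NAME CN: private key + CSR for NAME with the given subject CN.
mkcsr() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# Self-signed root with explicit CA extensions (no reliance on openssl.cnf).
mkcsr root "Demo Root CA"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
  -out "$WORK/root.pem" -days 2 -extfile "$CA_EXT" >/dev/null 2>&1
# Intermediate CA signed by the root.
mkcsr inter "Demo Intermediate CA"
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -out "$WORK/inter.pem" -days 1 -extfile "$CA_EXT" >/dev/null 2>&1
# Leaf (console) certificate signed by the intermediate.
mkcsr leaf "qradar-console.example.test"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -CAcreateserial -out "$WORK/leaf.pem" -days 1 >/dev/null 2>&1
# A complete bundle carries every CA in the chain, root included.
cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/bundle.pem"

# verify_reason BUNDLE LEAF: prints the X509 verify error text, or nothing if
# the chain verifies. Always exits 0 so it can be captured under set -e.
verify_reason() {
  openssl verify -CAfile "$1" "$2" 2>&1 \
    | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
  return 0
}

# chain_ok BUNDLE LEAF: the exit status of openssl verify itself.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Walk-through: a bundle missing the intermediate, one missing the root, then
# the complete bundle. The second case is the message seen in the thread.
printf 'root only         -> %s\n' "$(verify_reason "$WORK/root.pem" "$WORK/leaf.pem")"
printf 'intermediate only -> %s\n' "$(verify_reason "$WORK/inter.pem" "$WORK/leaf.pem")"
chain_ok "$WORK/bundle.pem" "$WORK/leaf.pem" && printf 'root+intermediate -> OK\n'
# Alternative: trust only the root and pass the intermediates as untrusted chain certs.
openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" \
  >/dev/null 2>&1 && printf 'root + untrusted intermediate -> OK\n'
```

The same two-command check applies to a real console: feed the CA bundle (`/etc/pki/tls/cert.pem` in the thread) and the installed `cert.cert` to `verify_reason`, and "unable to get issuer certificate" means the chain stops at a CA that is in the bundle but whose own issuer is not.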





  • 12.  RE: Apphost unable to communicate with qradar Api

    Posted Mon January 18, 2021 10:40 AM
    Hello Daniel,

    Thank you for the input. I am surprised that via the QRadar GUI the lock emblem is present (i.e. red locked), but when I run the command
    openssl verify -CAfile /etc/pki/tls/cert.pem /etc/httpd/conf/certs/cert.cert
    I see "unable to get issuer certificate". I never knew about this error until I noticed my apps like UBA, Pulse are not processing data. I wanted to perform some troubleshooting by running /opt/qradar/bin/recon ps and I received "unable to communicate with QRadar API".

    My intention is to restart the apps, but I need to know the app ID, which I wanted to obtain using the "recon ps" command.

    I am using a third-party certificate.

    ------------------------------
    benjamin Nworah
    ------------------------------



  • 13.  RE: Apphost unable to communicate with qradar Api

    Posted Mon January 18, 2021 12:28 PM

    Benjamin,

    If I understand properly, then it sounds like your third-party certificate is broken. As I mentioned, I had this issue as well when installing a third-party certificate. The only resolution was to have them re-issue it using the request template provided by IBM support, which I believe is a custom ssl.cnf file. There are some particular requirements. You are basically using the multi-domain request instructions per the documentation. There are some additional requirements. As best I recall, you must have alternative names in a specific format and there are some capitalization requirements for certain fields. I can't find the ssl.cnf file that tech support supplied, but maybe you can get that from them and use it for your cert request.

    Dan Sichel






  • 14.  RE: Apphost unable to communicate with qradar Api

    Posted Mon January 18, 2021 12:39 PM
    Hello Daniel,

    Thank you. So you suggest I open a support ticket with IBM to issue the request template?

    Regards,

    ------------------------------
    benjamin Nworah
    ------------------------------



  • 15.  RE: Apphost unable to communicate with qradar Api

    Posted Mon January 18, 2021 03:49 PM
    Hi Benjamin,

    did you optionally consider this step from "Installing a new SSL certificate"?

    ...
    If you are installing a certificate that was not generated by QRadar or reinstalling an overwritten certificate that was not generated by QRadar, disable the CA framework from monitoring and automatically replacing the certificate. To do this, edit the /opt/qradar/ca/conf.d/httpd.json file and set the CertSkip property to true and the CertMonitorThreshold property to 0. For example:
    {
      "ServiceName": "httpd",
      "CertDir": "/etc/httpd/conf/certs",
      "CertName": "cert",
      "ServiceCommand": "/opt/qradar/bin/install-ssl-cert.sh --deploy",
      "CASkip": "true",
      "CertSkip": "true",
      "CertMonitorThreshold": 0
    }

    Regards,
    Ralph

    ------------------------------
    Ralph Belfiore
    IT Security Senior Consulting
    pro4bizz GmbH
    Karlsruhe
    +49 721 90981720
    ------------------------------



  • 16.  RE: Apphost unable to communicate with qradar Api

    Posted Tue January 19, 2021 07:11 AM
    Hello Ralph,

    I did this already, but I checked again to confirm that CertSkip is set to true; the other parameter, "CertMonitorThreshold", is missing.

    Regards,

    ------------------------------
    benjamin Nworah
    ------------------------------



  • 17.  RE: Apphost unable to communicate with qradar Api

    Posted Fri August 20, 2021 10:23 AM
    Hello Benjamin

    Could you share what the solution for your issue was?
    I'm facing the same.


    ------------------------------
    Darkhan Kanafin
    ------------------------------