IBM Security QRadar

  • 1.  QRadar SDK 2 Failed to establish a new connection

    Posted Mon February 01, 2021 06:20 PM
    I just installed the QRadar SDK v2.0.2. Our QRadar instance is the AWS 7.4.1 AMI upgraded to FixPack 2. I was able to successfully create a new app workspace with the qapp create command. But running the qapp deploy command gives me the following error: Failed to establish a new connection

    Here is the full output:
    ➜  qradar-test-app git:(master) ✗ qapp deploy -p test-app.zip -u {my-qradar-user} -q {my-public-ip}
    
    Please enter password for user {my-qradar-user}:
    Request to host ip-{my-private-ip}.us-west-2.compute.internal failed:
    HTTPSConnectionPool(host='ip-{my-private-ip}.us-west-2.compute.internal', port=443): Max retries exceeded with url: /api/gui_app_framework/applications (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fc43007cb50>: Failed to establish a new connection: [Errno 8] nodename nor servname provided, or not known'))

    The main thing that looks off is how it tries to connect to the private DNS for our QRadar instance, even when providing the public IP in the deploy command. I've only ever provided the SDK the public IP of our instance, so I'm not sure where it even found the private DNS. Is there a configuration setting in our QRadar instance that sets what the SDK tries to connect to? Is there any other step we may have missed?

    Here is the output from the first time I ran the command, in case I'm missing a step:
    qapp deploy -p test-app.zip -u {my-qradar-user} -q {my-public-ip}
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    No CA certificate bundle found for {my-public-ip}
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    To enable verification of server certificates, the CA certificate bundle must be downloaded from the server
    Do you wish to proceed with the CA certificate bundle download? [Y/n]: Y
    Please answer the following questions detailing how to connect to the server
    Do you use a SOCKS proxy to connect to the server? [y/N]: N
    Enter user ID for connecting to the server [root]: {my-ssh-user}
    Enter {my-public-ip} password for user {my-ssh-user}:
    Initialising transfer of CA certificate bundle from server, please wait...
    100%|##############################################################################################| 226k/226k [00:01<00:00, 193kb/s]
    Transfer complete
    CA certificate bundle for {my-public-ip} saved to /Users/{my-local-user}/.qradar_app_sdk/{my-public-ip}/ca-bundle.crt
    Please enter password for user {my-qradar-user}:
    Request to host ip-{my-private-ip}.us-west-2.compute.internal failed:
    HTTPSConnectionPool(host='ip-{my-private-ip}.us-west-2.compute.internal', port=443): Max retries exceeded with url: /api/gui_app_framework/applications (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7ffb1733dcd0>: Failed to establish a new connection: [Errno 8] nodename nor servname provided, or not known'))


    ------------------------------
    Wesley Agena
    ------------------------------


  • 2.  RE: QRadar SDK 2 Failed to establish a new connection

    Posted Thu February 04, 2021 12:09 PM
    The first qapp call to my-public-ip downloaded the certs for that server and also stored the internal hostname locally. Subsequent qapp calls to my-public-ip will use the internal hostname under the covers as part of certs validation.

    Try updating your /etc/hosts to include a mapping from my-public-ip to the internal hostname. This is documented in the SDK README under "Server Communication".

    ------------------------------
    Michael Benson
    ------------------------------



  • 3.  RE: QRadar SDK 2 Failed to establish a new connection

    Posted Thu February 04, 2021 03:14 PM
    The first qapp call to my-public-ip downloaded the certs for that server and also stored the internal hostname.

    Subsequent calls to my-public-ip use the internal hostname for the purposes of certs validation.

    Try adding an entry to your /etc/hosts to map my-public-ip to the internal hostname. This is documented in the SDK README under Server Communication.

    ------------------------------
    Michael Benson
    ------------------------------
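
Added example, not part of the thread and not SDK code: a check of whether a hosts file already maps the internal hostname to the public IP, as the replies above recommend, so the name the SDK stored for certificate validation resolves from the workstation. The IP, hostname and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file; the last entry is commented out on purpose.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# 203.0.113.10 ip-10-0-0-5.us-west-2.compute.internal
"""
PUBLIC_IP = "203.0.113.10"                                # constructed value
INTERNAL_NAME = "ip-10-0-0-5.us-west-2.compute.internal"  # constructed value


def hosts_lookup(hosts_text, hostname):
    """Return the IP on the first hosts-file line naming `hostname`, else None."""
    wanted = hostname.lower()
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, split on whitespace
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid address, skip the malformed line
        if wanted in (n.lower() for n in names):  # host names are case-insensitive
            return ip
    return None


def check_mapping(hosts_text, public_ip, internal_hostname):
    """Return (state, entry): state is 'ok', 'missing' or 'conflict';
    entry is the hosts line to add or correct, or None when state is 'ok'."""
    current = hosts_lookup(hosts_text, internal_hostname)
    entry = f"{public_ip}\t{internal_hostname}"
    if current is None:
        return "missing", entry
    if ipaddress.ip_address(current) == ipaddress.ip_address(public_ip):
        return "ok", None
    # The name resolves, but to another address (for example the private IP).
    return "conflict", entry


if __name__ == "__main__":
    state, entry = check_mapping(SAMPLE_HOSTS, PUBLIC_IP, INTERNAL_NAME)
    print(state, entry or "")
```

To check a real workstation, pass the contents of /etc/hosts as `hosts_text` along with your own public IP and the hostname shown in the qapp error.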



  • 4.  RE: QRadar SDK 2 Failed to establish a new connection

    Posted Fri February 05, 2021 02:21 PM
    Thank you Michael, must've missed this while reading through the README. Problem solved, appreciate it!

    ------------------------------
    Wesley Agena
    ------------------------------