Troubleshooting
Problem
If a file called consolecert.pem is present in the plug-in's app container and this file is different from the SSL certificate of the QRadar console, the plug-in is not able to communicate securely with the QRadar console.
Symptom
An error is returned when you configure the plug-in, which prevents the configuration from being saved.
Cause
This error can occur when the QRadar console's SSL certificate changes. Changing the certificate does not update consolecert.pem, which the app uses to verify its connection to the console. Because the two no longer match, an SSL error is returned and the app cannot communicate with the console.
Environment
Seen in plug-in versions 3.5.2 and earlier.
Diagnosing The Problem
Get access to the plug-in's logs by following the document MustGather: How to retrieve logs and enable debug logging on IBM Security SOAR for IBM QRadar Integration App
Once you have the logs, look at the app.log.
This error is seen when clicking the "Save" button in the plug-in's configuration screen.
2022-04-18 10:50:26,113 [abstract_qpylib.log] [Thread-17673] [INFO] - 127.0.0.1 [APP_ID/1234][NOT:0000006000] admin_screen
2022-04-18 10:50:26,135 [qradar_api_client._rest] [Thread-17673] [ERROR] - Traceback (most recent call last):
File "/app/apis/qradar_api_client.py", line 164, in _rest
response = self._perform_request(full_url, method, headers, data, json_data)
File "/app/apis/qradar_api_client.py", line 186, in _perform_request
return qpylib.strategy().REST(method, full_url, headers=headers, data=data, json_inst=json_data)
File "/app/qpylib/live_qpylib.py", line 135, in REST
timeout=timeout, verify=verify)
File "/app/qpylib/abstract_qpylib.py", line 55, in RESTget
data=data, json=json_inst, timeout=timeout)
File "/root/.local/lib/python2.7/site-packages/requests/api.py", line 70, in get
return request('get', url, params=params, **kwargs)
File "/root/.local/lib/python2.7/site-packages/requests/api.py", line 56, in request
return session.request(method=method, url=url, **kwargs)
File "/root/.local/lib/python2.7/site-packages/requests/sessions.py", line 488, in request
resp = self.send(prep, **send_kwargs)
File "/root/.local/lib/python2.7/site-packages/requests/sessions.py", line 609, in send
r = adapter.send(request, **kwargs)
File "/root/.local/lib/python2.7/site-packages/requests/adapters.py", line 497, in send
raise SSLError(e, request=request)
SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
This error is seen when you attempt to manually escalate an offense.
2022-04-18 12:48:35,829 [abstract_qpylib.log] [Thread-17929] [INFO] - 127.0.0.1 [APP_ID/1234][NOT:0000006000] Querying for offense: 12345
2022-04-18 12:48:35,846 [qradar_api_client._rest] [Thread-17929] [ERROR] - Traceback (most recent call last):
File "/app/apis/qradar_api_client.py", line 164, in _rest
response = self._perform_request(full_url, method, headers, data, json_data)
File "/app/apis/qradar_api_client.py", line 186, in _perform_request
return qpylib.strategy().REST(method, full_url, headers=headers, data=data, json_inst=json_data)
File "/app/qpylib/live_qpylib.py", line 135, in REST
timeout=timeout, verify=verify)
File "/app/qpylib/abstract_qpylib.py", line 55, in RESTget
data=data, json=json_inst, timeout=timeout)
File "/root/.local/lib/python2.7/site-packages/requests/api.py", line 70, in get
return request('get', url, params=params, **kwargs)
File "/root/.local/lib/python2.7/site-packages/requests/api.py", line 56, in request
return session.request(method=method, url=url, **kwargs)
File "/root/.local/lib/python2.7/site-packages/requests/sessions.py", line 488, in request
resp = self.send(prep, **send_kwargs)
File "/root/.local/lib/python2.7/site-packages/requests/sessions.py", line 609, in send
r = adapter.send(request, **kwargs)
File "/root/.local/lib/python2.7/site-packages/requests/adapters.py", line 497, in send
raise SSLError(e, request=request)
SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
2022-04-18 12:48:35,847 [qradar_api_client.get_offense] [Thread-17929] [WARNING] - Could not retrieve offense 12345
Both API calls use qradar_api_client._rest, which is a connection to the QRadar console, not to QRadar SOAR.
Check whether consolecert.pem is present. To do so, you must find the application ID, which you can obtain in a number of ways:
- From the app.log -> [APP_ID/1234]
- From opening the plug-in configuration page in the QRadar console's Admin tab and looking at the URL -> https://<QRadar server IP/FQDN>/console/plugins/***/app_proxy/admin_screen
- QRadar: About the qappmanager support utility
- How to check if a QRadar Application (App) is running
- QRadar: Starting and stopping an application from the API
On the console or App Host, wherever the plug-in is installed, run ls -alrt /store/docker/volumes/<qapp-****>/, replacing <qapp-****> with the app ID you found, such as qapp-1234.
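The diagnosis steps above can be scripted. This added example (not IBM's or the plug-in's own code) scans app.log text for the "certificate verify failed" traceback logged by qradar_api_client._rest, pairs it with the last INFO action on the same thread, and derives the consolecert.pem path to check; the function name, the returned field names and the shortened sample log are assumptions made for illustration.

```python
import os
import re

# Constructed sample: the two app.log records shown above, tracebacks shortened.
SAMPLE_LOG = """\
2022-04-18 10:50:26,113 [abstract_qpylib.log] [Thread-17673] [INFO] - 127.0.0.1 [APP_ID/1234][NOT:0000006000] admin_screen
2022-04-18 10:50:26,135 [qradar_api_client._rest] [Thread-17673] [ERROR] - Traceback (most recent call last):
File "/app/apis/qradar_api_client.py", line 164, in _rest
SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
2022-04-18 12:48:35,829 [abstract_qpylib.log] [Thread-17929] [INFO] - 127.0.0.1 [APP_ID/1234][NOT:0000006000] Querying for offense: 12345
2022-04-18 12:48:35,846 [qradar_api_client._rest] [Thread-17929] [ERROR] - Traceback (most recent call last):
SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
2022-04-18 12:48:35,847 [qradar_api_client.get_offense] [Thread-17929] [WARNING] - Could not retrieve offense 12345
"""

# Record header: timestamp [logger] [thread] [LEVEL] - message
HEADER = re.compile(
    r"^(\d{4}-\d\d-\d\d [\d:,]+) \[([^\]]+)\] \[([^\]]+)\] \[(\w+)\] - (.*)$")
APP_ID = re.compile(r"\[APP_ID/(\d+)\]")
# Volume layout as given on this page (qapp-<application ID>).
VOLUME = "/store/docker/volumes/qapp-{}/consolecert.pem"


def find_cert_failures(log_text):
    """Return one dict per console certificate-verification failure."""
    last_info = {}   # thread -> (app_id, action) from its latest INFO line
    current = None   # header of the record whose traceback is being read
    findings = []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, logger, thread, level, msg = m.groups()
            current = (ts, logger, thread, level)
            app = APP_ID.search(msg)
            if level == "INFO" and app:
                last_info[thread] = (app.group(1), msg.rsplit("] ", 1)[-1])
            continue
        # Not a header: this line continues the current record's traceback.
        if (current and current[1] == "qradar_api_client._rest"
                and current[3] == "ERROR"
                and "certificate verify failed" in line):
            ts, _, thread, _ = current
            app_id, action = last_info.get(thread, (None, None))
            path = VOLUME.format(app_id) if app_id else None
            findings.append({"time": ts, "thread": thread, "app_id": app_id,
                             "action": action, "pinned_cert": path,
                             "present": bool(path) and os.path.isfile(path)})
            current = None  # report each failing record once
    return findings
```

Run find_cert_failures over the contents of the retrieved app.log on the console or App Host; a finding whose "present" field is true points at the file the next section renames.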
Resolving The Problem
If consolecert.pem is found, rename the file and restart the app.
- Run mv /store/docker/volumes/<qapp-****>/consolecert.pem /store/docker/volumes/<qapp-****>/consolecert.pem.old from your console or App Host server
- Restart the app by using one of the previous methods
- Check if you can save the configuration of the app and that you can escalate offenses.
Document Location
Worldwide
Document Information
Modified date:
25 May 2022
UID
ibm16589923