Troubleshooting
Problem
When installing or upgrading IBM Resilient QRadar app 3.5.x and later, the error message, "certificate verify failed" is seen when clicking verify and configure.
Symptom
- In the circuits.log with debug enabled:
[abstract_qpylib] 127.0.0.1 [APP_ID/XXXX][:XXXXXXXXXXX] REST=https://resilient.example.com/api/siem/offenses
…
Json=None verify=/store/XXXcertificateXXX.pem version=None
…
SSLError: (‘bad handshake: Error([(‘SSL routines’, ‘SSL3_GET_SERVER_CERTIFICATE’, ‘certificate verify failed’)],)”,)
- When clicking Verify and Configure in the UI, you get the error message:
QRadar token test failed. ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
- Prior versions worked.
- Messages such as these indicating that the app cannot connect to the IBM QRadar console.
Cause
In version 3.5 and later of the app, the app validates every API request to the IBM QRadar console by validating the SSL certificate returned by the IBM QRadar console. Often, there are problems with the SSL certificates on the console and/or IBM QRadar App Host.
Diagnosing The Problem
- Check for the error, bad handshake: Error([(‘SSL routines’, ‘SSL3_GET_SERVER_CERTIFICATE’, ‘certificate verify failed’) within the UI or in the app.log.
- The app.log resides within the container that runs the app. You can get access to the container using instructions in What information is required when engaging support with IBM QRadar/Resilient application problems?
- Verify the certs on console:
for i in $(/opt/qradar/ca/bin/si-qradarca list -print | awk -F, '{print $4}' | sort | uniq); do echo $i; openssl verify -CAfile /etc/pki/tls/cert.pem $i; done
- Verify certs on app host:
for i in $(find /etc/conman/tls /etc/traefik/tls /etc/docker/tls /etc/vault-qrd/tls /etc/httpd/conf/certs /etc/pki/ca-trust/source/anchors -type f \( -name "*.cert" -o -name "*.pem" -o -name "*.crt" \));do echo $i; openssl verify -CAfile /etc/pki/tls/cert.pem $i; done
Errros returned by the two commands indicate a problem with the SSL certificates.
Resolving The Problem
Take a look at QRadar application error: 'Cannot establish secure connection to the console. Check if your QRadar Certificates are setup properly' which describes the requirements to ensure the SSL certificates are configured correctly.
If assistance is required, open a case for the IBM QRadar team to assist you further.
Related Information
Document Location
Worldwide
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSIP9Q","label":"IBM Security SOAR"},"ARM Category":[{"code":"a8m0z0000001gyGAAQ","label":"Integrations->QRadar app"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
Modified date:
19 April 2021
UID
ibm16234180