IBM Support

QRadar: LDAP Test Connection Failed when using TLS Authentication

Troubleshooting


Problem

Because of the deprecation of authentication modules in QRadar®, administrators must configure an alternative authentication method, such as Lightweight Directory Access Protocol (LDAP), to authenticate to QRadar®.

In the LDAP Authentication tab in the QRadar® UI, a pop-up window displays an error message.

Symptom

Cause

The LDAP server certificate is not present or was removed from the /opt/qradar/conf/trusted_certificates/ directory.

Environment

QRadar® 7.3.x and later

Diagnosing The Problem

  1. Log in to QRadar® as an administrator.
  2. Click the Admin tab.
  3. Click Authentication.
  4. Review the General Authentication Setting tab to determine whether LDAP is configured.

  5. Ensure that LDAP is configured with the following parameters:
    • The LDAP port in the server URL is set to 389
      Note: Secure LDAP uses port 636 by default, and insecure LDAP uses port 389 by default. Substitute the appropriate ports to match the LDAP server ports.
    • SSL Connection is set to false
    • TLS Authentication is set to true

Resolving The Problem

  1. Using SSH, log in to the system as the root user.
  2. Type the following command to change to the trusted certificates directory:
     
    cd /opt/qradar/conf/trusted_certificates
  3. Run the following command to pull the LDAP certificate from the LDAP server.
    Note: Replace “ldap_host.example.com” with the LDAP server FQDN or IP address.
    Note: Replace “ad_ldap_server.pem” with your preferred name ending with ".pem" extension. The ".pem" extension is mandatory.
     
    openssl s_client -connect ldap_host.example.com:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform pem > ad_ldap_server.pem
    
  4. Verify that the certificate was pulled with the ls command.
     
    [root@qradar01-console trusted_certificates]# ls -l
    -rw-rw-r-- 1 nobody nobody 2569 Oct  6  2019 external-scanner_qradar_ibmcloud_com.crt
    -rw-r--r-- 1 root   root   2195 Sep  1 14:31 ldap_server.pem
    -rw-r--r-- 1 root   root   1147 Jun 22 18:42 syslog-tls.cert
    -rw-r--r-- 1 root   root   1704 Jun 22 18:42 syslog-tls.key
  5. Test again on the UI.
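
The `ls` check in step 4 only shows that a file exists. The `>` redirect in step 3 creates the file even when the connection fails, so an empty or invalid `.pem` file looks the same in the listing. The following added example (not part of the original IBM document) parses the saved file and prints its subject, issuer, expiry date and SHA-256 fingerprint so they can be compared with the values the LDAP administrator expects. The helper name `check_trusted_cert` and the 30-day default threshold are assumptions.

```shell
# Added example: sanity-check the certificate file saved in step 3.
# check_trusted_cert is a hypothetical helper name, not a QRadar tool.
# Usage:   check_trusted_cert <file.pem> [min_days_valid]
# Returns: 0 ok, 1 wrong extension, 2 empty or not a PEM certificate,
#          3 certificate expires within min_days_valid days
check_trusted_cert() {
    _cert="$1"
    _min_days="${2:-30}"   # assumed default threshold

    # The page states that the ".pem" extension is mandatory.
    case "$_cert" in
        *.pem) ;;
        *) echo "FAIL: $_cert does not end in .pem" >&2; return 1 ;;
    esac

    # A failed s_client connection still leaves a zero-byte file behind,
    # so parse the file instead of relying on its presence.
    if [ ! -s "$_cert" ] || ! openssl x509 -in "$_cert" -noout 2>/dev/null; then
        echo "FAIL: $_cert is empty or not a PEM certificate" >&2
        return 2
    fi

    # Identity details to compare out of band with the LDAP administrator.
    openssl x509 -in "$_cert" -noout -subject -issuer -enddate
    openssl x509 -in "$_cert" -noout -fingerprint -sha256

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$_cert" -noout \
            -checkend $((_min_days * 86400)) >/dev/null; then
        echo "FAIL: $_cert expires within $_min_days days" >&2
        return 3
    fi
    echo "OK: $_cert"
}

# Example call, using the file name from step 3:
#   check_trusted_cert /opt/qradar/conf/trusted_certificates/ad_ldap_server.pem
```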

Document Location

Worldwide

Document Information

Modified date:
20 November 2020

UID

ibm16324869