IBM Support

SOAR: Unable to run manageAppHost install on App Host

Troubleshooting


Problem

Unable to pair an App Host by running sudo manageAppHost install in IBM Security Orchestration, Automation, and Response (SOAR).

Symptom

An HTTP 401 Unauthorized error occurs when pairing an App Host with the IBM Security SOAR server by running manageAppHost install:
INFO  c.i.s.a.c.m.setup.command.InstallCommand - Installing
INFO  c.i.s.a.c.m.s.s.i.PrecheckConnectionStep - Verifying connection with App Manager
WARN  c.i.s.a.c.m.s.s.i.PrecheckConnectionStep - Unable to verify connection with App Manager AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE (App Host name).
com.ibm.security.apps.manager.client.ManagerClientException: javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
	at com.ibm.security.apps.manager.client.internal.ErrorMappingInvocationHandler.invoke(ErrorMappingInvocationHandler.java:72)
	at com.sun.proxy.$Proxy57.getApps(Unknown Source)

Cause

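There is a time synchronization issue between the IBM Security QRadar SOAR server and the App Host server. Because the clocks disagree, the App Manager on the SOAR server treats the token presented by the App Host as expired ("Invalid token: expired" in the App Manager log) and rejects the request.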

Diagnosing The Problem

On App Host server
#cat /var/log/apphost/management-20210723180814595.log
INFO c.i.s.a.c.m.setup.command.CommandBase - Trusted certificate CN=resilient.localdomain
INFO c.i.s.a.c.m.s.s.impl.CreateNamespaceStep - Verifying connection with App Manager
WARN c.i.s.a.c.m.s.s.impl.CreateNamespaceStep - Unable to verify connection with App Manager.
com.ibm.security.apps.manager.client.ManagerClientException: javax.ws.rs.ForbiddenException: HTTP 403 Forbidden
	at com.ibm.security.apps.manager.client.internal.ErrorMappingInvocationHandler.invoke(ErrorMappingInvocationHandler.java:72)
	at com.sun.proxy.$Proxy50.getApps(Unknown Source)

On IBM Security QRadar SOAR server
#cat /usr/share/co3/logs/client-access.log
"GET / HTTP/1.1" 200 1247 6 - - [-] http-nio-443-exec-2
"GET /services_proxy/manager/controllers/AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE/apps HTTP/1.1" 403 93 62 - - [-] http-nio-443-exec-7

On IBM Security QRadar SOAR server
#cat /var/log/resilient-app-manager/resilient-app-manger.log
[REQ_ID:N-N-N-N-N] [FROM:X.X.X.X] [FORWARDED-FOR:X.X.X.X] [GET:http://localhost:8082/manager/controllers/AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE/apps] ERROR c.i.s.apps.webtokenutil.WebTokenImpl - Invalid token: expired
[REQ_ID:N-N-N-N-N] [FROM:X.X.X.X] [FORWARDED-FOR:X.X.X.X] [GET:http://localhost:8082/manager/controllers/AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE/apps] WARN c.i.s.a.m.a.j.UnauthorizedExceptionMapper - Unauthorized access detected
com.ibm.security.apps.manager.services.exception.UnauthorizedException: null
	at com.ibm.security.apps.manager.services.api.impl.ControllersApiImpl.getApps(ControllersApiImpl.java:262)

Resolving The Problem

  1. Run the following command on the App Host server and, if necessary, on the IBM Security QRadar SOAR server:
    sudo timedatectl set-timezone TIMEZONE
    Note: TIMEZONE is the time zone that you want to configure. To see the available values, use the list-timezones option:
    sudo timedatectl list-timezones
    For example, to use New York as the time zone:
    sudo timedatectl set-timezone America/New_York
  2. Reboot the system:
    sudo shutdown -r now
    Alternate method to reboot:
    sudo systemctl reboot
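
To measure the clock difference behind the expired-token error, before and after the change, the following added example (not from IBM documentation or product code) compares the local UTC clock with the Date header returned by the SOAR server. It assumes GNU date and curl are installed and that the server sends a Date header; the 60-second tolerance and the hostname soar.example.com are illustrative values, not IBM-documented ones.

```shell
#!/bin/bash
# Added example (not IBM code): report clock skew between this host and a
# remote HTTPS server using the server's HTTP Date header.
# Assumptions: GNU date, curl; MAX_SKEW is an illustrative tolerance.
MAX_SKEW=${MAX_SKEW:-60}

# Read HTTP response headers on stdin, print the Date header value.
extract_date_header() {
    tr -d '\r' | awk 'tolower($1) == "date:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# skew_seconds "<HTTP Date value>" <local epoch>: prints local minus remote.
skew_seconds() {
    remote_epoch=$(date -u -d "$1" +%s) || return 2
    echo $(( $2 - remote_epoch ))
}

# classify_skew <seconds>: prints OK or SKEWED, judged on the absolute value.
classify_skew() {
    s=$1
    if [ "$s" -lt 0 ]; then s=$(( 0 - s )); fi
    if [ "$s" -le "$MAX_SKEW" ]; then echo OK; else echo SKEWED; fi
}

# check_host <hostname>: fetch headers, report the skew and local time settings.
# Add --cacert <file> to the curl call if the server uses a private CA.
check_host() {
    hdr=$(curl -sI --max-time 10 "https://$1/" | extract_date_header)
    if [ -z "$hdr" ]; then echo "no Date header from $1" >&2; return 2; fi
    skew=$(skew_seconds "$hdr" "$(date -u +%s)") || return 2
    echo "host=$1 skew=${skew}s status=$(classify_skew "$skew")"
    timedatectl status 2>/dev/null || true
}

# Usage: ./clockskew.sh soar.example.com   (constructed hostname)
if [ -n "${1:-}" ]; then check_host "$1"; fi
```

Run it on the App Host against the SOAR server; a SKEWED result means the two clocks still differ by more than the chosen tolerance.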

Document Location

Worldwide

Document Information

Modified date:
06 January 2023

UID

ibm16476982