IBM Support

An app using an API key cannot connect to IBM Security QRadar SOAR

Troubleshooting


Problem

The use of invalid API keys stops apps from authenticating to IBM Security QRadar SOAR.

Symptom

In a particular client's case, the IBM Security QRadar XDR app for IBM Security QRadar SOAR would not save when the configuration was entered. The app would not connect to IBM Security QRadar SOAR so offenses could not be escalated.

Cause

The client used an invalid API key in the app's configuration. A bad copy and paste from the user interface can cause this.

Diagnosing The Problem

In /usr/share/co3/logs/client.log, an authentication error is logged when the app that uses the invalid API key attempts to authenticate to the /rest/session endpoint. The message depends on what is wrong with the key.

Invalid API key:
05:38:40.131 [https-jsse-nio2-443-exec-3] ERROR [] com.monaco.ui.server.core.SessionContext - Unknown basic authentication clientId: a090caf8-c467-4a8d-87d2-71ef6f6583dc
05:38:40.133 [https-jsse-nio2-443-exec-3] INFO  [] com.co3.web.servlet.Co3ServletFilterBase - Unauthenticated request GET https://soar.domain.com/rest/session
05:38:57.965 [https-jsse-nio2-443-exec-6] ERROR [] com.monaco.ui.server.core.SessionContext - Unknown basic authentication clientId: a090caf8-c467-4a8d-87d2-71ef6f6583dc

Invalid API key secret:
10:28:58.053 [http-nio-443-exec-3] WARN  [] com.co3.dao.impl.UserDAOImpl - Failed login for API key 'IBM QRadar SOAR plugin': Invalid API key secret
10:28:58.097 [http-nio-443-exec-3] INFO  [] com.co3.web.servlet.Co3ServletFilterBase - Unauthenticated request GET https://soar.domain.com/rest/session

API key that has no enabled organization:
13:48:58.055 [http-nio-443-exec-5] WARN  [] com.co3.dao.impl.UserDAOImpl - Failed login for API key 'Demo api key': API key has no enabled orgs".
13:48:58.099 [http-nio-443-exec-5] INFO  [] com.co3.web.servlet.Co3ServletFilterBase - Unauthenticated request GET https://soar.domain.com/rest/session
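
An added example (not IBM's code and not part of the original article): a short Python script that classifies the three client.log failure messages shown above and groups them by API key, so repeated failures for one key stand out. The sample lines are constructed, with placeholder ID, key names and host, and the function names are this example's own.

```python
import re
import sys
from collections import defaultdict
from pathlib import Path

# Message formats copied from the three client.log cases shown on this page.
PATTERNS = [
    ("Invalid API key",
     re.compile(r"Unknown basic authentication clientId: (?P<key>\S+)")),
    ("Invalid API key secret",
     re.compile(r"Failed login for API key '(?P<key>[^']*)': Invalid API key secret")),
    ("API key that has no enabled organization",
     re.compile(r"Failed login for API key '(?P<key>[^']*)': API key has no enabled orgs")),
]
TIMESTAMP = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s")

# Constructed sample lines (placeholder ID, key names and host), not real log data.
SAMPLE = """\
05:38:40.131 [https-jsse-nio2-443-exec-3] ERROR [] com.monaco.ui.server.core.SessionContext - Unknown basic authentication clientId: 00000000-0000-0000-0000-000000000000
05:38:40.133 [https-jsse-nio2-443-exec-3] INFO  [] com.co3.web.servlet.Co3ServletFilterBase - Unauthenticated request GET https://soar.example.com/rest/session
05:38:57.965 [https-jsse-nio2-443-exec-6] ERROR [] com.monaco.ui.server.core.SessionContext - Unknown basic authentication clientId: 00000000-0000-0000-0000-000000000000
10:28:58.053 [http-nio-443-exec-3] WARN  [] com.co3.dao.impl.UserDAOImpl - Failed login for API key 'example app key': Invalid API key secret
13:48:58.055 [http-nio-443-exec-5] WARN  [] com.co3.dao.impl.UserDAOImpl - Failed login for API key 'example demo key': API key has no enabled orgs
""".splitlines()

def classify(line):
    """Return (cause, key, timestamp) for an API key failure line, else None."""
    for cause, pattern in PATTERNS:
        match = pattern.search(line)
        if match:
            ts = TIMESTAMP.match(line)
            return cause, match.group("key"), ts.group(1) if ts else None
    return None

def summarize(lines):
    """Map (cause, key) to the timestamps at which that failure was logged."""
    summary = defaultdict(list)
    for line in lines:
        hit = classify(line)
        if hit:
            summary[hit[0], hit[1]].append(hit[2])
    return dict(summary)

if __name__ == "__main__":
    # Pass the path to client.log as the first argument; defaults to SAMPLE.
    lines = (Path(sys.argv[1]).read_text(errors="replace").splitlines()
             if len(sys.argv) > 1 else SAMPLE)
    for (cause, key), stamps in summarize(lines).items():
        print(f"{cause}: {key} failed {len(stamps)}x, first at {stamps[0]}")
```

The first case is keyed by the client ID the app sent, because the server does not recognize it; the other two are keyed by the API key's display name.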

You can also check the Resilient Circuits log (app.log), which is accessible from the App Host or integration server. If the Resilient Circuits version is earlier than V44.1, the error is:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/resilient/co3base.py", line 167, in set_api_key
    BasicHTTPException.raise_if_error(response)
  File "/usr/local/lib/python3.6/site-packages/resilient/co3base.py", line 64, in raise_if_error
    raise BasicHTTPException(response)
resilient.co3base.BasicHTTPException: :

If the Resilient Circuits version is V44.1 or later, the error is:

resilient.co3base.BasicHTTPException: 'resilient' API Request FAILED:
Response Code: 401
Reason: Unauthorized. Either the API Key has been blocked, the API Credentials are incorrect or the IP address has been banned. Please review the SOAR logs for more information

Resolving The Problem

Either regenerate the API key secret or create a new API key.
Regenerate the API key.
  • Go to the Users tab then click API Keys.
  • Click the API key that you want to regenerate. Scroll down to see the API Key Details of the account.
  • Click Regenerate API Key Secret then click Regenerate API Key Secret in the drop-down menu. The ID remains the same but a new secret is generated.
  • In the API Key Credentials, click Copy to Clipboard.
Create a new API key
  • Go to the Users tab then click API Keys.
  • Click the Create API Key button.
  • From the Create API Key screen, enter the display name for the API key account. This name must be unique in the organization and is the name shown for the key under Administrator Settings > Users > API Keys.
  • Optionally, enter a description.
  • From the Permissions section, assign the required permissions for the API key that you are creating.
  • Click Create. The API key credentials are displayed.
  • Make a note of the credentials and store them safely as you cannot retrieve them after you click OK. Then click OK to proceed.

Document Location

Worldwide


Document Information

Modified date:
19 April 2022

UID

ibm16562213