IBM Support

QRadar: Troubleshooting VA Scanner certificate Issues

How To


Summary

There are a number of issues caused by incorrect certificates downloading third-party scan results. The most common faults are listed, how to investigate and correct the certificate issues.

Objective

The following example errors in QRadar can indicate a certificate issue for your configured scanner:
 
  • Initialization error: Could not initialize scanner
  • IOException caught while executing API call; Error message [Certificate for <...> doesn't match any of the subject alternative names: [_servername_]]
  • com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CertificateException: checkCertificatePinning failed
  • Initialization error: Could not initialize scanner 'InsightVM_LAB_API': SSL Certificate Error: ensure the certificate for [*.*.*.*:3780] has been added to the Trusted Certificates directory
  • Unable to load X.509 certificate from file /opt/qradar/conf/trusted_certificates/expose_443.crt
  • Wrote file [/opt/qradar/conf/trusted_certificates/_servername__443.crt] but size was 0 bytes

Environment

Diagnosing The Problem

  1. Use SSH to log in to the QRadar appliance that hosts the scanner as the root user.
    Note: If your scanner is not hosted on the Console, administrators must open an SSH session to the Console before you can open a SSH session to another managed host. Direct SSH connections to managed hosts are blocked by default by iptables rules on QRadar appliances.
  2. Search the /var/log/qradar.log file for events of type "vis". - #cat /var/log/qradar.log | grep -i vis
  3. Check for errors that are listed in the examples.
OR
  1. Log in to the QRadar Console as an administrator.
  2. On the Admin tab, Vulnerability Section, Open "Schedule VA Scanners".
  3. The error message is located in the "Status" Column.

Steps

Resolving The Problem

Administrators who experience certificate issues with a vulnerability scanner can complete the following steps:
  1. Log in to the QRadar Console.
  2. Click the Admin tab.
  3. Click the Vulnerability Scanners icon.
  4. Review the Hosts column to confirm the QRadar appliance that has certificates.
    image-20220630234029-1
  5. Use SSH to log in to the QRadar Console as the root user.
  6. Open an SSH session to the QRadar appliance identified in the Host column.
  7. Confirm if the following issues need correction:
    1. Confirm the host has one certificate per configured scanner in the /opt/qradar/conf/trusted_certificates directory. If there are multiple certificates for a single scanner, remote duplicate or unwanted certificates.
    2. Verify the scanner identified in the Name column in the user interface matches the certificate located in /opt/qradar/conf/trusted_certificates. If the names are not identical, rename the cert to match the name in the user interface, if required.
    3. Check that the certificate is not expired with the following command: 
      openssl x509 -in Example_scanner.crt -text -noout
      If the certificate is expired, administrators must remove and download a new certificate from their remote scanner.
    4. Verify that the certificate is not zero bytes in size in the /opt/qradar/conf/trusted_certificates directory. If the file is zero (0) bytes, retrieve a new certificate from the scanner or use the getcert.sh utility to retrieve a certificate from your remote scanner. For more information about supported scanners, see QRadar supported vulnerability scanners.
    5. Confirm the status of the VIS service on the host appliance. VIS is responsible for managing configured scanners and downloading data when scheduled scans start. If the VIS service is not running or corrupted, type the following command to attempt to restart the service: 
      systemctl restart vis

      Result
      The third-party scans are expected to communicate with the providers address. If you continue to experience issues with certificates, service issues, or scans not starting as expected, contact QRadar Support for assistance.

Related Information

QRadar Support

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtKAAQ","label":"QRadar Risk and Vulnerability Manager"}],"ARM Case Number":"TS008086396","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
01 July 2022

UID

ibm16584439

Page Feedback