IBM Support

QRadar SOAR: "Certificate did not match expected hostname" when functions connect to SOAR

Troubleshooting


Problem

Applications or functions do not connect to SOAR, CP4S or QRadar Suite because the host name and the SSL certificate do not match.

Symptom

The following is seen in the application's logs.
2024-03-08 07:36:23,435 WARNING [connection] [MainThread] Certificate did not match expected hostname: x.x.x.x. Certificate: {'subject': ((('commonName', 'resilient.localdomain'),),), 'issuer': ((('commonName', 'resilient.localdomain'),),), 'version': 3, 'serialNumber': '02F0B449', 'notBefore': 'Feb 26 16:01:59 2024 GMT', 'notAfter': 'Feb 25 16:01:59 2025 GMT', 'subjectAltName': (('DNS', 'resilient.localdomain'),)}
2024-03-08 07:36:23,435 WARNING [api] [MainThread] SSLError: HTTPSConnectionPool(host='x.x.x.x', port=443): Max retries exceeded with url: /rest/session?include_permissions=false (Caused by SSLError(CertificateError("hostname 'x.x.x.x' doesn't match 'resilient.localdomain'"))) in resilient.co3base.BaseClient.set_api_key.<locals>.__set_api_key, retrying in 2 seconds...
The application does not work and the configuration test does not complete.

Cause

When any client tries to connect securely to an endpoint, checks are made to ensure that the endpoint is the one you intend to connect to.
One of the checks is whether the host name matches the SSL certificate returned. The client checks whether the host value, which in this case is an IP address, is listed as the common name or in the subject alternative name fields of the SSL certificate.
The common name of an SSL certificate cannot be an IP address; see RFC 2818. The client then checks whether the IP address is listed in the subject alternative name field. If it is not, the connection is not verified and the error is returned.
In the following app.config, the host value is an IP address:
[resilient]
api_key_id = dd28bf60-870f-4d67-a1dc-d88e28e49b08
api_key_secret = $API_KEY_SECRET
cafile = /etc/rescircuits/cert.cer
host = x.x.x.x
port = 443
org = Organisation1

Diagnosing The Problem

To access the logs for an application, which is in the App Host container, go to the application's Details tab and click Download Logs.
Review the logs and look for problems at the time you test the configuration.
Does your SSL certificate match the values set in the app.config? You can get the SSL certificate details from your web browser.
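
The comparison described under Cause can be reproduced offline before changing anything. The following Python sketch is an added example, not code from IBM or the resilient library; it applies simplified matching rules to the certificate fields shown in the log above, and 192.0.2.10 is a constructed address standing in for the masked x.x.x.x.

```python
import configparser
import ipaddress

# Certificate fields as printed in the log above (ssl.getpeercert() layout).
CERT = {
    "subject": ((("commonName", "resilient.localdomain"),),),
    "subjectAltName": (("DNS", "resilient.localdomain"),),
}
# Constructed app.config fragment; 192.0.2.10 stands in for the masked x.x.x.x.
APP_CONFIG = """
[resilient]
host = 192.0.2.10
port = 443
"""

def dns_match(pattern, host):
    """Case-insensitive compare; '*' may only replace the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def check_host(host, cert):
    """Return (matches, reason) for a host value checked against a certificate."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP host can only match SAN 'IP Address' entries, never a DNS name or CN.
        ips = [v for k, v in sans if k == "IP Address"]
        ok = any(ipaddress.ip_address(v) == ip for v in ips)
        return ok, ("IP SAN match" if ok else f"{host} not in SAN IP entries {ips}")
    names = [v for k, v in sans if k == "DNS"]
    if not names:
        # No DNS SAN present: fall back to the subject commonName.
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    ok = any(dns_match(n, host) for n in names)
    return ok, ("name match" if ok else f"{host} not in certificate names {names}")

def check_app_config(text, cert):
    """Read host from the [resilient] section and check it against the certificate."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return check_host(cfg["resilient"]["host"], cert)

if __name__ == "__main__":
    print(check_app_config(APP_CONFIG, CERT))         # IP host, as in the failing config
    print(check_host("resilient.localdomain", CERT))  # name carried by the certificate
```

An IP host value fails against this certificate because the certificate carries only a DNS entry; the name resilient.localdomain passes.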

Resolving The Problem

For production systems, you should update the app.config with an FQDN which matches the SSL certificate used by the endpoint. This way, when the application checks the validity of the connection, the host value will match the common name or be listed in the subject alternative name fields of the SSL certificate.
If the endpoint's host name is not in the network Domain Name Server, you can add the host name to the server hosting the App Hosts as follows. The <ip_address> is the address of the server you wish to access, and <hostname> is the name of the server. If a server has multiple names, you can add each name using --hostname as shown in the command.
sudo manageAppHost dns --set --ip <ip_address> --hostname <hostname1> --hostname <hostname2>
If you are using the default SSL certificate of CN=resilient.localdomain, then you will need to add this value by running the following command. Replace <ip_address> with the correct IP address.
sudo manageAppHost dns --set --ip <ip_address> --hostname resilient.localdomain
In a production environment you should not use the default self-signed certificate; use a properly signed certificate instead.
If you are not using a production system and want to connect to SOAR, CP4S or QRadar Suite, and you trust the host value you have set in the app.config, you can use cafile = False to instruct the function not to perform these checks.
[resilient]
api_key_id = dd28bf60-870f-4d67-a1dc-d88e28e49b08
api_key_secret = $API_KEY_SECRET
#cafile = /etc/rescircuits/cert.cer
cafile = False
host = x.x.x.x
port = 443
org = Organisation1

Document Location

Worldwide


Document Information

Modified date:
08 March 2024

UID

ibm17131004