Troubleshooting
Problem
On the QRadar Console, when you select an application an error message displays, 'Cannot establish secure connection to the console. Check if your QRadar Certificates are setup properly'. This error message can be caused by missing certificate chains on the Console or App Host appliance. The application's container cannot verify the certificates required to collect data from the QRadar API.
Symptom
The application tab in the user interface displays a, "Cannot establish secure connection to the console" error message or data is not displayed properly in the application, such as missing graphs or blank tables.
Cause
The problem is usually caused by apps attempting to make calls to the QRadar Console API, but failing to verify your SSL certificate. If you replaced the default QRadar self-signed certificate with a certificate signed by an internal or private certificate authority (CA), you can experience issues where the application does not load or display properly. These errors are a result of the certificate chain 'Root certificate authority + intermediates' not being updated in the local certificate store.
| Appliance type | Certificates required on appliance? | Certificate requirement | Local certificate store |
|---|---|---|---|
| Console (31xx) | Yes, RootCA and any intermediate certificates. | X.509 and PEM base64 encoding | /etc/pki/ca-trust/source/anchors |
| App Host (4000) | Yes, apps migrated from the Console to an App Host require the RootCA and any intermediate certificates. | X.509 and PEM base64 encoding | /etc/pki/ca-trust/source/anchors |
Diagnosing The Problem
After you upgrade or install an IBM® application, administrators might see one of the following error messages when the SSL certificate cannot be verified:
- A certificate error is displayed in the QRadar user interface when the application loads: Cannot establish secure connection to the console. Check if your QRadar Certificates are setup properly.
- The application loads, but is missing information or dashboard widgets are not populating. The app log can identify why certificate validation failed:
HTTPSConnectionPool(host=’ qradar.example.ibm.com‘, port=443): Max retries exceeded with url: //api/ariel/ (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",),)) - As you configure the Authorized Service token for a newly installed IBM application, the application fails to save the token. The app log file, identifies the certificate verify failed:
HTTPSConnectionPool(host=’ qradar.example.ibm.com‘, port=443): Max retries exceeded with url: //api/ariel/ (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",),))
Resolving The Problem
The private Root CA and all intermediate certificates need to be copied to the local truststore of both the Console and App Host if the certificate is required for your applications. Certificates must be X.509 and have PEM base64 encoding. Additionally, the Root CA and the intermediate files can be combined into a single file; however, combining the files is not a requirement for the application to load or display data successfully.
Procedure
- Download the Root CA and intermediate files.
Note: Certificates can be obtained from your internal certificate authority or in some cases can be exported directly from your browser after you log in to the QRadar Console.
- Copy the files to the QRadar Console.
- Use SSH to log in to the QRadar Console's command line as the root user.
- Optional. If apps run on an App Host appliance, open an SSH session from the Console to the App Host.
- Copy the Root CA and intermediate files to the directory: /etc/pki/ca-trust/source/anchors
cp /<copy from directory> /etc/pki/ca-trust/source/anchors - Run the following command to update the truststore.
#update-ca-trust - The applications docker container must be restarted so the application can pick up the updated certificate.
systemctl restart docker - You can verify that the updated certificates are being leveraged by connecting to the app in question. To locate the application ID for your app, type:
A list of installed applications and their App-ID values are output to the screen. The App-ID is a unique numeric value. Administrators can use the numeric App-ID value to connect to the container for a specific application. If a failure is detected, remediation steps are displayed./opt/qradar/support/recon ps - To connect to the app container, type:
A shell is opened to the application's container. Administrators can browse this directory to review files, logs, or configurations for the application./opt/qradar/support/recon connect <App-ID> - After you enter the docker container, list the files in /etc/pki/ca-trust/source/anchors/ to verify the certificate exists.
ls -l /etc/pki/ca-trust/source/anchors/
What if I’m still having a problem or still seeing the same errors?
If you still see the same errors, confirm the certificate chain was copied to the local truststore. Depending on how your certificate was signed by your CA, there might be multiple intermediate certificates and not just one. All intermediate certificates must be copied over to the truststore on both the Console and the App Host in order for QRadar to be able to verify the chain.
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt3AAA","label":"QRadar Apps"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
07 October 2021
UID
ibm16217361