IBM Support

QRadar: BigFix and QVM Integration with Domain Authentication

Troubleshooting


Problem

The Knowledge Center guide explains how to configure encrypted communication between BigFix and QRadar. However, the import of vulnerability fix status updates from BigFix into QRadar does not work.

Symptom

The error found in the /var/log/iem-cron.log file is as follows:
  

org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        at com.sun.proxy.$Proxy30.getRelevanceResult(Unknown Source)
        at com.q1labs.qvm.iem.BigfixClient.getRelevanceResultResponse(BigfixClient.java:301)
        at com.q1labs.qvm.iem.BigfixClient.getSiteIds(BigfixClient.java:104)
        at com.q1labs.qvm.iem.BigfixClient.getFixletList(BigfixClient.java:154)
        at com.q1labs.qvm.iem.BigfixClient.getFixletList(BigfixClient.java:139)
        at com.q1labs.qvm.iem.FixletLoader.loadCurrentFixlets(FixletLoader.java:111)
        at com.q1labs.qvm.iem.FixletResultReaderApp.loadActionResults(FixletResultReaderApp.java:49)
        at com.q1labs.qvm.iem.FixletResultReaderApp.main(FixletResultReaderApp.java:69)
Caused by: java.lang.ClassNotFoundException:

Cause

This can be caused by using domain authentication in BigFix for user authentication.

Resolving The Problem

The guide describes how to configure BigFix to send encrypted data to QRadar. In step 2b of the guide, you are told to type ./iem-setup-webreports.pl and enter the host name, host port, user name, and password for the BigFix server. For the user name you would use domain\username, since the account used to log in to BigFix is domain authenticated.

Configuring encrypted communication between IBM BigFix and QRadar

However, the import of vulnerability fix status updates from BigFix into QRadar does not work.

The "\" character in the username must be escaped for QRadar to log in to BigFix successfully.


To resolve this issue:

  1. Log in to the QRadar Console by using an SSH session.
  2. If QVM is not running from the Console, connect to the Managed Host by using SSH.
  3. Change directories to /opt/qvm/iem/
    cd /opt/qvm/iem/
  4. Back up the file webreports.properties by using this command.
    cp webreports.properties webreports.properties.bak
  5. Open webreports.properties in the vi editor.
    vi webreports.properties
  6. Change the webreports.username parameter
    webreports.username= domain\username
    to
    webreports.username= domain\\username
  7. Save the changes by typing
    esc :wq
  8. Change directories to /opt/qvm/adapter/config/
    cd /opt/qvm/adapter/config/
  9. Back up the file plugin-bigfix.properties by using this command.
    cp plugin-bigfix.properties plugin-bigfix.properties.bak
  10. Open plugin-bigfix.properties in the vi editor.
    vi plugin-bigfix.properties
  11. Change the bes.rest.username parameter
    bes.rest.username= domainusername
    to
    bes.rest.username= domain\\username
  12. Save the changes by typing
    esc :wq

Results:
The vulnerability import should be successful the next time the cron job runs the script (every 15 minutes by default).
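
The escaping change in steps 6 and 11, as an added shell example that is not IBM's tooling or part of the original technote: it reports whether a username value in a properties file has its backslash escaped, and doubles it if not. It assumes the files follow Java .properties escaping (a backslash starts an escape sequence, so a literal one is written as \\); the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM's tooling): check and correct backslash escaping of a
# username value in a Java-style .properties file such as webreports.properties.

# Escape the dots in a property key so it can be used inside a sed/grep regex.
key_regex() { printf '%s' "$1" | sed 's/\./\\./g'; }

# username_escape_state FILE KEY
# Prints one of: missing | no-backslash | unescaped | escaped
username_escape_state() {
    pat=$(key_regex "$2")
    grep -q "^[[:space:]]*${pat}[[:space:]]*[=:]" "$1" || { echo missing; return 0; }
    # Last assignment wins; tolerate the "key= value" spacing used in the technote.
    value=$(sed -n "s/^[[:space:]]*${pat}[[:space:]]*[=:][[:space:]]*//p" "$1" | tail -n 1)
    # Remove every escaped pair (\\); any backslash left over is unescaped.
    rest=$(printf '%s' "$value" | sed 's/\\\\//g')
    case $rest in *\\*) echo unescaped; return 0 ;; esac
    case $value in *\\\\*) echo escaped ;; *) echo no-backslash ;; esac
}

# escape_username FILE KEY
# Keeps FILE.bak (created once), then rewrites KEY's line so each backslash is
# doubled. Idempotent: existing pairs are collapsed to one before doubling.
escape_username() {
    pat=$(key_regex "$2")
    [ -e "$1.bak" ] || cp -p "$1" "$1.bak" || return 1
    fixed=$(sed -e "/^[[:space:]]*${pat}[[:space:]]*[=:]/{" \
                -e 's/\\\\/\\/g' -e 's/\\/\\\\/g' -e '}' "$1") || return 1
    # Redirecting into the existing file keeps its owner and mode.
    printf '%s\n' "$fixed" > "$1"
}

# Demo on a constructed file (sample values, not real credentials or hosts).
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' 'webreports.username= domain\username' > "$f"
    before=$(username_escape_state "$f" webreports.username)
    escape_username "$f" webreports.username
    after=$(username_escape_state "$f" webreports.username)
    printf '%s -> %s: %s\n' "$before" "$after" "$(cat "$f")"
    rm -f "$f" "$f.bak"
}
demo
```

Against the real files, the calls would be `username_escape_state /opt/qvm/iem/webreports.properties webreports.username` and the same for `bes.rest.username` in /opt/qvm/adapter/config/plugin-bigfix.properties; a `no-backslash` result for a domain account means the separator is missing and has to be re-entered by hand.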


Product: IBM Security QRadar Vulnerability Manager
Platform: Linux
Version: 7.2; 7.3

Document Information

Modified date:
16 June 2018

UID

swg22008488