Troubleshooting
Problem
When downloading a certificate from Salesforce to QRadar, the download fails if the wrong certificate identifier is used.
Diagnosing The Problem
Look for messages in /var/log/qradar.error similar to:
Jun 5 15:07:17 ::ffff:x.x.x.x [ecs-ec.ecs-ec] [Thread-139] com.q1labs.frameworks.crypto.Q1X509TrustManager: [WARN] [NOT:0000004000][x.x.x.x/- -] [-/- -]Rejecting SSL/TLS connection because server presented unrecognized certificate. The chain sent by the server is:
Jun 5 15:07:17 ::ffff:x.x.x.x [ecs-ec.ecs-ec] [Thread-139] com.q1labs.frameworks.crypto.Q1X509TrustManager: [WARN] [NOT:0000004000][x.x.x.x/- -] [-/- -] Subject = CN=login.salesforce.com, OU=InfraSec, O="salesforce.com, inc.", L=San Francisco, ST=California, C=US
Jun 5 15:07:17 ::ffff:x.x.x.x [ecs-ec.ecs-ec] [Thread-139] com.q1labs.frameworks.crypto.Q1X509TrustManager: [WARN] [NOT:0000004000][x.x.x.x/- -] [-/- -] Subject = CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
Jun 5 15:07:17 ::ffff:x.x.x.x [ecs-ec.ecs-ec] [Thread-139] com.q1labs.frameworks.crypto.Q1X509TrustManager: [WARN] [NOT:0000004000][x.x.x.x/- -] [-/- -]The current certificate allowlist is:
Jun 5 15:07:17 ::ffff:x.x.x.x [ecs-ec.ecs-ec] [Thread-139] com.q1labs.frameworks.crypto.Q1X509TrustManager: [WARN] [NOT:0000004000][x.x.x.x/- -] [-/- -] Subject = CN=*.salesforce.com, OU=InfraSec, O="salesforce.com, inc.", L=San Francisco, ST=California, C=US
Jun 5 15:07:17 ::ffff:x.x.x.x [ecs-ec.ecs-ec] [Thread-139] com.q1labs.frameworks.crypto.Q1X509TrustManager: [WARN] [NOT:0000004000][x.x.x.x/- -] [-/- -]To establish trust in this server certificate, place a copy in /opt/qradar/conf/trusted_certificates
Resolving The Problem
To download the Salesforce certificate:
- Request an access token. The token response should include an instance_url that you use with the certificate pull.
{"id":"https://login.salesforce.com/id/00Dx0000000BV7z/005x00000012Q9P", "issued_at":"1278448832702","instance_url":"https://yourInstance.salesforce.com/", "signature":"0CmxinZir53Yex7nE0TD+zMpvIWYGb/bdJh6XfOH6EQ=","access_token": "00Dx0000000BV7z!AR8AQAxo9UfVkh8AlV0Gomt9Czx9LjHnSSpwBMmbRcgKFmxOtvxjTrKW1 9ye6PE3Ds1eQz3z8jr3W7_VbWmEu4Q8TVGSTHxs","token_type":"Bearer"}
Refer to the Salesforce article on requesting an access token: Username-Password Flow
- Using an SSH session, log in to the QRadar Console as the root user.
- If the certificate is to be installed on a managed host, use an SSH session to connect to that appliance.
- Change directories to /opt/qradar/conf/trusted_certificates.
  cd /opt/qradar/conf/trusted_certificates
- Install the certificate by typing the command.
  /opt/qradar/bin/getcert.sh yourInstance.salesforce.com
Note: Using the command /opt/qradar/bin/getcert.sh *.salesforce.com will result in the certificate failing to download.
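The steps above can be checked before running getcert.sh. The following shell functions are an added example, not IBM's or Salesforce's own tooling: they pull the host out of instance_url in a token response and refuse a wildcard or malformed value. The function names and the shortened sample response are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the getcert.sh argument from a Salesforce token response.
# SAMPLE_RESPONSE is constructed (shortened from the sample response on this page).
SAMPLE_RESPONSE='{"id":"https://login.salesforce.com/id/00Dx0000000BV7z/005x00000012Q9P","instance_url":"https://yourInstance.salesforce.com/","token_type":"Bearer"}'

# Print the host part of instance_url from a JSON token response (hypothetical helper).
# Prints nothing when the field is missing or is not an https URL.
instance_host() {
    printf '%s' "$1" |
        sed -n 's|.*"instance_url"[[:space:]]*:[[:space:]]*"https://\([^"/:]*\).*|\1|p'
}

# Succeed only for a concrete hostname: no wildcard, scheme, port or path.
valid_getcert_target() {
    case "$1" in
        ''|*'*'*|*/*|*:*) return 1 ;;
    esac
    # Letters, digits and hyphens in dot-separated labels, at least two labels.
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
}

# Print the command to run from /opt/qradar/conf/trusted_certificates,
# or fail when the response does not yield a usable instance host.
getcert_command() {
    host=$(instance_host "$1")
    if valid_getcert_target "$host"; then
        printf '/opt/qradar/bin/getcert.sh %s\n' "$host"
    else
        echo "no usable instance_url host in token response" >&2
        return 1
    fi
}

getcert_command "$SAMPLE_RESPONSE"
```

The command is printed rather than executed so that it can be reviewed before it changes the trust store.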
Document Information
Modified date: 22 February 2021
UID: ibm10733074