IBM Support

QRadar: Downloading a SalesForce Certificate to QRadar

Troubleshooting


Problem

When trying to download a certificate to QRadar from SalesForce, the download fails if the wrong certificate identifier is used.

Diagnosing The Problem

Look for messages in /var/log/qradar.error similar to:

Jun  5 15:07:17 ::ffff:x.x.x.x [ecs-ec.ecs-ec] [Thread-139] com.q1labs.frameworks.crypto.Q1X509TrustManager: [WARN] [NOT:0000004000][x.x.x.x/- -] [-/- -]Rejecting SSL/TLS connection because server presented unrecognized certificate.  The chain sent by the server is:
Jun  5 15:07:17 ::ffff:x.x.x.x [ecs-ec.ecs-ec] [Thread-139] com.q1labs.frameworks.crypto.Q1X509TrustManager: [WARN] [NOT:0000004000][x.x.x.x/- -] [-/- -]    Subject = CN=login.salesforce.com, OU=InfraSec, O="salesforce.com, inc.", L=San Francisco, ST=California, C=US
Jun  5 15:07:17 ::ffff:x.x.x.x [ecs-ec.ecs-ec] [Thread-139] com.q1labs.frameworks.crypto.Q1X509TrustManager: [WARN] [NOT:0000004000][x.x.x.x/- -] [-/- -]    Subject = CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
Jun  5 15:07:17 ::ffff:x.x.x.x [ecs-ec.ecs-ec] [Thread-139] com.q1labs.frameworks.crypto.Q1X509TrustManager: [WARN] [NOT:0000004000][x.x.x.x/- -] [-/- -]The current certificate allowlist is:

Jun  5 15:07:17 ::ffff:x.x.x.x [ecs-ec.ecs-ec] [Thread-139] com.q1labs.frameworks.crypto.Q1X509TrustManager: [WARN] [NOT:0000004000][x.x.x.x/- -] [-/- -]    Subject = CN=*.salesforce.com, OU=InfraSec, O="salesforce.com, inc.", L=San Francisco, ST=California, C=US
Jun  5 15:07:17 ::ffff:x.x.x.x [ecs-ec.ecs-ec] [Thread-139] com.q1labs.frameworks.crypto.Q1X509TrustManager: [WARN] [NOT:0000004000][x.x.x.x/- -] [-/- -]To establish trust in this server certificate, place a copy in /opt/qradar/conf/trusted_certificates

Resolving The Problem

To download the SalesForce certificate:

  1. Request an access token. The token should have an instance_url that you use with the certificate pull.
      {"id":"https://login.salesforce.com/id/00Dx0000000BV7z/005x00000012Q9P",  "issued_at":"1278448832702","instance_url":"https://yourInstance.salesforce.com/",  "signature":"0CmxinZir53Yex7nE0TD+zMpvIWYGb/bdJh6XfOH6EQ=","access_token":  "00Dx0000000BV7z!AR8AQAxo9UfVkh8AlV0Gomt9Czx9LjHnSSpwBMmbRcgKFmxOtvxjTrKW1  9ye6PE3Ds1eQz3z8jr3W7_VbWmEu4Q8TVGSTHxs","token_type":"Bearer"}

    Refer to the SalesForce article on requesting an access token: Username-Password Flow.

  2. Using an SSH session, log in to the QRadar Console as the root user.

  3. If the certificate is to be installed on a managed host, use an SSH session to connect to that appliance.

  4. Change directories to /opt/qradar/conf/trusted_certificates.
    cd /opt/qradar/conf/trusted_certificates

  5. Install the certificate by typing the command:
    /opt/qradar/bin/getcert.sh yourInstance.salesforce.com
    Note: Using the command /opt/qradar/bin/getcert.sh *.salesforce.com results in the certificate failing to download.
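
The following is an added example, not part of the IBM article or of QRadar: it takes the instance_url from a token response (step 1), rejects wildcard or URL-style identifiers such as the one in the note above, and prints the command for steps 4 and 5 without running it. The function names are hypothetical and the sample response is constructed with placeholder values.

```bash
#!/usr/bin/env bash
# Added example: build the step 5 command from the step 1 token response.
# Paths are the ones the article gives; function names are hypothetical.
GETCERT=/opt/qradar/bin/getcert.sh
TRUST_DIR=/opt/qradar/conf/trusted_certificates

# Constructed sample response; identifiers and secrets are placeholders.
SAMPLE_RESPONSE='{"id":"https://login.salesforce.com/id/ORG_ID/USER_ID","issued_at":"1278448832702","instance_url":"https://yourInstance.salesforce.com/","signature":"PLACEHOLDER","access_token":"PLACEHOLDER","token_type":"Bearer"}'

# Read a token response on stdin and print the host part of instance_url.
instance_host() {
    sed -n 's|.*"instance_url"[[:space:]]*:[[:space:]]*"https://\([^"/:]*\).*|\1|p' | head -n 1
}

# Succeed only for a concrete DNS hostname: no wildcard, scheme, path or port.
is_concrete_host() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|-*|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the command for steps 4 and 5, or explain on stderr why the
# identifier is rejected. Nothing is executed.
getcert_command() {
    if ! is_concrete_host "$1"; then
        echo "rejected '$1': pass the instance hostname, not a wildcard or URL" >&2
        return 1
    fi
    printf 'cd %s && %s %s\n' "$TRUST_DIR" "$GETCERT" "$1"
}

# Demo on the constructed sample.
getcert_command "$(printf '%s\n' "$SAMPLE_RESPONSE" | instance_host)"
```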


Document Information

Modified date:
22 February 2021

UID

ibm10733074