Risk Manager troubleshooting

If you encounter an issue in IBM® Security Risk Manager, see the following information on problem resolution.

Risk Manager certificate update fails

The IBM Security Risk Manager Dashboard is not displayed after a certificate update fails.

Certificate update fails symptoms

The Risk Manager application is not available through the IBM Security QRadar Suite Software console. Risk Management components are not in a running or complete state.

The Risk Manager application pods go into Error and CrashLoopBackOff states because the app fails to retrieve the new certificate. The Risk Manager application is unable to call QRadar Suite Software services, for example, Entitlements service.

Certificate fails causes

The following problems are possible causes.
  • The truststore pod was not restarted for the certificate change to take effect.
  • The cp4s-truststore secret might not have the correct certificate.

To diagnose the problem, complete the following steps. You must have cluster admin access.

  1. Check the status of the Risk Manager pods by running the following command.

    oc get pods | grep idrm

    The output from the command might look similar to the following example.

    idrmapp-546b4d9749-hk8s8                                   1/1     Running            0          12h
    idrmdashboard-7c759cd65c-kmdzg                             0/1     CrashLoopBackOff   144        12h
    idrmdashboard-c579589bd-qq886                              0/1     Running            142        12h
    idrmingestion-66b8cb8c9f-9cf6z                             0/1     CrashLoopBackOff   144        12h
    idrmingestion-6b58c87d6f-84ctm                             0/1     CrashLoopBackOff   147        12h
    idrmintex-747b98cb86-97m2k                                 0/1     CrashLoopBackOff   147        12h
    idrmintex-7c68d8756b-2jml7                                 0/1     CrashLoopBackOff   149        12h
    idrmrisk-1607426400-4xtfv                                  0/1     Error              0          8m29s
    idrmrisk-1607426400-62hwb                                  0/1     Error              0          14m
    idrmrisk-1607426400-76lfx                                  0/1     Error              0          13m
    

    When the pods are in Error or CrashLoopBackOff status, check the log to find out whether the certificate is invalid or expired.

  2. Check the logs of one of the Risk Manager pods by running the following command.

    Tip: You might need to use your own pod name if it differs from the name in the command.

    oc logs idrmrisk-1607426400-76lfx

    The following error message might display.

    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Resolving the certificate fails problem

Before you begin, you must have cluster administrator access with the Kubernetes command-line interface tool to the cluster where QRadar Suite Software is installed.

If a valid certificate was uploaded and your problem is that the truststore pod was not restarted, you can skip to step 5 and complete the procedure. Otherwise, create a valid self-signed certificate that points to the correct cluster domain and complete the whole procedure.
  1. Create a self-signed certificate and key.

  2. Verify that step 1 generated the following files:
    • ca.crt
    • ca.serial
    • openssl.cfg
    • tls.crt.tmp
    • tls.key
    • ca.key
    • tls.crt
    • tls.csr
  3. Install and load the cpctl tool.

  4. Upload ca.crt, tls.crt, and tls.key files to the server by using the following command.

    cpctl tools update_cert --key "$(cat tls.key)" --cert "$(cat tls.crt)" --authority "$(cat ca.crt)" --token "$(oc whoami -t)"
  5. Delete the old truststore pod by running the following command.

    oc delete pod -lname=truststore
  6. When the pod is deleted, verify that the new truststore pod is in the running state.

  7. Verify that the Risk Manager pods restart and enter the Running state within 15 minutes.

    The output might look similar to the following example.

    idrmapp-865f5f6779-nz8wn                                   1/1     Running     0          17m
    idrmdashboard-675fdc9447-z5nlx                             1/1     Running     0          16m
    idrmingestion-fd584bbf6-75pjk                              1/1     Running     0          17m
    idrmintex-749db4b789-5ghlv                                 1/1     Running     0          16m
    idrmrisk-1607429400-55jgm                                  0/1     Completed   0          13m
    idrmrisk-1607430000-8zc88                                  0/1     Completed   0          3m21s

idrmrisk cron job pods are in an error state

After IBM Security QRadar Suite Software is installed, idrmrisk cron job pods are in an error state until you configure the initial identity provider.

Cron job error symptoms

The pods of idrmrisk cron job are in an error state. You can see the exception in the log file.

Cron job error cause and diagnosis

The initial identity provider is not configured.

To diagnose the problem, run the following steps to check the log file. Before you begin, you must have cluster administrator access to the cluster where QRadar Suite Software is installed.
  1. Display the log of the idrmrisk pod by typing the following command.

    oc logs <pod_name>
  2. Check for the following error in the log file.

    {"name":"A3Risk","level":"ERROR","time":"2022-06-16 16:00:54,255",
    "log":"A3SystemJwtUtils:284 - Exception: java.net.NoRouteToHostException: No route to host (Host unreachable)

Resolving the cron job error problem

Before you begin, you must have cluster administrator access to the cluster where QRadar Suite Software is installed.

Configure your initial identity provider. When the Entitlements service restarts automatically and is running, the idrmrisk pods are in the completed state.

If the Entitlements service does not restart automatically after you configure your identity provider, restart the service. For more information, see 500 error when you log in.
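
The two problems on this page leave different signatures in the pod status and the pod log. The following script is an added example, not IBM code: it filters `oc get pods` output for unhealthy idrm pods and classifies a pod log as one of the two errors shown above. The function names and the sample data (constructed from the output on this page) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not IBM code): offline triage of the two failure modes above.

# Print "<pod> <status> <ready>" for every idrm pod that is in Error or
# CrashLoopBackOff, or that is Running but not ready. Reads `oc get pods`
# output on stdin. Completed cron job pods (0/1 Completed) count as healthy.
unhealthy_idrm_pods() {
    awk '$1 ~ /^idrm/ {
        split($2, ready, "/")
        if ($3 == "Error" || $3 == "CrashLoopBackOff" ||
            ($3 == "Running" && ready[1] != ready[2]))
            print $1, $3, $2
    }'
}

# Classify pod log text on stdin by the first known error it contains:
#   cert-trust        the JVM cannot build a path to a trusted certificate
#   idp-unconfigured  the cron job error this page ties to the identity provider
#   unknown           neither signature is present
classify_idrm_log() {
    awk '
        /SunCertPathBuilderException: unable to find valid certification path/ { c = "cert-trust"; exit }
        /A3SystemJwtUtils/ && /java\.net\.NoRouteToHostException/ { c = "idp-unconfigured"; exit }
        END { print (c == "" ? "unknown" : c) }
    '
}

# Map a classification to the remedy that this page describes.
next_step() {
    case "$1" in
        cert-trust) echo "check the cp4s-truststore certificate, then: oc delete pod -lname=truststore" ;;
        idp-unconfigured) echo "configure the initial identity provider" ;;
        *) echo "no known signature: read the full pod log" ;;
    esac
}

# Constructed sample input, taken from the example output on this page.
SAMPLE_PODS='idrmapp-546b4d9749-hk8s8        1/1  Running           0    12h
idrmdashboard-c579589bd-qq886   0/1  Running           142  12h
idrmintex-747b98cb86-97m2k      0/1  CrashLoopBackOff  147  12h
idrmrisk-1607426400-76lfx       0/1  Error             0    13m
idrmrisk-1607429400-55jgm       0/1  Completed         0    13m'
SAMPLE_LOG='Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target'

# On a live cluster, replace the samples with `oc get pods` and `oc logs <pod_name>`.
printf '%s\n' "$SAMPLE_PODS" | unhealthy_idrm_pods
next_step "$(printf '%s\n' "$SAMPLE_LOG" | classify_idrm_log)"
```

The Running-but-not-ready check catches pods such as idrmdashboard-c579589bd-qq886 in the first example output, which report Running while restarting repeatedly.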