Troubleshooting App Host problems

Refer to the following topics if you have a problem with the App Host .

Depending on the error or problem, you can use various tools and methods to check the apps and App Hosts, as described in the following sections.

Checking the Kubernetes container

Verify that the Kubernetes container is running or complete.

To verify that the Kubernetes container is running or complete, run the following command on the App Host system.
sudo kubectl get pods -n kube-system

If not running or complete, the proxy settings for the k3s might not be configured. Make sure that the firewall commands are properly configured. For the instructions to set up the firewall rule, see the installation procedure in Changed in 51.0.0.0 Installing the App Host stand-alone software.

For the instructions to configure k3s in a proxy environment, see Configuring proxy authentication.

You can also use the kubectl describe command to view information about a pod that failed to run, especially in the "Events" section.
sudo kubectl describe pod/<name> -n <namespace>
For example,
sudo kubectl describe pod/coredns-68ff754cd5-lr5xm -n kube-system

Checking the App Host and containers

Verify that the App Host containers are running correctly.

To verify that the App Host containers are running correctly, run the following command on the App Host system.
sudo kubectl get pods -A -l app.kubernetes.io/name=controller

Make sure that the NAME column in the middle has an entry for deployment-operator-<unique id> and an entry for deployment-synchronizer-<unique id>. Ensure that the Status is Running.

If the containers are not running, use the kubectl describe command to determine the cause of the issue, paying particular attention to the Events section. 
sudo kubectl describe pod/<name> -n <namespace>
The App Hosts have runtime status probes available. When a problem occurs inside the containers, the cluster tries to resolve the problem by restarting the containers. You can check the container restart counter by listing the pods.
sudo kubectl get pods -n <apphost namespace>
If the RESTARTS counter keeps increasing, use the following command to trigger a self-check on each App Host, and collect the logs by using kubectl.
sudo manageAppHost checkconnection [--controller-id <apphost namespace>]

The tool also lists all of the detected App Hosts.

App is stuck 'Deploying...' or in an Error state

Check containers if the app does not complete its deployment.

You might have a container problem if you see the following error message.
App is stuck 'Deploying...'
Check that the container for the app was successfully deployed and is running.
sudo kubectl get pods -A -l apps.isc.ibm.com/app-type=app -L app.kubernetes.io/instance
If the container is not running or in error, use the kubectl describe command to try to diagnose the issue. 
sudo kubectl describe pod/<name> -n <namespace>

Verify that the App Host is accessing the correct repository. Look at the "Image:" entry under "Containers". It is the fully qualified image name and can help determine whether the images are being pulled from the wrong place. Events at the end also reveal information.

If the App pods are running, check the App Host logic containers. You can access the log information.
sudo kubectl logs deployments/deployment-synchronizer –n <namespace leftcolumn> &&
sudo kubectl logs deployments/deployment-operator –n <namespace leftcolumn>
If the App Host container logs indicate a connection issue, it might be one of the following problems:
  • Proxy issue. Follow the instructions in Configuring proxy authentication, starting at step 4.
  • DNS issue. Containers that are started in k3s do not inherit the network aliases from /etc/hosts on the App Host system. DNS can be configured by using the manageAppHost dns command. See Create the App Hosts for details.
  • Certificate changed. Use the manageAppHost certificate command to download again the SOAR server certificate.

Check the locally hosted or private repository to show the available images. Verify that the app is in the repository. The app image name is the same name that is listed next to Executables in the Install App Wizard.

SSL: CERTIFICATE_VERIFY_FAILED error for an app

If you see a CERTIFICATE_VERIFY_FAILED error for an app, you can set the verify option in the app.config file to configure the default SSL verification for the app.

Symptoms

You see a CERTIFICATE_VERIFY_FAILED error for an app.

Diagnosing the problem

You see an error similar to the following:
------------------------ Running selftest for: 'fn-cisco-wsa' ------------------------ fn-cisco-wsa: 
Checking Cisco WSA connectivity and credentials...! HTTPSConnectionPool(host='10.10.10.10', port=6443): Max retries exceeded with url: 
/wsa/api/v3.0/generic_resources/auth_settings (Caused by SSLError(SSLCertVerificationError(1, '[SSL: 
CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)'))) 
IntegrationError("HTTPSConnectionPool(host='10.10.10.10', port=443): Max retries exceeded with url: 
/wsa/api/v3.0/generic_resources/auth_settings (Caused by SSLError(SSLCertVerificationError(1, '[SSL: 
CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)')))") selftest: failure 
selftest output: {'state': 'failure', 'reason': 'IntegrationError("HTTPSConnectionPool(host=\'10.10.10.10\', port=443): 
Max retries exceeded with url: /wsa/api/v3.0/generic_resources/auth_settings (Caused by 
SSLError(SSLCertVerificationError(1, \'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed 
certificate (_ssl.c:1129)\')))")'} Elapsed time: 0.022000 seconds ERROR: running selftest for App. Error Code: 1

Resolving the problem

Set the verify option in the app's app.config file to configure the default SSL verification for the app. For more information, see Advanced configuration settings.

App does not work after its rules start

The workflow, function, or other customization is not working, but the App container is deployed and the app is running.

Start by testing the app configuration from the SOAR Platform. Some configuration issues can be discovered by using the app's built-in test feature.
  1. Select the app then click the Configuration tab.
  2. Select the app.config file from App Settings.
  3. Scroll to the end and choose Test Configuration.

    The self-test is individualized for each app.

If you did not find the problem, review the app logs as described in Checking the logs.

You can look up the <app deployment> deployment name with the following command.
sudo kubectl get pods -A -l apps.isc.ibm.com/app-type=app -L app.kubernetes.io/instance
If you see the following error, the cert.cer configuration file needs to be the complete certificate chain. When you install an app, the system tries to generate the full chain and upload it. If the cert.cer was modified, restart the app. You can also try setting cafile=false in app.config just as a point of debugging. Modifying app.config and saving it automatically restarts the pod.
Unable to lock /opt/app-root/src/.resilient/resilient_circuits_lockfile: HTTPSConnectionPool(host='example.net', port=443): Max retries exceeded with url: /rest/session (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))
For local or test systems, you might see the following error.
HTTPSConnectionPool(host='192.168.1.50', port=443): Max retries exceeded with url: /rest/session (Caused by SSLError(CertificateError("hostname '192.168.1.50' doesn't match 'resilient.localdomain'",),))

It happens when the hostname (listed in app.config) does not match the subject name of the certificate. By default, SOAR has a certificate with the subject name of "resilient.localdomain".

To resolve the problem, either fix the name mismatch, or change the cafile value to "false" in the app.config configuration file.

Other connection errors can also exist if proxies are needed. Not all apps support proxy settings. Refer to the app documentation. Contact the app developer group if you have a question on whether the proxy is supported for the app.

Check for errors in the App Manager log. The AppManager is on the SOAR platform. The resilient-app-manager.log can be found in /var/log/resilient-app-manager.
com.ibm.security.apps.manager.client.ManagerClientException: javax.ws.rs.ForbiddenException: HTTP 403 Forbidden
  • Check that the App Host and SOAR clocks are not skewed.
  • Check whether the pairing key was regenerated on the SOAR platform.

The problem can be corrected by re-pairing the App Host and SOAR by using the new pairing information when you click Regenerate. You need to re-create the instance as described in Create the App Hosts.

Checking connection errors

Proxy, firewall, and network settings that are not configured correctly can cause connection errors.

If you are using the standalone version, connection errors can occur if the firewall is not configured properly. Make sure that the firewall is configured properly as described by the procedure in Changed in 51.0.0.0 Installing the App Host stand-alone software.

Refer to the instructions in Configuring proxy authentication. Because not all apps support proxy settings, refer to the app documentation to determine whether the proxy is supported for the app.

If proxy and firewall are configured properly but you still have connection issues, have your networking team make sure that the network is configured properly.

You can use the manageAppHost checkconnection command to test the connection of the paired App Host, as shown in the following example:
[root@apphost ~]# manageAppHost checkconnection
INFO: Checking cluster API connectivity
Select the app host to test:
  [0] All
  [1] 834c437a-20e9-4c96-9c03-c81011035bc9    apphost1          v1.11.1.483
  [2] 87e510ed-dc7b-44d1-bab7-aa1ac91d09d9    apphost2          v1.12.1.530
Choose the app host ID from the list above (0-2):
2
INFO: Using app host 87e510ed-dc7b-44d1-bab7-aa1ac91d09d9 (apphost2)
INFO: Checking app host 87e510ed-dc7b-44d1-bab7-aa1ac91d09d9 (apphost2, version 1.12.1.530)
INFO: Checking controller deployment
INFO: Checking controller functionality
INFO: Checking app deployments
INFO: End of app host check for 87e510ed-dc7b-44d1-bab7-aa1ac91d09d9

>>> App host 87e510ed-dc7b-44d1-bab7-aa1ac91d09d9 (apphost2, version 1.12.1.530) <<<
No problem found.

Connection error when certificate is refreshed

If the web server certificate changes, the App Host might encounter SSL issue when connecting to the cluster.

Symptoms

You see an SSL connection issue when connecting to the cluster.

Diagnosing the problem

If you run the manageAppHost checkconnection command, you see the following error if the web server certificate changes and the App Host encounters an SSL connection error:

>>> App host 2e8917d5-bf19-416b-917c-23cd1b778a02 (test, version 1.12.1.530) <<<
- [error] Component synchronizer is not ready
- [error] App host 2e8917d5-bf19-416b-917c-23cd1b778a02 (test2) network error: [Failed SSL handshake to AppManager] java.security.cert.CertificateException: Certificate CN=*.ite1.isc.ibmcloudsecurity.com, O=International Business Machines Corporation, L=Armonk, ST=New York, C=US does not match the specified manager certificate

Resolving the problem

Run the manageAppHost certificate command so that the App Host retrieves and updates the new certificate:
# manageAppHost certificate
INFO: Configuring certificate
INFO: Using app host 327b6526-462c-4eff-ad77-2513fb19230d (test123)
INFO: Configuring certificate for App Host test123
INFO: Certificate configuration succeeded

If the new server certificate cannot be validated, you are prompted to explicitly trust the certificate.

App Host does not upgrade

After an upgrade, the version number remains the same.

After you upgrade the App Host software, check the version number.
manageAppHost --version
If the version number did not change, check that the deployment-synchronizer and deployment-operator are running.
sudo kubeclt get pods -n <namespace>
If the deployment-synchronizer is running, check the synchronizer logs.
kubectl logs pod/deployment-synchronizer-<uniqueid> -n <namepsace>

App Host version is unknown

On the Apps tab, the App Host version appears as Unknown.

When this problem occurs, you might not be able to select the App Host when you install an app.

To resolve this issue, follow these steps:
  1. On the App Host, type this command to restart it. 
    sudo restartAppHost

    When multiple App Hosts are detected, the system prompts you to select which one you want to restart.

  2. Wait for the App Host container to restart.

    To verify that the App Host containers are running correctly, see Checking the App Host and containers.

Unable to select the App Host when you install an app

When installing an app, the App Host does not appear in the App Host list.

When this problem occurs, on the Apps tab, the App Host version might appear as Unknown.

To resolve this issue, follow these steps:
  1. On the App Host, type this command to restart it. 
    sudo restartAppHost

    When multiple App Hosts are detected, the system prompts you to select which one you want to restart.

  2. Wait for the App Host container to restart.

    To verify that the App Host containers are running correctly, see Checking the App Host and containers.

Checking the logs

You can check the App Host logs from the SOAR Apps tab.
  1. Click Download Logs from the app's Details page.

    The log is the Resilient® Circuits log. It provides the status of the app within the App Host container (shown as the Pod status), and the name of the app repository (shown as image=<name>).

  2. Look for errors where Resilient Circuits tries to contact the outside world and Kubernetes networking issues are blocking it.
  3. If you see no obvious errors, check the permissions and settings for the app's API key account.
You can also access the log from the App Host system by using the following command.
sudo kubectl logs deployment/<app deployment> -n <namespace>

For more information, see Apps and App Host logs.