IJ26949: WinCollect 7.3.0 managed agent communication issues reported on QRadar appliances with encrypted host connections

Troubleshooting


Problem

This technical note provides further information and a workaround for administrators with communication issues between encrypted QRadar® appliances and WinCollect 7.3.0 agents as described in APAR IJ26949.

Symptom

Recently updated WinCollect 7.3.0 (V7.3.0-24) agents cannot communicate or register to the QRadar appliance when the host is encrypted in the deployment. When this issue occurs, WinCollect agents cannot register or receive log source updates due to the communication issue between the agent and the QRadar® appliance.

Environment

WinCollect 7.3.0 agents.

Diagnosing The Problem

When a WinCollect 7.3.0 agent cannot communicate with the QRadar appliance after an upgrade, the workaround depends on the error messages written by the WinCollect agent to WinCollect.log or by the QRadar appliance managing the WinCollect agents to /var/log/qradar.error. Administrators must select the workaround associated with the error messages displayed in the logs.

1. Agent generates 'unable to find certificate path' or 'no subject alternative names matching IP address' errors
If the agent believes the certificate is incorrect or cannot find the path, the configuration server protocol on the QRadar appliance writes an error message to /var/log/qradar.error of the appliance managing the remote WinCollect V7.3.0 agents. These errors indicate that the administrator needs to update a file on the QRadar Console to enable legacy support for the WinCollect Configuration Server protocol. Legacy support mode allows the protocol to use localhost tunnels to communicate to the encrypted QRadar appliance.
Administrators can review the QRadar appliance logs to determine whether the WinCollectConfigHandler displays an error message in /var/log/qradar.error. This error message is generated on the appliance managing the WinCollect agent to indicate that the localhost address is not in the certificate and a legacy mode update is required:

[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] com.q1labs.frameworks.crypto.trustmanager.extended.Q1X509FullTrustManager:
[ERROR] [X.X.X.X/- -] [-/- -] Server Not Trusted No subject alternative names matching IP address
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found

2. Agent generates 'Register with configuration server failed' errors
If the WinCollect agent locates the certificate but cannot register to the QRadar appliance, the WinCollect service writes debug messages to C:\Program Files\IBM\WinCollect\logs\WinCollect.log. These messages indicate that the agent cannot determine the IP address of the QRadar appliance it must register with; a workaround can be applied in the WinCollectConfigServer.vm file to resolve this issue.

Administrators can log in to the Windows host and review WinCollect.log for the following errors:
DEBUG SRV.Code.SSLConfigServerAPIClient.v2.XXXX : Received connection establishment response (result code 2147483649, wire versions 2.0)
DEBUG SRV.Code.ConfigServerConnection.SSL.X.X.X.X : BeginUpdateTransaction: failed -- An error was reported on server. Check the server's log files for details.
DEBUG SRV.System.WinCollectSvc.Service : Register with configuration server failed -- An error was reported on server. Check the server's log files for details. -- will try again later
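As an added triage example (not part of this technote and not the WinCollect-WA-APAR-IJ26949 utility), the following Python script reads the text of the two log files named above and reports which of the two symptoms it finds and therefore which workaround number applies. The sample log lines are constructed from the messages quoted in this note; the function and pattern names are assumptions.

```python
import re

# Constructed sample lines modelled on the messages quoted in this technote
# (not a capture from a real appliance or agent).
QRADAR_ERROR_SAMPLE = """\
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] com.q1labs.frameworks.crypto.trustmanager.extended.Q1X509FullTrustManager:
[ERROR] [X.X.X.X/- -] [-/- -] Server Not Trusted No subject alternative names matching IP address
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
"""

WINCOLLECT_LOG_SAMPLE = """\
DEBUG SRV.Code.SSLConfigServerAPIClient.v2.XXXX : Received connection establishment response (result code 2147483649, wire versions 2.0)
DEBUG SRV.Code.ConfigServerConnection.SSL.X.X.X.X : BeginUpdateTransaction: failed -- An error was reported on server. Check the server's log files for details.
DEBUG SRV.System.WinCollectSvc.Service : Register with configuration server failed -- An error was reported on server. Check the server's log files for details. -- will try again later
"""

# Symptom 1 (appliance side): SAN mismatch, capturing the address that was not in the certificate,
# or the 'certificate path' wording from this note (also the standard Java 'certification path' form).
SAN_MISMATCH = re.compile(r"No subject alternative names matching IP address\s+(\d{1,3}(?:\.\d{1,3}){3})\s+found")
CERT_PATH = re.compile(r"unable to find (?:valid )?certificat(?:e|ion) path", re.IGNORECASE)
# Symptom 2 (agent side): registration failure, plus the result code from the establishment response.
REGISTER_FAILED = re.compile(r"Register with configuration server failed")
RESULT_CODE = re.compile(r"Received connection establishment response \(result code (\d+)")


def triage(qradar_error_text, wincollect_log_text):
    """Return a list of findings, each naming the symptom, a detail and the workaround number."""
    findings = []
    for line in qradar_error_text.splitlines():
        if "WinCollectConfigHandler" not in line:  # only the configuration server handler matters here
            continue
        m = SAN_MISMATCH.search(line)
        if m:
            findings.append({"symptom": "san_mismatch", "detail": m.group(1), "workaround": 1})
        elif CERT_PATH.search(line):
            findings.append({"symptom": "cert_path", "detail": None, "workaround": 1})
    codes = RESULT_CODE.findall(wincollect_log_text)
    if REGISTER_FAILED.search(wincollect_log_text):
        findings.append({"symptom": "register_failed", "detail": codes[-1] if codes else None, "workaround": 2})
    return findings


def workarounds_needed(qradar_error_text, wincollect_log_text):
    """Distinct workaround numbers (1 = legacy mode update, 2 = WinCollectConfigServer.vm), in order."""
    return sorted({f["workaround"] for f in triage(qradar_error_text, wincollect_log_text)})


if __name__ == "__main__":
    for finding in triage(QRADAR_ERROR_SAMPLE, WINCOLLECT_LOG_SAMPLE):
        print(finding)
```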

Resolving The Problem

The workaround for APAR IJ26949 depends on the error messages displayed in the logs. Administrators can engage QRadar Support to determine which error message is displayed in the logs. The WinCollect-WA-APAR-IJ26949 utility allows support representatives or administrators to apply a workaround for APAR IJ26949 by updating the WinCollectConfigServer.vm file settings on the QRadar Console, which resolves the encrypted host communication issue or the certificate error messages.

What to do
1. Open a case with QRadar Support.
2. Include the logs from your QRadar Console appliance.
3. Include the WinCollect.log from one or more WinCollect agents experiencing issues after upgrading to WinCollect 7.3.0.
   Note: Logs are not required for all agents, but a sample from one or more agents with a communication issue can help determine the issue.

Results
A QRadar Support representative will contact you with more information about your case or schedule a WebEx to review your issues.

Document Location

Worldwide

Notice: Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Document Information

Modified date:
17 November 2020

UID

ibm16325963