IBM Support

QRadar: how to verify the validity of application framework certificates and certificates considerations

Question & Answer


Question

How do I verify the validity of application framework certificates?

Cause

Errors like the following can be seen in the journalctl logs for conman, docker, or traefik on either the console or the app host:

Oct 18 18:20:38 conman-server[33778]: 2019/10/18 18:20:38 http: TLS handshake error from xxx.xxx.xxx.85:38612: tls: failed to verify client's certificate: x509: certificate has expired or is not yet valid

Oct 23 10:22:28 conman-server[33778]: 2019/10/23 10:22:28 http: TLS handshake error from xxx.xxx.xxx.85:46270: tls: failed to verify client's certificate: x509: certificate has expired or is not yet valid

Oct 23 10:22:33 conman-server[33778]: 2019/10/23 10:22:33 http: TLS handshake error from xxx.xxx.xxx.85:46362: tls: failed to verify client's certificate: x509: certificate has expired or is not yet valid

Answer

Verifying certificate expiry dates

To verify certificate expiry dates, run the following command as root on the console:

for i in `/opt/qradar/ca/bin/si-qradarca list -print | awk -F ',' '{print $4}'`; do echo $i; openssl x509 -in $i -noout -enddate; done

notAfter=Jul  9 17:43:56 2029 GMT
notAfter=Jul 11 17:44:05 2022 GMT
notAfter=Jul 11 17:44:08 2021 GMT
notAfter=Mar 22 00:00:00 2021 GMT
notAfter=Jul 11 17:44:49 2022 GMT
notAfter=Jul 11 17:44:51 2021 GMT
notAfter=Jan  1 18:28:38 2020 GMT
notAfter=Jul 11 17:45:21 2022 GMT
notAfter=Jul 11 17:45:23 2020 GMT
notAfter=Jul 11 17:45:36 2022 GMT
notAfter=Jul 11 17:45:38 2021 GMT
notAfter=Jan  1 18:28:54 2020 GMT
notAfter=Jul 11 17:45:50 2022 GMT
notAfter=Jul 11 17:45:51 2021 GMT
notAfter=Jan  1 18:29:03 2020 GMT
notAfter=Jul 11 17:46:10 2022 GMT
notAfter=Jul 11 17:46:12 2021 GMT
notAfter=Jan  1 18:29:13 2020 GMT

Verifying certificate validity (7.5.0+)

You can verify whether all application certificates on a console are valid using the following command:

for i in $(/opt/qradar/ca/bin/si-qradarca list -print | grep -v /etc/ziptie-server/tls/certs/ziptie-server.cert | awk -F, '{print $4}' | sort | uniq); do echo $i; openssl verify -CAfile /etc/pki/tls/cert.pem $i; done

If you are running an app host in addition to your console and want to verify the certificates, use the following command:

for i in $(find /etc/conman/tls /etc/traefik/tls /etc/docker/tls /etc/httpd/conf/certs /etc/pki/ca-trust/source/anchors -type f \( -name "*.cert" -o -name "*.pem" -o -name "*.crt" ! -name si-registry_ca.crt \)); do echo $i; openssl verify -CAfile /etc/pki/tls/cert.pem $i; done

A correct output prints each certificate path followed by a verification line for that path ending in OK, as in the following example:

/etc/conman/tls/conman_ca.crt
/etc/conman/tls/conman_ca.crt: OK
/etc/conman/tls/conman.cert
/etc/conman/tls/conman.cert: OK
/etc/docker-distribution/tls/docker-distribution_ca.crt
/etc/docker-distribution/tls/docker-distribution_ca.crt: OK
/etc/docker-distribution/tls/docker-distribution.cert
/etc/docker-distribution/tls/docker-distribution.cert: OK
/etc/docker/tls/registry/docker-client-registry.cert
/etc/docker/tls/registry/docker-client-registry.cert: OK
/etc/docker/tls/si-docker_ca.crt
/etc/docker/tls/si-docker_ca.crt: OK
/etc/docker/tls/si-docker.cert
/etc/docker/tls/si-docker.cert: OK
/etc/httpd/conf/certs/cert.cert
/etc/httpd/conf/certs/cert.cert: OK
/etc/pki/ca-trust/source/anchors/intermediate-qradar-ca_ca.crt
/etc/pki/ca-trust/source/anchors/intermediate-qradar-ca_ca.crt: OK
/etc/pki/ca-trust/source/anchors/root-qradar-ca_ca.crt
/etc/pki/ca-trust/source/anchors/root-qradar-ca_ca.crt: OK
/etc/si-postfix/tls/si-postfix.cert
/etc/si-postfix/tls/si-postfix.cert: OK
/etc/tomcat/tls/conman/tomcat-client-conman.cert
/etc/tomcat/tls/conman/tomcat-client-conman.cert: OK
/etc/tomcat/tls/traefik/tomcat-client-traefik.cert
/etc/tomcat/tls/traefik/tomcat-client-traefik.cert: OK
/etc/traefik/tls/docker/traefik-client-docker.cert
/etc/traefik/tls/docker/traefik-client-docker.cert: OK
/etc/traefik/tls/traefik_ca.crt
/etc/traefik/tls/traefik_ca.crt: OK
/etc/traefik/tls/traefik.cert
/etc/traefik/tls/traefik.cert: OK
/opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML_ca.crt
/opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML_ca.crt: OK
/opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML.crt
/opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML.crt: OK
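The two loops above print raw notAfter dates and per-file verify results, which leaves the operator to work out by eye which certificates have already expired or are about to. The following script is an added example, not part of the IBM page or of QRadar itself: it turns the path/notAfter pairs that the expiry loop prints into an EXPIRED/EXPIRING/OK status with days remaining, and wraps the page's openssl checks into one per-file function. It assumes GNU date (for -d) and the openssl CLI; the path-to-date pairing in the sample is constructed, the dates themselves are taken from the page.

```shell
#!/bin/sh
# Added example, not from the IBM page: classify the notAfter output of the
# page's expiry loop and wrap its two openssl checks into one per-file call.
# Assumes GNU date (-d) and the openssl CLI; certificate paths are the page's.
WARN_DAYS=${WARN_DAYS:-30}   # report EXPIRING when fewer days than this remain

# classify_enddate "notAfter=<openssl date>" <reference epoch seconds>
# Prints "<EXPIRED|EXPIRING|OK> <days left>", e.g. "EXPIRED -365".
classify_enddate() {
    end_epoch=$(date -u -d "${1#notAfter=}" +%s) || return 2
    days=$(( (end_epoch - $2) / 86400 ))
    if [ "$end_epoch" -le "$2" ]; then echo "EXPIRED $days"
    elif [ "$days" -lt "$WARN_DAYS" ]; then echo "EXPIRING $days"
    else echo "OK $days"; fi
}

# report_enddates <reference epoch>: reads the path line / notAfter line
# pairs the page's loop prints (with echo $i) from stdin, prints one
# status line per certificate, and returns 1 if any has expired.
report_enddates() {
    rc=0
    while IFS= read -r path && IFS= read -r end_line; do
        status=$(classify_enddate "$end_line" "$1")
        echo "$status $path"
        case $status in EXPIRED*) rc=1 ;; esac
    done
    return $rc
}

# check_cert_file <cert path>: the page's checks for a single file.
# -checkend exits non-zero if the cert expires within the given seconds.
check_cert_file() {
    openssl x509 -in "$1" -noout -checkend $((WARN_DAYS * 86400)) >/dev/null \
        || echo "EXPIRING/EXPIRED $1"
    openssl verify -CAfile /etc/pki/tls/cert.pem "$1"
}

# Constructed sample in the shape the expiry loop prints when echo $i is
# kept: a path line followed by its notAfter line (dates from the page,
# pairing of path and date is constructed).
SAMPLE_OUTPUT='/etc/conman/tls/conman_ca.crt
notAfter=Jul  9 17:43:56 2029 GMT
/etc/conman/tls/conman.cert
notAfter=Jul 11 17:44:05 2022 GMT
/etc/traefik/tls/traefik.cert
notAfter=Jan  1 18:28:38 2020 GMT'

# Stand-alone run: evaluate the sample as of 2021-01-01 00:00:00 UTC.
printf '%s\n' "$SAMPLE_OUTPUT" | report_enddates 1609459200 \
    || echo "at least one certificate has expired"
```

On a live console, pipe the page's expiry loop into report_enddates "$(date +%s)" to get the same status lines for the real certificates, and call check_cert_file on any path that is flagged.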


Document Information

Modified date:
01 November 2023

UID

ibm16191091