Troubleshooting
Problem
When setting up LDAP authentication with Active Directory, the Test Connection option fails with an SSL handshake exception for connections made over LDAPS.
Symptom
On the LDAP Authentication page, when using the Test Connection option for Active Directory, for connections done via LDAPS, an error message is observed regarding the SSL handshake:
Cause
This error indicates that QRadar® does not have every certificate in the chain of trust for the Active Directory server certificate in its trust store. It typically occurs when the server certificate was issued by an intermediate certificate authority (CA) rather than directly by the root CA, and only the root CA certificate (or only the server certificate) was imported, so QRadar cannot build a complete path from the server certificate to a trusted root.
Environment
Windows Active Directory Server 2012
Windows Active Directory Server 2016
Diagnosing The Problem
The following entry appears in /var/log/qradar.error on the QRadar Console when the Test Connection option is used:
[tomcat.tomcat] [admin@ (6154) /console/JSON-RPC/QRadar.isLDAPConnectionAvailable QRadar.isLDAPConnectionAvailable] com.q1labs.frameworks.crypto.trustmanager.CertificateValidator: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]checkCertificatePinning failed.
Resolving The Problem
NOTE: These steps are applicable to LDAPS based authentication for other directory servers as well.
1. Ask the Active Directory administrator for every certificate in the chain of trust for the server certificate: the issuing CA, any further intermediate CAs and the root CA. Place all of these certificates in /opt/qradar/conf/trusted_certificates/.
2. If the Active Directory administrator has not provided the chain or does not know which certificates it contains, you can read what the server presents during the TLS handshake. The following command saves the server's own certificate (the first certificate in the chain the server sends):
cd /opt/qradar/conf/trusted_certificates/
openssl s_client -connect <AD server FQDN>:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform pem > ad_ldap_server.pem
Note: With -showcerts, openssl s_client prints every certificate the server sends, each as a block between BEGIN CERTIFICATE and END CERTIFICATE lines; piping the output through openssl x509 keeps only the first block. The server normally sends its own certificate and the intermediate CA certificates but not the root CA certificate, so the root must still be obtained from the Active Directory administrator.
Note: Replace port 636 with 3269 (the Global Catalog SSL port) if the LDAP configuration connects to the Global Catalog rather than to a single domain. Run the following command from the QRadar Console to verify that port 3269 is reachable:
telnet <AD server FQDN> 3269
3. Run the following command to inspect the certificate:
openssl x509 -in ad_ldap_server.pem -text -noout
Note: Typically, the Subject and Subject Alternative Name fields contain the Fully Qualified Domain Name (FQDN) of the Active Directory server. The Issuer field names the CA whose certificate must also be present in the trust store; follow the Issuer fields upward until you reach a self-signed root CA certificate, and make sure every certificate on that path is in /opt/qradar/conf/trusted_certificates/.
4. For the users who received the error message, have them clear their browser caches and attempt to log in again.
5. If the server certificate is correct when running the openssl command, but the Test Connection option still fails with the same error, restart Tomcat so that it picks up all of the new SSL certificates. Important: While the Tomcat service restarts, the QRadar UI is unavailable to all users. Administrators with strict outage policies are advised to complete this step during a scheduled maintenance window for their organization.
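The following script is an added example and is not part of the IBM page or of QRadar. It reproduces the failure mode described above offline: it builds a throwaway root CA, intermediate (issuing) CA and server certificate with openssl, constructs an s_client -showcerts style dump (server certificate plus intermediate, no root, which is what a server normally sends), splits that dump into one PEM file per certificate, and then validates the server certificate against two candidate trust stores. The hostname ad1.example.test, the CA names and the store_root_only and store_full directories are made up; the directories stand in for /opt/qradar/conf/trusted_certificates/. The store that holds only the root fails with "unable to get local issuer certificate", the store that also holds the intermediate succeeds, and a wrong FQDN fails the Subject/SAN check from step 3.

```shell
#!/bin/sh
# Added example, not from the IBM page: throwaway root -> intermediate -> server PKI,
# an s_client-style chain dump split into one file per certificate, and a chain check
# against a trust store that lacks / contains the intermediate CA certificate.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Create root CA, intermediate CA and server certificate, plus two candidate trust stores.
# All names are made up for the demo.
make_test_pki() {
    # Minimal req config so the script does not depend on the system openssl.cnf
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_ca\n[dn]\nCN = Common Name\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$WORK/req.cnf"
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:ad1.example.test\n' > "$WORK/leaf.ext"

    openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Test Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Test Issuing CA" -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
    openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=ad1.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

    # Two stand-ins for /opt/qradar/conf/trusted_certificates/: root only, and root + issuing CA
    mkdir -p "$WORK/store_root_only" "$WORK/store_full"
    cp "$WORK/root.pem" "$WORK/store_root_only/"
    cp "$WORK/root.pem" "$WORK/inter.pem" "$WORK/store_full/"
}

# Split an `openssl s_client -showcerts` dump into cert_0.pem, cert_1.pem, ... in $WORK.
# cert_0 is the server's own certificate; the rest are whatever else the server sent
# (usually the intermediates, rarely the root). Prints the number of certificates found.
split_chain() {
    awk -v dir="$WORK" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert_%d.pem", dir, n); n++ }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }' "$1"
}

# Print Subject and Issuer of one PEM certificate (the fields step 3 tells you to check).
show_cert() {
    openssl x509 -in "$1" -noout -subject -issuer
}

# Treat every .pem file in a directory as the trust store and try to build a path from the
# server certificate ($1) to a root in that store ($2), also checking the FQDN ($3) against
# Subject/SAN. Prints "ok" or the OpenSSL reason for the failure.
verify_against_store() {
    cat "$2"/*.pem > "$WORK/bundle.pem"
    if out=$(openssl verify -CAfile "$WORK/bundle.pem" -verify_hostname "$3" "$1" 2>&1); then
        echo ok
    else
        echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: //p' | head -n 1
    fi
}

demo() {
    make_test_pki
    # Constructed stand-in for `openssl s_client -connect <AD server FQDN>:636 -showcerts`
    # output: the server sends its own certificate and the intermediate, but not the root.
    {
        echo 'CONNECTED(00000003)'
        echo 'Certificate chain'
        echo ' 0 s:CN = ad1.example.test'
        echo '   i:CN = Test Issuing CA'
        cat "$WORK/leaf.pem"
        echo ' 1 s:CN = Test Issuing CA'
        echo '   i:CN = Test Root CA'
        cat "$WORK/inter.pem"
        echo '---'
    } > "$WORK/showcerts.txt"

    n=$(split_chain "$WORK/showcerts.txt")
    echo "server sent $n certificate(s):"
    i=0
    while [ "$i" -lt "$n" ]; do show_cert "$WORK/cert_$i.pem"; i=$((i + 1)); done

    echo "store with root only:       $(verify_against_store "$WORK/cert_0.pem" "$WORK/store_root_only" ad1.example.test)"
    echo "store with root + issuing:  $(verify_against_store "$WORK/cert_0.pem" "$WORK/store_full" ad1.example.test)"
    echo "root + issuing, wrong FQDN: $(verify_against_store "$WORK/cert_0.pem" "$WORK/store_full" dc02.example.test)"
}

demo
```

To apply the same check on a real Console, save the s_client -showcerts output to a file, run the split over it, read each certificate's Issuer with show_cert, and verify the server certificate against a bundle built from the files in /opt/qradar/conf/trusted_certificates/; the first certificate whose Issuer is not found in the bundle is the one that still has to be obtained from the Active Directory administrator.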
Document Location
Worldwide
Product: IBM Security QRadar SIEM (Security Software)
Category: Admin Tasks
Platform: Platform Independent
Versions: 7.3.3; 7.4.0; 7.4.1; 7.4.2; 7.4.3; 7.5.0
Document Information
Modified date:
15 March 2024
UID
ibm16413273