IBM Support

QRadar: Configuring LDAP authentication with SSL option fails with a certificate pinning error

Troubleshooting


Problem

When setting up LDAP authentication against Active Directory over LDAPS, the Test Connection option fails with an SSL handshake exception.

Symptom

On the LDAP Authentication page, using the Test Connection option for an Active Directory connection over LDAPS produces an error message about the SSL handshake:

[Screenshot: SSL handshake error message shown by Test Connection on the LDAP Authentication page]

Cause

This error indicates that QRadar® is missing a certificate from the chain of trust for the Active Directory server certificate. It typically occurs when the server certificate was issued by an intermediate Certificate Authority (CA) rather than directly by the root CA, so the root CA certificate alone is not enough to validate it.

Environment

Windows Active Directory Server 2012
Windows Active Directory Server 2016

Diagnosing The Problem

The following entry is seen in the qradar.error file when the Test Connection option is used:
[tomcat.tomcat] [admin@ (6154) /console/JSON-RPC/QRadar.isLDAPConnectionAvailable QRadar.isLDAPConnectionAvailable] com.q1labs.frameworks.crypto.trustmanager.CertificateValidator: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]checkCertificatePinning failed.

Resolving The Problem


NOTE: These steps also apply to LDAPS-based authentication against other directory servers.
  1. Ask the Active Directory administrator for every certificate in the chain of trust for the server certificate (the issuing intermediate CA certificates and the root CA certificate). Place all of these certificates in /opt/qradar/conf/trusted_certificates/.
     
  2. If the Active Directory administrator has not provided the certificate chain or does not know which certificates it contains, run the following commands from the QRadar Console to extract the chain that the Active Directory server presents:
     
    cd /opt/qradar/conf/trusted_certificates/
    openssl s_client -connect <AD server FQDN>:636 -showcerts </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > ad_ldap_server.pem

    Note: The sed filter keeps every certificate that the server sends (the server certificate followed by any intermediate CA certificates). Piping the output through "openssl x509" instead keeps only the first certificate, which is the server certificate alone, not the chain. Servers normally do not send the root CA certificate, so the root CA certificate still has to be obtained from the Active Directory administrator and placed in the same directory.

    Note: Replace port 636 with 3269 (the Global Catalog SSL port) if you are connecting to the root domain of the Active Directory. Run the following command from the QRadar Console to verify that port 3269 is reachable:
     
    telnet <AD server FQDN> 3269
  3. Run the following command to inspect the server certificate:
     
    openssl x509 -in ad_ldap_server.pem -text -noout
    Note: This prints the first certificate in the file, which is the server certificate. Typically, the Subject and Subject Alternative Name fields contain the Fully Qualified Domain Name (FQDN) of the Active Directory server; check that it matches the server name configured in QRadar.
     
  4. Have any users who received the error message clear their browser cache and try to log in again.
  5. If the server certificate is correct when inspected with the openssl command but Test Connection still fails with the same error, restart Tomcat so that it picks up the new SSL certificates. Important: While the Tomcat service restarts, the QRadar UI is unavailable to all users. Administrators with strict outage policies are advised to complete this step during a scheduled maintenance window for their organization.
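The steps above can be worked through as a single check of what the Active Directory server actually presents. The script below is an added example for this page, not IBM's code and not part of QRadar: it parses the output of "openssl s_client -showcerts", splits it into one PEM file per certificate, and reports whether the presented chain is complete up to a self-signed root, which is the condition the checkCertificatePinning error points at. The script name check_chain.py and the file prefix ad_ldap_chain are assumptions, and SAMPLE_OUTPUT is constructed with made-up names and placeholder base64 bodies rather than real certificates.

```python
"""Split `openssl s_client -showcerts` output into the individual certificates
of the presented chain and check that the chain is complete.

Added example for this support page; not IBM or QRadar code. SAMPLE_OUTPUT is
constructed: the names are made up and the base64 bodies are placeholders.
"""
import os
import re
import sys
from typing import List, NamedTuple


class ChainCert(NamedTuple):
    index: int    # position in the chain: 0 is the server certificate
    subject: str  # from the " N s:" line printed by s_client
    issuer: str   # from the "   i:" line printed by s_client
    pem: str      # the -----BEGIN/END CERTIFICATE----- block


# Constructed sample in the layout s_client uses; the server sends its own
# certificate and the intermediate CA, but not the root CA.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = dc01.example.test
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIBconstructedLeafCertificatePlaceholder
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBconstructedIntermediatePlaceholder
-----END CERTIFICATE-----
---
Server certificate
subject=CN = dc01.example.test
issuer=CN = Example Issuing CA
---
"""

# One chain entry: index, subject line, issuer line, then the PEM block.
_ENTRY = re.compile(
    r"^\s*(?P<index>\d+)\s+s:(?P<subject>[^\n]*)\n"
    r"\s*i:(?P<issuer>[^\n]*)\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)",
    re.MULTILINE | re.DOTALL,
)


def _norm(name: str) -> str:
    """Normalise 'CN = x' (newer OpenSSL) and '/CN=x' (older OpenSSL) to 'CN=x'."""
    return re.sub(r"\s*=\s*", "=", name.strip().lstrip("/"))


def parse_chain(s_client_output: str) -> List[ChainCert]:
    """Return every certificate the server presented, in chain order."""
    return [
        ChainCert(int(m.group("index")), _norm(m.group("subject")),
                  _norm(m.group("issuer")), m.group("pem") + "\n")
        for m in _ENTRY.finditer(s_client_output)
    ]


def chain_problems(certs: List[ChainCert]) -> List[str]:
    """Describe gaps in the presented chain; an empty list means each
    certificate is issued by the next one and the last one is self-signed."""
    if not certs:
        return ["no certificates found in s_client output"]
    problems = []
    for cur, nxt in zip(certs, certs[1:]):
        if cur.issuer != nxt.subject:
            problems.append(f"certificate {cur.index} is issued by '{cur.issuer}' "
                            f"but certificate {nxt.index} is '{nxt.subject}'")
    last = certs[-1]
    if last.issuer != last.subject:
        problems.append(f"root CA '{last.issuer}' was not sent by the server; "
                        "obtain its certificate from the AD administrator")
    return problems


def write_chain(certs: List[ChainCert], directory: str = ".",
                prefix: str = "ad_ldap_chain") -> List[str]:
    """Write one PEM file per certificate so each CA certificate stays
    individually identifiable in the trusted_certificates directory."""
    paths = []
    for c in certs:
        path = os.path.join(directory, f"{prefix}_{c.index}.pem")
        with open(path, "w", encoding="ascii") as fh:
            fh.write(c.pem)
        paths.append(path)
    return paths


if __name__ == "__main__":
    # Read piped s_client output; fall back to the constructed sample.
    data = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    chain = parse_chain(data)
    for c in chain:
        print(f"{c.index}: subject={c.subject!r} issuer={c.issuer!r}")
    for problem in chain_problems(chain):
        print("WARNING:", problem)
```

On the QRadar Console this would be run as `openssl s_client -connect <AD server FQDN>:636 -showcerts </dev/null 2>/dev/null | python3 check_chain.py`; a WARNING about the root CA means the server is behaving normally but the root certificate must be obtained separately, while a WARNING about mismatched issuer and subject means the server is sending an incomplete or wrong intermediate, which the AD administrator needs to correct.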

Document Location

Worldwide


Document Information

Modified date:
15 March 2024

UID

ibm16413273