IBM Support

QRadar: LDAPS based log-in fails with a generic error

Troubleshooting


Problem

When a user logs in to a QRadar console that is set up with LDAPS-based authentication, the log-in fails with a generic error.

Symptom

A user log-in to a QRadar® console set up with LDAPS-based authentication fails with a generic error:
The username and password you supplied are not valid. Please try again.

Cause

Apart from incorrect credentials, this error can occur because a certificate in the chain of trust required for the LDAPS connection is missing. This is most likely when intermediate Certificate Authorities (CAs) are involved rather than just the root CA.

Diagnosing The Problem

The qradar.error log file contains the following error message at the time of the user's log-in attempt:
Feb  7 22:13:14 x.x.x.x [tomcat.tomcat] [Thread-604] com.q1labs.frameworks.crypto.trustmanager.CertificateValidator: [INFO] [NOT:0000006000][x.x.x.x/- -] [-/- -]Audit logging msg:(tomcat) Validating certficate chain failed. chain:[0]X509Certificate : { SubjectDN : CN=XXXX, OU=XXX, DC=YYY, DC=net, IssuerDN : CN=XXX-CA, DC=YYY, DC=net},[1]X509Certificate : { SubjectDN : CN=XXX-CA, DC=YYY, DC=net, IssuerDN : CN=XXX Root CA, DC=YYY, DC=net},, params:CertValidatorParameters [enableLegacySupport :true,checkPinning :false,checkRevocation :true,checkSelfsigned :true,checkUsage :true,checkCaIssuersInAuthInfoAccess :false,trustStores :/opt/qradar/conf/trusted_certificates,], exception:com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CertificateException: checkCertificatePinning failed.

Resolving The Problem

  1. Obtain all the certificates that belong to the chain of trust for the server certificate from the LDAP directory server's administrator. Place all these certificates in /opt/qradar/conf/trusted_certificates/.
     
  2. If the administrator has not provided or is not aware of the correct certificate chain, you can run the following command to extract the certificate chain from the LDAP server:
     
    cd /opt/qradar/conf/trusted_certificates/
    openssl s_client -connect <LDAP server FQDN>:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform pem > ldap_server.pem

    Note: Replace port 636 with 3269 (Global Catalog port) if you are connecting to the root domain of an Active Directory server (this is not applicable to other LDAP servers). Run the following command from the QRadar Console to verify if port 3269 is open:
     
    telnet <AD server FQDN> 3269
    
  3. Run the following command to verify the certificate:
     
    openssl x509 -in ldap_server.pem -text -noout

    Note: Typically, the fields Subject and Subject Alternative Name contain the Fully Qualified Domain Name (FQDN) of that LDAP server.
     
  4. Test the connection again and check whether it succeeds.
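Added example (not part of this IBM document or of QRadar): the openssl x509 filter in step 2 keeps only the first certificate from the -showcerts output, which is the server's own certificate, not the intermediate CA certificates the Cause section describes. The script below, assuming openssl and awk are available on the Console, takes the saved -showcerts output, writes one file per certificate (chain_1.pem, chain_2.pem, ...; hypothetical names) and walks the subject/issuer pairs to report whether the chain is complete, stops short of the root (the case to raise with the LDAP administrator), or is broken.

```sh
#!/bin/sh
# Added example (not from the IBM page): split the output of
#   openssl s_client -connect <LDAP server FQDN>:636 -showcerts
# into one PEM file per certificate and walk the chain, so a missing
# intermediate or root is visible before the files are copied into
# /opt/qradar/conf/trusted_certificates/.

# split_chain <showcerts-output-file> <out-dir>
# Writes chain_1.pem (server cert), chain_2.pem, ... and prints the count.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/chain_" n ".pem"; inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
        END { print n + 0 }
    ' "$1"
}

# cert_field <pem-file> subject|issuer -> the DN without the "subject="/"issuer=" prefix
cert_field() {
    openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'
}

# check_chain <out-dir> <count>: prints subject/issuer of every certificate. Returns
#   0  contiguous chain ending in a self-signed root
#   1  contiguous, but the last issuer was not sent (ask the LDAP administrator for it)
#   2  a certificate's issuer is not the next certificate's subject
check_chain() {
    dir=$1; n=$2; i=1
    [ "$n" -gt 0 ] || { echo "no certificates found"; return 2; }
    while [ "$i" -le "$n" ]; do
        subj=$(cert_field "$dir/chain_$i.pem" subject)
        iss=$(cert_field "$dir/chain_$i.pem" issuer)
        printf '[%d] subject: %s\n    issuer:  %s\n' "$i" "$subj" "$iss"
        if [ "$subj" = "$iss" ]; then
            echo "OK: chain ends in self-signed root at [$i]"; return 0
        fi
        if [ "$i" -eq "$n" ]; then
            echo "MISSING: issuer '$iss' was not sent by the server"; return 1
        fi
        next=$(cert_field "$dir/chain_$((i + 1)).pem" subject)
        if [ "$iss" != "$next" ]; then
            echo "BROKEN: [$i] is issued by '$iss' but [$((i + 1))] is '$next'"; return 2
        fi
        i=$((i + 1))
    done
}
```

Save the server's output with openssl s_client -connect <LDAP server FQDN>:636 -showcerts </dev/null 2>/dev/null > showcerts.txt, source the script, and run split_chain showcerts.txt . followed by check_chain . <count>. Only a chain that reports OK (or MISSING with the root obtained separately from the administrator) should be placed in /opt/qradar/conf/trusted_certificates/.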


     

Document Location

Worldwide


Document Information

Modified date:
22 February 2021

UID

ibm16413277