Troubleshooting
Problem
When a user logs in to a QRadar console that is set up with LDAPS-based authentication, the login fails with a generic error.
Symptom
A user login to a QRadar® console that is set up with LDAPS-based authentication fails with a generic error:
‘The username and password you supplied are not valid. Please try again.’
Cause
Apart from incorrect credentials, this error can occur because a certificate in the chain of trust required for the LDAPS connection is missing. This typically happens when intermediate Certificate Authorities (CAs) are involved rather than just the root CA.
Diagnosing The Problem
The qradar.error log file contains the following message at the time of the user's login attempt:
Feb 7 22:13:14 x.x.x.x [tomcat.tomcat] [Thread-604] com.q1labs.frameworks.crypto.trustmanager.CertificateValidator: [INFO] [NOT:0000006000][x.x.x.x/- -] [-/- -]Audit logging msg:(tomcat) Validating certficate chain failed. chain:[0]X509Certificate : { SubjectDN : CN=XXXX, OU=XXX, DC=YYY, DC=net, IssuerDN : CN=XXX-CA, DC=YYY, DC=net},[1]X509Certificate : { SubjectDN : CN=XXX-CA, DC=YYY, DC=net, IssuerDN : CN=XXX Root CA, DC=YYY, DC=net},, params:CertValidatorParameters [enableLegacySupport :true,checkPinning :false,checkRevocation :true,checkSelfsigned :true,checkUsage :true,checkCaIssuersInAuthInfoAccess :false,trustStores :/opt/qradar/conf/trusted_certificates,], exception:com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CertificateException: checkCertificatePinning failed.
Resolving The Problem
- Obtain all the certificates that belong to the chain of trust for the LDAP server's certificate from the LDAP directory server's administrator. Place all of these certificates in /opt/qradar/conf/trusted_certificates/.
- If the administrator has not provided the correct certificate chain, or is not aware of it, you can run the following commands to extract the certificate chain from the LDAP server:
cd /opt/qradar/conf/trusted_certificates/
openssl s_client -connect <LDAP server FQDN>:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform pem > ldap_server.pem
Note: Replace port 636 with 3269 (the Global Catalog port) if you are connecting to the root domain of an Active Directory server (this does not apply to other LDAP servers). Run the following command from the QRadar Console to verify whether port 3269 is open:
telnet <AD server FQDN> 3269
- Run the following command to verify the certificate:
openssl x509 -in ldap_server.pem -text -noout
Note: Typically, the fields Subject and Subject Alternative Name contain the Fully Qualified Domain Name (FQDN) of that LDAP server.
- Attempt to test the connection again and check whether it succeeds.
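The following script is an added example and is not part of the IBM technote or of QRadar. It reproduces the failure mode described above offline: it builds a throwaway three-level PKI with openssl (root CA, issuing CA, LDAP server certificate), splits a `-showcerts` style capture into one file per certificate, and checks the server certificate against a directory of trusted certificates first with only the root CA present (chain validation fails) and then with the issuing CA added from the capture (chain validation succeeds). One caveat it illustrates: `openssl x509` reads only the first PEM block on its input, so the extraction command above saves the server's own certificate, while the CA certificates that `-showcerts` prints after it are dropped; `split_chain` keeps all of them. All names (example.net, "Example Root CA", the temporary paths) are constructed, and modelling QRadar's validator with `openssl verify` over a bundle of the trusted directory is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the IBM technote. Constructed PKI and paths throughout.
set -eu

# Split a concatenated PEM stream (e.g. saved output of `openssl s_client -showcerts`)
# into cert-0.pem (server certificate), cert-1.pem (its issuer), ... under $2.
# Prints the number of certificates found.
split_chain() {
    input="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        BEGIN { n = 0; f = "" }
        /-----BEGIN CERTIFICATE-----/ { f = dir "/cert-" n ".pem"; n++ }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$input"
    ls "$outdir" | grep -c '^cert-[0-9]*\.pem$'
}

# gen_csr <dir> <name> <subject>: private key plus CSR for one certificate.
gen_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.csr" -subj "$3" 2>/dev/null
}

# Build root CA -> issuing CA -> LDAP server certificate under $1 and write a
# showcerts.pem that looks like what `-showcerts` returns (server cert, then issuer).
make_chain() {
    d="$1"; mkdir -p "$d"
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' > "$d/ca.ext"
    printf '%s\n' 'basicConstraints=CA:FALSE' 'subjectAltName=DNS:ldap.example.net' > "$d/leaf.ext"

    gen_csr "$d" root "/DC=net/DC=example/CN=Example Root CA"
    gen_csr "$d" int  "/DC=net/DC=example/CN=Example Issuing CA"
    gen_csr "$d" ldap "/DC=net/DC=example/CN=ldap.example.net"

    # Root CA: self-signed
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    # Issuing (intermediate) CA: signed by the root
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    # LDAP server certificate: signed by the issuing CA
    openssl x509 -req -in "$d/ldap.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 30 -extfile "$d/leaf.ext" -out "$d/ldap.pem" 2>/dev/null

    cat "$d/ldap.pem" "$d/int.pem" > "$d/showcerts.pem"
}

# Model a trust directory such as /opt/qradar/conf/trusted_certificates: every PEM
# file in $1 is trusted. Prints "ok" if a complete chain from $2 to a trusted
# self-signed root can be built, otherwise "fail".
verify_against_store() {
    store="$1"; leaf="$2"
    cat "$store"/*.pem > "$store.bundle"
    if openssl verify -CAfile "$store.bundle" "$leaf" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Walk through the two states: root CA only, then root CA plus the issuing CA
# recovered from the -showcerts capture.
demo() {
    w="$(mktemp -d)"
    make_chain "$w/pki"
    store="$w/trusted_certificates"; mkdir -p "$store"

    # Only the root CA was imported: the issuing CA is missing, so the chain cannot be built.
    cp "$w/pki/root.pem" "$store/"
    before="$(verify_against_store "$store" "$w/pki/ldap.pem")"

    # Add every certificate from the capture (server cert and issuing CA): the chain completes.
    split_chain "$w/pki/showcerts.pem" "$w/chain" >/dev/null
    cp "$w/chain"/cert-*.pem "$store/"
    after="$(verify_against_store "$store" "$w/pki/ldap.pem")"

    rm -rf "$w"
    echo "root only: $before, root + issuing CA: $after"
}

demo
```

On a real console the equivalent of the second state is copying each file produced by `split_chain` (or the CA certificates supplied by the directory administrator) into /opt/qradar/conf/trusted_certificates/ and retrying the LDAPS login; `openssl x509 -in <file> -text -noout` on each file shows which subject and issuer it carries, so you can confirm that the issuer of the server certificate is present.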
Document Location
Worldwide
Document Information
Modified date:
22 February 2021
UID
ibm16413277