There are a number of issues caused by incorrect certificates downloading third-party scan results. The most common faults are listed, how to investigate and correct the certificate issues.
- Initialization error: Could not initialize scanner
- IOException caught while executing API call; Error message [Certificate for <...> doesn't match any of the subject alternative names: [_servername_]]
- com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CertificateException: checkCertificatePinning failed
- Initialization error: Could not initialize scanner 'InsightVM_LAB_API': SSL Certificate Error: ensure the certificate for [*.*.*.*:3780] has been added to the Trusted Certificates directory
- Unable to load X.509 certificate from file /opt/qradar/conf/trusted_certificates/expose_443.crt
- Wrote file [/opt/qradar/conf/trusted_certificates/_servername__443.crt] but size was 0 bytes
Diagnosing The Problem
Use SSH to log in to the QRadar appliance that hosts the scanner as the root user.
Note: If your scanner is not hosted on the Console, administrators must open an SSH session to the Console before you can open a SSH session to another managed host. Direct SSH connections to managed hosts are blocked by default by iptables rules on QRadar appliances.
Search the /var/log/qradar.log file for events of type "vis". - #cat /var/log/qradar.log | grep -i vis
Check for errors that are listed in the examples.
Log in to the QRadar Console as an administrator.
On the Admin tab, Vulnerability Section, Open "Schedule VA Scanners".
The error message is located in the "Status" Column.
Resolving The Problem
- Log in to the QRadar Console.
- Click the Admin tab.
- Click the Vulnerability Scanners icon.
- Review the Hosts column to confirm the QRadar appliance that has certificates.
- Use SSH to log in to the QRadar Console as the root user.
- Open an SSH session to the QRadar appliance identified in the Host column.
- Confirm if the following issues need correction:
- Confirm the host has one certificate per configured scanner in the /opt/qradar/conf/trusted_certificates directory. If there are multiple certificates for a single scanner, remote duplicate or unwanted certificates.
- Verify the scanner identified in the Name column in the user interface matches the certificate located in /opt/qradar/conf/trusted_certificates. If the names are not identical, rename the cert to match the name in the user interface, if required.
- Check that the certificate is not expired with the following command:
openssl x509 -in Example_scanner.crt -text -noout
- Verify that the certificate is not zero bytes in size in the /opt/qradar/conf/trusted_certificates directory. If the file is zero (0) bytes, retrieve a new certificate from the scanner or use the getcert.sh utility to retrieve a certificate from your remote scanner. For more information about supported scanners, see QRadar supported vulnerability scanners.
- Confirm the status of the VIS service on the host appliance. VIS is responsible for managing configured scanners and downloading data when scheduled scans start. If the VIS service is not running or corrupted, type the following command to attempt to restart the service:
systemctl restart vis
The third-party scans are expected to communicate with the providers address. If you continue to experience issues with certificates, service issues, or scans not starting as expected, contact QRadar Support for assistance.
Was this topic helpful?
01 July 2022