IBM Support

QRadar: User interface inaccessible due to httpd service failure. Error "Multiple RSA server certificates not allowed"

Troubleshooting


Problem

The QRadar user interface (UI) is inaccessible because the httpd service has failed.

Cause

The httpd service fails for one of the following reasons:
 
  • Multiple certificates present under /etc/httpd/conf/certs directory.
  • Multiple certificates present in /opt/qradar/conf/ssl.cert.conf file.

Diagnosing The Problem

Multiple certificates present under /etc/httpd/conf/certs directory

If the httpd service is in a failed state, search the log for entries such as the following:

less /var/log/qradar.log | grep -i "Multiple RSA server certificates not allowed"
[Mon May 26 20:58:47.461152 2023] [ssl:emerg] [pid 18470] <HOSTNAME>: Init: Multiple RSA server certificates not allowed
[Mon May 26 20:58:47.461169 2023] [ssl:emerg] [pid 18470] <HOSTNAME>: Fatal error initialising mod_ssl, exiting.
Steps to resolve issue:
  • Verify whether there is only 1 .crt file present in /etc/httpd/conf/certs directory:
ls -la /etc/httpd/conf/certs/
  • If the directory includes more than one .crt file, rename or move the unused certificate files. Select one of the following:
mv /etc/httpd/conf/certs/<any_name>.crt /etc/httpd/conf/certs/<any_name>.crt_back 
OR
mkdir /root/backup.certs/
mv /etc/httpd/conf/certs/<any_name>.crt /root/backup.certs/
  • Restart the tomcat service: 
systemctl restart tomcat
Note: Restarting Tomcat on the QRadar Console logs out users and halts event exports in progress. Also, scheduled reports won't run until the service is running. Administrators with change control might need a maintenance window before they restart Tomcat.
  • Validate tomcat and httpd service status:
systemctl status tomcat
systemctl status httpd
● tomcat.service - Apache Tomcat
  Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor preset: disabled)
 Drop-In: /etc/systemd/system/tomcat.service.d
      └─ulimit.conf
  Active: active (running) since Fri 2023-05-26 20:57:48 IST; 4min 9s ago
● httpd.service - The Apache HTTP Server
  Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
 Drop-In: /etc/systemd/system/httpd.service.d
      └─qradar.conf
  Active: active (running) since Fri 2023-05-26 20:57:49 IST; 4min 45s ago
  • Test tomcat connection status:
/opt/qradar/bin/test_tomcat_connection.sh
Starting up...
Connected to tomcat
Note: Tomcat takes some time to start. After the command shows the status as connected, you can connect to the QRadar GUI and verify whether other functions are working as expected. This procedure does not apply to QRadar on Cloud.

Multiple certificates present in /opt/qradar/conf/ssl.cert.conf file

If the httpd service is in a failed state, search the log for entries such as the following:
 
less -i /var/log/httpd/error.log | grep -i "Multiple RSA server certificates not allowed"
[Fri May 26 20:36:26.799179 2023] [ssl:emerg] [pid 25186] AH02242: Init: Multiple RSA server certificates not allowed
less /var/log/httpd/error.log | grep -i "Fatal error initialising mod_ssl"
[Fri May 26 20:36:26.799211 2023] [ssl:emerg] [pid 25186] AH02312: Fatal error initialising mod_ssl, exiting.
cat /opt/qradar/conf/ssl.cert.conf | grep -i "SSLCertificate"
SSLCertificateFile /etc/httpd/conf/certs/cert.cert
SSLCertificateFile /etc/httpd/conf/certs/cert.cert
SSLCertificateKeyFile /etc/httpd/conf/certs/cert.key
SSLCertificateKeyFile /etc/httpd/conf/certs/cert.key
Steps to resolve issue:
  • Create backup of /opt/qradar/conf/ssl.cert.conf
mkdir -p /store/ibm_support/httpd_service_issue
cp -p /opt/qradar/conf/ssl.cert.conf /store/ibm_support/httpd_service_issue/
  • Open /opt/qradar/conf/ssl.cert.conf in the vim editor and remove the duplicate lines for cert.cert and cert.key
Before:
SSLCertificateFile /etc/httpd/conf/certs/cert.cert
SSLCertificateFile /etc/httpd/conf/certs/cert.cert

SSLCertificateKeyFile /etc/httpd/conf/certs/cert.key
SSLCertificateKeyFile /etc/httpd/conf/certs/cert.key
After:
SSLCertificateFile /etc/httpd/conf/certs/cert.cert

SSLCertificateKeyFile /etc/httpd/conf/certs/cert.key
  • Restart the tomcat service:
systemctl restart tomcat
Note: Restarting Tomcat on the QRadar Console logs out users and halts event exports in progress. Also, scheduled reports won't run until the service is running. Administrators with change control might need a maintenance window before they restart Tomcat.
  • Validate tomcat and httpd service status:
systemctl status tomcat
systemctl status httpd
● tomcat.service - Apache Tomcat
  Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor preset: disabled)
 Drop-In: /etc/systemd/system/tomcat.service.d
      └─ulimit.conf
  Active: active (running) since Fri 2023-05-26 20:57:48 IST; 4min 9s ago
● httpd.service - The Apache HTTP Server
  Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
 Drop-In: /etc/systemd/system/httpd.service.d
      └─qradar.conf
  Active: active (running) since Fri 2023-05-26 20:57:49 IST; 4min 45s ago
  • Test tomcat connection status:
/opt/qradar/bin/test_tomcat_connection.sh
Starting up...
Connected to tomcat
Note: Tomcat takes some time to start. After the command shows the status as connected, you can connect to the QRadar GUI and verify whether other functions are working as expected. This procedure does not apply to QRadar on Cloud.
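Both diagnoses above can be checked in one pass before the restart. The following script is an added example, not IBM-supplied code: the function names, the --live switch and the sample file names old.crt and cert.crt are assumptions made for illustration, and it assumes ssl.cert.conf should carry exactly one SSLCertificateFile and one SSLCertificateKeyFile line, as in the "After" listing.

```shell
#!/bin/bash
# Added example, not IBM code: checks for the two causes described above.

# Number of *.crt files directly under the certificate directory.
count_crt_files() {
    find "$1" -maxdepth 1 -type f -name '*.crt' | wc -l | tr -d ' '
}

# Print "<directive> <count>" (lower-cased) for each SSLCertificateFile or
# SSLCertificateKeyFile directive that appears more than once.
duplicate_ssl_directives() {
    awk '
        /^[[:space:]]*#/ { next }          # skip commented-out lines
        { k = tolower($1) }                # directive names are case-insensitive
        k == "sslcertificatefile" || k == "sslcertificatekeyfile" { seen[k]++ }
        END { for (d in seen) if (seen[d] > 1) print d, seen[d] }
    ' "$1" | sort
}

# Return 0 when both checks pass, 1 otherwise.
check_httpd_certs() {
    local dir="$1" conf="$2" rc=0 n dups
    n=$(count_crt_files "$dir")
    if [ "$n" -ne 1 ]; then
        echo "FAIL: $n .crt files in $dir (expected 1)"; rc=1
    fi
    dups=$(duplicate_ssl_directives "$conf")
    if [ -n "$dups" ]; then
        echo "FAIL: repeated directives in $conf:"; echo "$dups"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: one .crt file, no repeated directives"; fi
    return "$rc"
}

# Constructed sample reproducing both faults in a temporary directory
# (old.crt and cert.crt are made-up file names for the demonstration).
make_broken_sample() {
    local root; root=$(mktemp -d)
    mkdir "$root/certs"
    touch "$root/certs/cert.crt" "$root/certs/old.crt" "$root/certs/cert.key"
    local c='SSLCertificateFile /etc/httpd/conf/certs/cert.cert'
    local k='SSLCertificateKeyFile /etc/httpd/conf/certs/cert.key'
    printf '%s\n' "$c" "$c" "$k" "$k" > "$root/ssl.cert.conf"
    echo "$root"
}

# Reads the real Console paths only when run with --live (hypothetical switch).
[ "${1:-}" != "--live" ] || check_httpd_certs /etc/httpd/conf/certs /opt/qradar/conf/ssl.cert.conf
```

A non-zero exit status means at least one of the two conditions is still present, so the restart would fail again for the same reason.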
Results
After the connection test completes successfully, you can log back in to QRadar. Administrators might need to manually run reports that were scheduled to start during the tomcat outage. Users can export events, execute the searches and export the results from the user interface.
If you have questions, contact Support: https://www.ibm.com/mysupport

Document Location

Worldwide


Document Information

Modified date:
31 May 2023

UID

ibm16590417