IBM Support

QRadar: How to update an application framework certificate when system alerts about expiration

How To


Summary

This article covers how to update an application framework certificate when the QRadar console GUI alerts that the certificate is about to expire and needs to be replaced.

Steps

The following capture shows how the alert is displayed in QRadar:
[Screenshot: QRadar alert about the expiring certificate]
To find the cert that is about to expire, search for "update the certificate soon" in /var/log/qradar.log. The following warning is an example of what the log entry looks like. Here the cert is tomcat_client_traefik:
[WARN] [NOT:0000013102] The certificate named tomcat_client_traefik will expire on Tue <Time date and year>. Please update the certificate soon.
After the cert name is found, follow the next steps to update it:
  1. Run the following command to find the cert. Replace <cert_name> with the cert name:
    /opt/qradar/ca/bin/si-qradarca list -print | grep "<cert_name>"
    For this example, the cert name displayed in the alert is tomcat-client-traefik.cert, so the command is:
    /opt/qradar/ca/bin/si-qradarca list -print | grep "tomcat-client-traefik.cert"
    The output looks like this:
    ---- 18,mutual-client,/opt/qradar/ca/conf.d/tomcat-client-traefik.json,/etc/tomcat/tls/traefik/tomcat-client-traefik.cert,13
  2. Use the ID at the beginning of the output to reset the tomcat-client-traefik certificate. In this case, the ID is 18:
    /opt/qradar/ca/bin/reset-qradar-ca.sh 18 --reset
    The command does not produce any output. This behavior is expected and means that the command worked.
  3. Restart the qradarca-monitor service with the following command:
    systemctl restart qradarca-monitor
    After these steps, QRadar stops alerting about this cert.
Result
The alert about the cert is not displayed anymore.
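
The lookup in steps 1 and 2, as an added shell example (not IBM's code): it pulls the cert name from the expiry warning, matches it against the list output with underscores and hyphens treated alike, and prints the reset command for review instead of running it. The sample log and list text are constructed from the lines shown above; reading field 1 as the ID and field 4 as the cert path is an assumption based on that one output row.

```shell
#!/bin/sh
# Added example: map expiry warnings to the reset command for each cert.
# It only parses text and prints commands; it resets nothing itself.

# Constructed sample input modelled on the lines shown in this article
# (the ID 17 row is invented filler to show non-matching rows are skipped).
SAMPLE_LOG='[WARN] [NOT:0000013102] The certificate named tomcat_client_traefik will expire on Tue <Time date and year>. Please update the certificate soon.'
SAMPLE_LIST='---- 17,server,/opt/example/conf.d/example-a.json,/opt/example/tls/example-a.cert,13
---- 18,mutual-client,/opt/qradar/ca/conf.d/tomcat-client-traefik.json,/etc/tomcat/tls/traefik/tomcat-client-traefik.cert,13'

# stdin: qradar.log text. stdout: unique cert names from expiry warnings.
expiring_certs() {
    grep 'update the certificate soon' |
        sed -n 's/.*The certificate named \([^ ]*\) will.*/\1/p' | sort -u
}

# $1: cert name (underscore or hyphen form, with or without ".cert").
# stdin: `si-qradarca list -print` output. stdout: "ID cert_path" per match.
# Assumes field 1 is the ID and field 4 the cert path, as in the sample row.
lookup_cert() (
    want=$(printf '%s\n' "$1" | tr '_' '-' | sed 's/\.cert$//')
    sed 's/^[ -]*//' | awk -F, -v want="$want" '{
        n = split($4, part, "/"); base = part[n]
        sub(/\.cert$/, "", base); gsub(/_/, "-", base)
        if (base == want) print $1, $4
    }'
)

# $1: log text, $2: list output. stdout: one reset command per matched cert.
reset_plan() (
    printf '%s\n' "$1" | expiring_certs | while read -r name; do
        printf '%s\n' "$2" | lookup_cert "$name" | while read -r id path; do
            case $id in '' | *[!0-9]*) continue ;; esac  # numeric IDs only
            printf '/opt/qradar/ca/bin/reset-qradar-ca.sh %s --reset  # %s\n' "$id" "$path"
        done
    done
)

# On a console, feed real data instead of the samples:
#   reset_plan "$(grep 'update the certificate soon' /var/log/qradar.log)" \
#              "$(/opt/qradar/ca/bin/si-qradarca list -print)"
reset_plan "$SAMPLE_LOG" "$SAMPLE_LIST"
```

If a name matches more than one row, every match is printed, so check the cert path in the trailing comment before running a reset.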

Document Location

Worldwide

Document Information

Modified date:
27 October 2022

UID

ibm16827607