IBM Support

SOAR: "Bad Gateway" error using QRadar plug-in

Troubleshooting


Problem

The Security Orchestration, Automation, and Response (SOAR) plug-in for QRadar and Cloud Pak for Security (CP4S) cannot be verified and configured. The following error is returned: "Bad Gateway".

Symptom

  1. Configure IBM SOAR QRadar plug-in.
  2. Select Verify and configure.
  3. "Bad Gateway" is returned.

Cause

  • The error is caused by using the wrong API key ID or secret. 
  • Using "Copy to Clipboard" and pasting the clipboard contents into the "API Key Secret" field causes this problem. The clipboard contains not only the API Key Secret but also the API Key ID, each preceded by a description of the value, with the two separated by a forward slash.

Diagnosing The Problem

The app.log inside the plug-in's container shows the following output. There are no errors, but the contents of the log file are incomplete: the output ends at "Checking if host is in CP4S".

[Thread-318] [INFO] [APP_ID:2706] [NOT:0000006000] endpoint is config.admin_screen
[Thread-318] [INFO] [APP_ID:2706] [NOT:0000006000] admin_screen
[Thread-318] [INFO] [APP_ID:2706] [NOT:0000006000] Test SOAR Config
[Thread-318] [INFO] [APP_ID:2706] [NOT:0000006000] Token Test Returned: <Response [200]>
[Thread-318] [INFO] [APP_ID:2706] [NOT:0000006000] Checking if host is in CP4S

A successful "Verify and Configure" writes the following to the app.log. This text is taken from a plug-in connecting to a non-MSSP instance of SOAR.

[Thread-319] [INFO] [APP_ID:2706] [NOT:0000006000] endpoint is config.admin_screen
[Thread-319] [INFO] [APP_ID:2706] [NOT:0000006000] admin_screen
[Thread-319] [INFO] [APP_ID:2706] [NOT:0000006000] Closing reasons missing from QRadar: []
[Thread-321] [INFO] [APP_ID:2706] [NOT:0000006000] endpoint is config.admin_screen
[Thread-321] [INFO] [APP_ID:2706] [NOT:0000006000] admin_screen
[Thread-321] [INFO] [APP_ID:2706] [NOT:0000006000] Test SOAR Config
[Thread-321] [INFO] [APP_ID:2706] [NOT:0000006000] Token Test Returned: <Response [200]>
[Thread-321] [INFO] [APP_ID:2706] [NOT:0000006000] Checking if host is in CP4S
[Thread-321] [INFO] [APP_ID:2706] [NOT:0000006000] Checking access to the following orgs: ['id=***, name=***, type=standard, parent_org_id=None, cloud_account_id=None']
[Thread-321] [INFO] [APP_ID:2706] [NOT:0000006000] check_actions_enabled: True
[Thread-321] [INFO] [APP_ID:2706] [NOT:0000006000] Checking that SOAR is configured properly...
[Thread-321] [INFO] [APP_ID:2706] [NOT:0000006000] Check that SOAR destinations configured
[Thread-321] [INFO] [APP_ID:2706] [NOT:0000006000] Check that SOAR action fields configured
[Thread-321] [INFO] [APP_ID:2706] [NOT:0000006000] Check that SOAR actions configured
[Thread-321] [INFO] [APP_ID:2706] [NOT:0000006000] Check automatic actions configured
[Thread-321] [INFO] [APP_ID:2706] [NOT:0000006000] Check manual actions configured
[Thread-321] [INFO] [APP_ID:2706] [NOT:0000006000] Closing reasons missing from QRadar: []

Look for the errors "Invalid API key secret" or "Unknown basic authentication clientId". These errors indicate whether the API key ID or the secret is wrong.
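
As an added example (not IBM's code and not part of the plug-in), the following Python script applies the comparison above to app.log lines: it groups messages by thread and flags verify runs whose last message is "Checking if host is in CP4S". The function name and the 'complete', 'stalled' and 'other' labels are assumptions made for illustration; the sample lines are condensed from the two excerpts on this page.

```python
import re
from collections import defaultdict

# Line layout as shown in the app.log excerpts on this page.
LINE_RE = re.compile(r"^\[(Thread-\d+)\] \[\w+\] \[APP_ID:\d+\] \[NOT:\d+\] (.*)$")
START = "Test SOAR Config"                    # first message of a verify run
STALL = "Checking if host is in CP4S"         # last message in the failing excerpt
DONE = "Closing reasons missing from QRadar"  # last message in the successful excerpt

def classify_verify_runs(lines):
    """Map each thread that ran a verify to 'complete', 'stalled' or 'other'."""
    by_thread = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            by_thread[m.group(1)].append(m.group(2))
    verdicts = {}
    for thread, msgs in by_thread.items():
        if START not in msgs:
            continue  # thread never ran the verify (Thread-319 in the excerpt)
        # Assumption: judge only the most recent verify logged by this thread.
        last_start = len(msgs) - 1 - msgs[::-1].index(START)
        run = msgs[last_start + 1:]
        if any(msg.startswith(DONE) for msg in run):
            verdicts[thread] = "complete"
        elif run and run[-1] == STALL:
            # Pattern this page associates with a wrong API key ID or secret.
            verdicts[thread] = "stalled"
        else:
            verdicts[thread] = "other"
    return verdicts

# Sample input condensed from the excerpts on this page.
SAMPLE = [f"[{t}] [INFO] [APP_ID:2706] [NOT:0000006000] {m}" for t, m in [
    ("Thread-318", "endpoint is config.admin_screen"),
    ("Thread-318", "admin_screen"),
    ("Thread-318", "Test SOAR Config"),
    ("Thread-318", "Token Test Returned: <Response [200]>"),
    ("Thread-318", "Checking if host is in CP4S"),
    ("Thread-319", "Closing reasons missing from QRadar: []"),
    ("Thread-321", "Test SOAR Config"),
    ("Thread-321", "Token Test Returned: <Response [200]>"),
    ("Thread-321", "Checking if host is in CP4S"),
    ("Thread-321", "Closing reasons missing from QRadar: []"),
]]

if __name__ == "__main__":
    for thread, verdict in classify_verify_runs(SAMPLE).items():
        print(thread, verdict)
```

A 'stalled' result on a log that is still being written can also mean the verify has not finished yet, so read it together with the error messages named above.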

Resolving The Problem

Ensure that you copy the API Key Secret correctly, testing in a text editor first.
  1. Select Copy to Clipboard.
  2. With the Copy to Clipboard option, the API Key ID and Secret are copied in this format:
    Key ID: aaaaaaaa-bbbb-cccc-dddd-111111111111/Key Secret: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  3. Paste into a notepad.
    Note: Save the key and secret to your team's password management utility.
  4. Paste the Key ID into the API Key ID field.
  5. Paste the Key Secret into the API Key Secret field.

Document Location

Worldwide


Document Information

Modified date:
01 February 2023

UID

ibm16856437