IBM Support

QRadar: How to update an application tomcat-client-conman.cert certificate when you receive notification about expiration

Troubleshooting


Problem

The system issues a warning notification: An application framework certificate is expiring soon and needs to be replaced.

Diagnosing The Problem

To find the certificate that is about to expire, search for "update the certificate soon" in /var/log/qradar.log. In this example, the search filters on the certificate name:

cat /var/log/qradar.log | grep -i tomcat-client-conman

Warning example:
[WARN] [NOT:0000013102] The certificate named tomcat-client-conman will expire on Tue <Time date and year>. Please update the certificate soon.

Resolving The Problem

Perform the following steps:
  1. Run the following command to find the certificate entry. Replace <cert_name> with the certificate name:
    /opt/qradar/ca/bin/si-qradarca list -print | grep "<cert_name>"
    For this example, the certificate name displayed in the alert is tomcat-client-conman.cert, so the command is:
    /opt/qradar/ca/bin/si-qradarca list -print | grep "tomcat-client-conman.cert"
    Output:
    ---- 17,mutual-client,/opt/qradar/ca/conf.d/tomcat-client-conman.json,/etc/tomcat/tls/conman/tomcat-client-conman.cert,3
  2. Use the ID at the beginning of the output to reset the tomcat-client-conman certificate. In this case, it is 17:
    /opt/qradar/ca/bin/reset-qradar-ca.sh 17 --reset
    Output:
    Start resetting the certificate from id 17
  3. Restart the qradarca-monitor service by using the following command:
    systemctl restart qradarca-monitor
  4. Verify the certificate by using the following command:
    /opt/qradar/support/validate_cert.sh | grep tomcat-client-conman
    Output:
    Expire date for /etc/tomcat/tls/conman/tomcat-client-conman.cert is: May 24 06:31:42 2023 GMT
    Validating /etc/tomcat/tls/conman/tomcat-client-conman.cert
    Cert file /etc/tomcat/tls/conman/tomcat-client-conman.cert has passed chain validation
    Cert file /etc/tomcat/tls/conman/tomcat-client-conman.cert has passed the modulus check

Result

The certificate alert is not displayed anymore.
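
The lookup in steps 1 and 2, as an added example that is not IBM's code: it reads the warning and listing formats shown above, compares the certificate file name literally (in a grep pattern such as "tomcat-client-conman.cert" the "." matches any character and the pattern matches substrings), and prints the reset command only when exactly one ID matches. The sample inputs are constructed, and the second listing entry is hypothetical.

```shell
#!/bin/sh
# Added example, not IBM code. Both samples are constructed from the formats
# shown in this article; the second listing entry is hypothetical.
SAMPLE_LOG='[WARN] [NOT:0000013102] The certificate named tomcat-client-conman will expire on Tue <date>. Please update the certificate soon.
[WARN] [NOT:0000013102] The certificate named tomcat-client-conman will expire on Tue <date>. Please update the certificate soon.
[INFO] constructed unrelated line'
SAMPLE_LIST='---- 17,mutual-client,/opt/qradar/ca/conf.d/tomcat-client-conman.json,/etc/tomcat/tls/conman/tomcat-client-conman.cert,3
---- 18,mutual-client,/opt/qradar/ca/conf.d/example.json,/etc/example/tls/tomcat-client-conman-cert.pem,3'

# Unique certificate names from expiry warnings (qradar.log text on stdin).
expiring_certs() {
    sed -n 's/.*The certificate named \([^ ]*\) will expire on.*/\1/p' | sort -u
}

# ID for one certificate from `si-qradarca list -print` output on stdin.
# Compares the file name in field 4 literally; fails unless exactly one entry
# matches, so an ambiguous lookup never yields an ID to reset.
cert_id() {
    want="${1%.cert}.cert"
    awk -F, -v want="$want" '
        {
            id = $1; sub(/^[- ]+/, "", id)      # drop the leading "---- "
            n = split($4, parts, "/")           # parts[n] is the file name
            if (parts[n] == want) ids[++count] = id
        }
        END { if (count != 1) exit 1; print ids[1] }'
}

# Print (do not run) the reset command for each expiring certificate.
# $1 = log text, $2 = listing text
reset_plan() {
    printf '%s\n' "$1" | expiring_certs | while read -r name; do
        if id=$(printf '%s\n' "$2" | cert_id "$name"); then
            echo "/opt/qradar/ca/bin/reset-qradar-ca.sh $id --reset"
        else
            echo "# $name: no unique ID found, check the listing by hand"
        fi
    done
}

reset_plan "$SAMPLE_LOG" "$SAMPLE_LIST"
```

On a console, pass the contents of /var/log/qradar.log and the output of /opt/qradar/ca/bin/si-qradarca list -print as the two arguments, and review the printed command before running it.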

Document Location

Worldwide


Document Information

Modified date:
15 March 2023

UID

ibm16957676