IBM Support

Cloud Pak for Security: Updating QRadar Data Connector configuration with new token not working

Troubleshooting


Problem

Updating a QRadar Data Connector Access Configuration with a new Authentication Token does not update, and continues to use the original Authentication Token in Cloud Pak for Security.

Diagnosing The Problem

  1. Log in to QRadar.
  2. Create new Authentication Token to be used for the Data Connector access.
  3. Log in to Cloud Pak for Security (CP4S).
  4. Go to the upper left stack select Connections > Data Sources > select a QRadar Data Source to edit.
  5. Scroll to Configuration.
  6. Select the edit pen for any of the access configurations.
  7. Press the Reset value for the Authentication Token.
  8. Input the new Token created within QRadar, from step 2.
  9. Save the configuration.
  10. Save the Data Connector.
  11. Go to TII.
  12. Select a report, or bundle.
  13. Run a scan against the Data Connector Access that was updated with the new Authentication Token.
  14. SSH to the QRadar Console.
  15. Check logs to verify whether new token is in use: 
    grep "<new authentication token name>" /var/log/audit/audit.log
    Note: Replace <new authentication token name> with the old token name. If the issue exists, nothing is found. 
    grep "<old authentication token name>" /var/log/audit/audit.log
    Note: Replace <old authentication token name> with the old token name. If the old token is still used, the issue exists; verify with time stamps.

Resolving The Problem

  1. Log to Cloud Pak for Security (CP4S).
  2. Go to upper left stack and select Connections > Data Sources > select the problem QRadar Data Source to DELETE
  3. Delete the nonworking Access Configuration.
  4. Make a new Access Configuration with the new QRadar Authentication Token.
  5. Ensure that the rest of the access was put back in place for the users.
  6. Save the configuration.
  7. Save the Data Connector.
  8. Go to TII and select a report, or bundle.
  9. Run a scan against the Data Connector Access that was updated with the new Authentication Token.
  10. Go to QRadar.
  11. SSH into the QRadar console.
  12. Verify logs show the new token use: 
    cd /var/log/audit
grep "<new authentication token name>" audit.log
    Note:  Replace <new authentication token name> with the new token name. 

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTDPP","label":"IBM Cloud Pak for Security"},"ARM Category":[{"code":"a8m0z0000001jPEAAY","label":"Support-\u003EData Source"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"1.9.0"}]

Document Information

Modified date:
24 April 2023

UID

ibm16985039

Page Feedback