Troubleshooting
Problem
Administrators receive notifications that their certificates are about to expire. The expiring certificate prevents applications from being updated or restarted.
Symptom
When the administrator opens the notifications, the following error displays:
An application framework certificate is expiring soon and needs to be replaced.
Diagnosing The Problem
The issue can be verified from the user interface or from the command line.
User Interface
- Log in to the QRadar user interface as an administrator user.
- Click the notifications tab to see the alerts.
Result
The error message "An application framework certificate is expiring soon and needs to be replaced" is displayed.
Command line
- Use SSH to log in to the QRadar Console as the root user.
- Type the following command to search for the 'update the certificate soon' messages.
grep -E 'update the certificate soon' /var/log/qradar.log
Output example:
[WARN] The certificate named tomcat_client_traefik will expire on Wed Apr 19 12:57:23 EDT 2023. Please update the certificate soon.
Note: In this document, the certificate name is tomcat_client_traefik.
The certificate expiration warning is displayed in qradar.log.
Resolving The Problem
To resolve this issue, administrators can regenerate the expiring certificate on the Console. This procedure is always run on the Console, even if the administrator has an App Host appliance.
After you identify the certificate name (see the Diagnosing The Problem section), complete the following steps to regenerate it:
- Use SSH to log in to the QRadar Console as the root user.
- Restart the qradarca-monitor service.
systemctl restart qradarca-monitor
- Check whether the certificates are OK once the qradarca-monitor service is restarted:
openssl verify -CAfile /etc/pki/tls/cert.pem /etc/tomcat/tls/traefik/tomcat-client-traefik.cert
Output example:
/etc/tomcat/tls/traefik/tomcat-client-traefik.cert: OK
- If the certificate still shows an error, run the following command to find the certificate ID. Replace <cert_name> with the name of the expiring certificate:
/opt/qradar/ca/bin/si-qradarca list -print | grep "<cert_name>"
For example:
/opt/qradar/ca/bin/si-qradarca list -print | grep "tomcat-client-traefik.cert"
---- 18,mutual-client,/opt/qradar/ca/conf.d/tomcat-client-traefik.json,/etc/tomcat/tls/traefik/tomcat-client-traefik.cert,13
Note: the ID is 18.
- Run the following command to regenerate the certificate. Replace <ID> with the certificate ID. The command does not produce any output. This behavior is expected and means that the command worked.
/opt/qradar/ca/bin/reset-qradar-ca.sh <ID> --reset
For example:
/opt/qradar/ca/bin/reset-qradar-ca.sh 18 --reset
- Verify that the certificate was regenerated by running the following command:
openssl verify -CAfile /etc/pki/tls/cert.pem /etc/tomcat/tls/traefik/tomcat-client-traefik.cert
Output example:
[root@console ~]# openssl verify -CAfile /etc/pki/tls/cert.pem /etc/tomcat/tls/traefik/tomcat-client-traefik.cert
/etc/tomcat/tls/traefik/tomcat-client-traefik.cert: OK
Result
The alert about the expiring certificate is no longer displayed. If the administrator continues to experience issues, contact QRadar Support for assistance.
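The two outputs that this procedure reads by eye, the expiry warning in qradar.log and the si-qradarca list entry, can also be parsed in a script. The following is an added example and not IBM code: the function names and sample data are constructed for illustration, and the underscore-to-hyphen mapping between the logged name and the certificate file name is an assumption drawn from the single example in this document.

```shell
#!/bin/sh
# Added example: sample data is constructed from the lines shown on this page.

# stdin: qradar.log lines. Prints "name<TAB>expiry" once per certificate,
# because the same warning may be logged more than once.
expiring_certs() {
    awk '
    match($0, /The certificate named [^ ]+ will expire on /) {
        name = substr($0, RSTART, RLENGTH)
        sub(/^The certificate named /, "", name)
        sub(/ will expire on $/, "", name)
        when = substr($0, RSTART + RLENGTH)
        sub(/\. Please update the certificate soon.*/, "", when)
        if (!(name in expiry)) order[++n] = name
        expiry[name] = when            # keep the most recent report
    }
    END { for (i = 1; i <= n; i++) printf "%s\t%s\n", order[i], expiry[order[i]] }'
}

# Assumption from the one example on this page: the log prints underscores,
# the certificate file uses hyphens and a .cert suffix.
log_name_to_file() {
    printf '%s.cert\n' "$(printf '%s' "$1" | tr '_' '-')"
}

# stdin: output of "si-qradarca list -print". $1: certificate file name.
# Prints the ID (first comma-separated field) of the matching entry.
cert_id() {
    awk -F, -v want="/$1" '
    {
        start = length($4) - length(want) + 1
        if (start >= 1 && substr($4, start) == want) {
            id = $1
            sub(/^[^0-9]*/, "", id)    # drop the leading "---- " marker
            print id
        }
    }'
}

SAMPLE_LOG='[WARN] The certificate named tomcat_client_traefik will expire on Wed Apr 19 12:57:23 EDT 2023. Please update the certificate soon.
[INFO] constructed unrelated line
[WARN] The certificate named tomcat_client_traefik will expire on Wed Apr 19 12:57:23 EDT 2023. Please update the certificate soon.'
SAMPLE_LIST='---- 7,constructed-type,/opt/qradar/ca/conf.d/constructed-example.json,/etc/constructed/example.cert,13
---- 18,mutual-client,/opt/qradar/ca/conf.d/tomcat-client-traefik.json,/etc/tomcat/tls/traefik/tomcat-client-traefik.cert,13'

printf '%s\n' "$SAMPLE_LOG" | expiring_certs | while IFS="$(printf '\t')" read -r name when; do
    file=$(log_name_to_file "$name")
    id=$(printf '%s\n' "$SAMPLE_LIST" | cert_id "$file")
    printf '%s expires %s; ID for reset-qradar-ca.sh: %s\n' "$name" "$when" "$id"
done
```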
Document Location
Worldwide
Document Information
Modified date:
13 July 2023
UID
ibm16995881