IBM Support

QRadar: "An application framework certificate is expiring soon and needs to be replaced" due to framework certificates expiration

Troubleshooting


Problem

Administrators receive notifications that their certificates are expiring, which prevents applications from being updated or restarted.

Symptom

When the administrator opens the notifications, the following error displays: 
An application framework certificate is expiring soon and needs to be replaced.

Diagnosing The Problem

The issue can be verified from the user interface or from the command line.

User Interface
  1. Log in to the QRadar user interface as an administrator user.
  2. Click the notifications tab to see the alerts.

    Result
    The error message "An application framework certificate is expiring soon and needs to be replaced" is displayed.
Command line
  1. Use SSH to log in to the QRadar Console as the root user.
  2. Type the following command to search for the 'update the certificate soon' messages.
    grep -E 'update the certificate soon' /var/log/qradar.log
    Output example:
    Note: In this document, the certificate name is tomcat_client_traefik.
    [WARN] The certificate named tomcat_client_traefik will expire on 
    Wed Apr 19 12:57:23 EDT 2023. Please update the certificate soon.
    Result
    The warning that the certificate will expire appears in qradar.log.

Resolving The Problem

To resolve this issue, administrators can regenerate the expired certificate on the Console. This procedure is always run on the Console, even if the administrator has an App Host appliance.
After the certificate name is found (see the Diagnosing The Problem section), follow these steps to regenerate it:
  1. Use SSH to log in to the QRadar Console as the root user.
  2. Restart the qradarca-monitor service.
    systemctl restart qradarca-monitor
  3. Check whether the certificates are OK once the qradarca-monitor service is restarted:
    openssl verify -CAfile /etc/pki/tls/cert.pem /etc/tomcat/tls/traefik/tomcat-client-traefik.cert
    
    Output example:
    /etc/tomcat/tls/traefik/tomcat-client-traefik.cert: OK
    
  4. If the certificate still shows an error, run the following command to find the certificate ID. Replace <cert_name> with the name of the expired certificate:
    /opt/qradar/ca/bin/si-qradarca list -print | grep "<cert_name>"
    Command example:
    /opt/qradar/ca/bin/si-qradarca list -print | grep "tomcat-client-traefik.cert"
    Output example:
    ---- 18,mutual-client,/opt/qradar/ca/conf.d/tomcat-client-traefik.json,/etc/tomcat/tls/traefik/tomcat-client-traefik.cert,13
    Note: the ID is 18.
  5. Use the ID to regenerate the certificate by running the following command. Replace <ID> with the certificate ID. The command produces no output; this behavior is expected and means that the command succeeded.
    /opt/qradar/ca/bin/reset-qradar-ca.sh <ID> --reset
    Command example:
    /opt/qradar/ca/bin/reset-qradar-ca.sh 18 --reset
  6. To verify that the certificate was regenerated, run the following command:
    openssl verify -CAfile /etc/pki/tls/cert.pem /etc/tomcat/tls/traefik/tomcat-client-traefik.cert
    Output example:
    [root@console ~]# openssl verify -CAfile /etc/pki/tls/cert.pem /etc/tomcat/tls/traefik/tomcat-client-traefik.cert
    /etc/tomcat/tls/traefik/tomcat-client-traefik.cert: OK

    Result
    The alert about the expired certificates is no longer displayed. If the administrator continues to experience issues, contact QRadar Support for assistance.
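
The name and ID lookup from the steps above, as an added example that is not part of the IBM document: it pulls certificate names from the qradar.log warnings, matches the certificate file name exactly against the list output, and prints the reset command only when exactly one numeric ID is found. The sample log line and list rows are constructed from the formats shown above; the function names and the comma-separated column layout are assumptions.

```shell
#!/bin/sh
# Added example, not IBM code. Sample data is constructed from the formats
# shown in this document; the comma-separated column layout is an assumption.

# Constructed sample: one expiry warning on a single log line.
SAMPLE_LOG='[WARN] The certificate named tomcat_client_traefik will expire on Wed Apr 19 12:57:23 EDT 2023. Please update the certificate soon.'

# Constructed sample of list rows; the second row is made up for contrast.
SAMPLE_LIST='---- 18,mutual-client,/opt/qradar/ca/conf.d/tomcat-client-traefik.json,/etc/tomcat/tls/traefik/tomcat-client-traefik.cert,13
---- 21,mutual-client,/opt/qradar/ca/conf.d/example-other.json,/etc/example/tls/example-other.cert,13'

# Print "name|expiry" once for each distinct expiry warning read from stdin.
expiring_certs() {
  sed -n 's/.*The certificate named \([^ ]*\) will expire on \(.*\)\. Please update the certificate soon\..*/\1|\2/p' | sort -u
}

# Print the ID of each row whose certificate path (column 4) ends in exactly
# the file name $1. Comparing the basename avoids grep's partial matches.
cert_id() {
  awk -F, -v name="$1" '{
    n = split($4, parts, "/")
    if (parts[n] == name) { id = $1; sub(/^-+ */, "", id); print id }
  }'
}

# Print (never run) the reset command for file name $1, list rows on stdin.
# Fails unless the lookup yields exactly one numeric ID.
reset_command() {
  ids=$(cert_id "$1")
  case $ids in
    ''|*[!0-9]*) echo "no unique numeric ID for '$1'" >&2; return 1 ;;
  esac
  echo "/opt/qradar/ca/bin/reset-qradar-ca.sh $ids --reset"
}

# Demo on the constructed samples. The log names the certificate with
# underscores while the list row uses the hyphenated file name, so the
# file name is passed explicitly here.
printf '%s\n' "$SAMPLE_LOG" | expiring_certs
printf '%s\n' "$SAMPLE_LIST" | reset_command tomcat-client-traefik.cert
```

On a Console, the same functions can read the real inputs: pipe the grep output from qradar.log into expiring_certs and the output of si-qradarca list -print into reset_command.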

Document Location

Worldwide


Document Information

Modified date:
13 July 2023

UID

ibm16995881