Troubleshooting
Problem
Diagnosing The Problem
Connection Refused
This error message indicates issues with the Tomcat service or underlying network problems. When connection problems are present, the script output might look like the following:
[ERROR] [-/- -]Error invoking remote method System.testTomcatConnection with arguments [] for result 'N/A'
java.net.ConnectException: Connection refused (Connection refused)
Missing Certificates
This error message indicates a failure in the Tomcat connection test due to Apache certificate discrepancies between the managed host and the console. To resolve this issue, follow these steps:
[-/- -]The Apache certificates on the managed host do not match the certificates on the Console. Tomcat connection test failed.
[-/- -]No connection to tomcat
Hostname verification failed
This error message indicates that the hostname is either missing or incorrect in the configuration files. This error can lead to symptoms such as connection rejection and services failing to request data.
[ERROR] Hostname verification failed for <hostname>, connection rejected.
[ERROR] Error invoking remote method System.testTomcatConnection with arguments [] for result 'N/A'
[main] java.io.IOException: HTTPS hostname wrong: should be <hostname>
Unrestricted JCE Jar files
Administrators upgrading to QRadar 7.5.0 UP1 with unrestricted JCE policy files can experience hostcontext service initialization failures after the upgrade completes, also the following output can be seen for the test_tomcat_connection script:
Caused by:
java.lang.SecurityException: Jurisdiction policy files are not signed by trusted signers!
at javax.crypto.b.a(Unknown Source)
at javax.crypto.b.c(Unknown Source)
Resolving The Problem
Connection Refused
- Use SSH to log in to the QRadar Console as the root user.
- Use SSH to log in to the affected host.
- Test the connection to the Tomcat:
- For encrypted hosts:
- Test the connection to the console's Tomcat port (443/tcp) port:
nc -zv 127.0.0.1 443
Expected output:Ncat: Version 7.50 ( https://nmap.org/ncat ) Ncat: Connected to 127.0.0.1:443. Ncat: 0 bytes sent, 0 bytes received in X seconds.
- Check to see whether the SSH Tunnel is connected:
ss -nalp | grep '443'
Expected output:tcp LISTEN 0 128 *:443 *:* users:(("sshd",pid=X,fd=X))
If the above line is missing, that indicates SSH tunnel issues. To solve this issue, refer to QRadar: About Secure Shell (SSH) for guidance or contact QRadar Support for assistance.
- Test the connection to the console's Tomcat port (443/tcp) port:
- For nonencrypted hosts:
- Test the connection to the console's Tomcat port (443/tcp) port:
nc -zv <console_IP> 443
Expected output:Ncat: Version 7.50 ( https://nmap.org/ncat ) Ncat: Connected to <console_ip>:443. Ncat: 0 bytes sent, 0 bytes received in X seconds.
Result
All services stay up and the connection to Tomcat is established. If it continues to fail, contact QRadar Support for assistance.
- Test the connection to the console's Tomcat port (443/tcp) port:
- For encrypted hosts:
Missing certificates
The error message indicates a failure in the Tomcat connection due to Apache certificate discrepancies between the managed host and the console. To resolve this issue, follow these steps:
- Use SSH to log in to the QRadar Console as the root user.
- Copy the console's SSL certificate to the managed host's /storetmp partition:
scp /etc/httpd/conf/certs/cert.cert root@<managed_host_ip>:/storetmp/
- Use SSH to log in to the affected host.
- Create a backup directory for the current certificates:
mkdir -pv /store/ibm_support/old_certs
- Copy the old certificates to the backup directory:
cp -pv /etc/httpd/conf/certs/* /store/ibm_support/old_certs/
- Move the new certificate into the certificates directory:
mv -v /storetmp/cert.cert /etc/httpd/conf/certs/cert.cert
- Restart the hostcontext service:
systemctl restart hostcontext;sleep 1m
- Test the connection again:
/opt/qradar/bin/test_tomcat_connection.sh
All services stay up and the connection to Tomcat is established. If it continues to fail, contact QRadar Support for assistance.
Hostname Verification failed
An Issue might arise when hostname verification fails during the Tomcat connection test between the console and the managed host. This error can lead to connection rejection and services failing to request data. To resolve the issue, follow these steps:
- Use SSH to log in to the QRadar Console as the root user.
- Use SSH to log in to the affected host.
- Use grep to get the NVAWEBURL parameter:
grep 'NVAWEBURL=' /opt/qradar/conf/nva.conf
Expected output:NVAWEBURL=https://<console_fqdn>
If the output is different, continue with the next steps. - Create a backup directory:
mkdir -pv /store/ibm_support
- Create a backup of the nva.conf file:
cp -v /opt/qradar/conf/nva.conf /store/ibm_support/nva.conf_bk
- Set the console FQDN:
Note: replace <console_fqdn> with the console's FQDN.console_fqdn="<console_fqdn>"
Example:console_fqdn="qradar-console.lab.net"
- Use sed to fix the wrong parameter:
sed -i "s/^NVAWEBURL=https:\/\/.*/NVAWEBURL=https:\/\/$console_fqdn/g" /opt/qradar/conf/nva.conf
- Verify that the parameter is correct now:
grep 'NVAWEBURL=' /opt/qradar/conf/nva.conf
Expected output:NVAWEBURL=https://<console_fqdn>
systemctl restart hostcontext;sleep 1m
Restart the hostcontext service:
- Test the connection again:
/opt/qradar/bin/test_tomcat_connection.sh
All services stay up and the connection to Tomcat is established. If it continues to fail, contact QRadar Support for assistance.
Unrestricted JCE Policy Files
Administrators upgrading to QRadar 7.5.0 UP1 with unrestricted JCE policy files might experience hostcontext service initialization failures after the upgrade is complete. Run the following steps to solve this problem:
- Use SSH to log in to the QRadar Console as the root user.
- Confirm that the unrestricted JCE Policy files exist:
/opt/qradar/support/all_servers.sh -Ck "ls -1 /opt/ibm/java-x86_64-80/jre/lib/security/*.jar"
Expected output to confirm the issue:/opt/ibm/java-x86_64-80/jre/lib/security/local_policy.jar /opt/ibm/java-x86_64-80/jre/lib/security/US_export_policy.jar
- Remove the conflicting files:
/opt/qradar/support/all_servers.sh -Ck "rm -f /opt/ibm/java-x86_64-80/jre/lib/security/local_policy.jar /opt/ibm/java-x86_64-80/jre/lib/security/US_export_policy.jar"
- Confirm that the files were removed:
/opt/qradar/support/all_servers.sh -Ck "ls -1 /opt/ibm/java-x86_64-80/jre/lib/security/*.jar"
All services stay up and the connection to Tomcat is established. If it continues to fail, contact QRadar Support for assistance.
Related Information
Was this topic helpful?
Document Information
Modified date:
08 December 2023
UID
ibm17080071