IBM Support

QRadar: Troubleshooting connection issues with the test_tomcat_connection script

Troubleshooting


Problem

Users might encounter connection failures when they run the test_tomcat_connection script. This technote provides steps to diagnose and resolve common connectivity problems.

Diagnosing The Problem

Connection Refused

This error message indicates issues with the Tomcat service or underlying network problems. When connection problems are present, the script output might look like the following:

[ERROR] [-/- -]Error invoking remote method System.testTomcatConnection with arguments [] for result 'N/A'
               java.net.ConnectException: Connection refused (Connection refused)

Follow the steps in the Resolving The Problem section for a possible solution.

Missing Certificates

This error message indicates a failure in the Tomcat connection test due to Apache certificate discrepancies between the managed host and the console. When this problem is present, the script output might look like the following:

[-/- -]The Apache certificates on the managed host do not match the certificates on the Console. Tomcat connection test failed.
[-/- -]No connection to tomcat

Follow the steps in the Resolving The Problem section for a possible solution.
 

Hostname verification failed

This error message indicates that the hostname is either missing or incorrect in the configuration files. This error can lead to symptoms such as connection rejection and services failing to request data.

[ERROR] Hostname verification failed for <hostname>, connection rejected. 
[ERROR] Error invoking remote method System.testTomcatConnection with arguments [] for result 'N/A' 
[main] java.io.IOException: HTTPS hostname wrong: should be <hostname>

Follow the steps in the Resolving The Problem section for a possible solution.

Unrestricted JCE Jar files

Administrators upgrading to QRadar 7.5.0 UP1 with unrestricted JCE policy files can experience hostcontext service initialization failures after the upgrade completes. The test_tomcat_connection script also shows the following output:

Caused by:
  java.lang.SecurityException: Jurisdiction policy files are not signed by trusted signers!
  at javax.crypto.b.a(Unknown Source)
  at javax.crypto.b.c(Unknown Source)

Follow the steps in the Resolving The Problem section for a possible solution.

Resolving The Problem

Connection Refused

The "Connection Refused" errors in the test_tomcat_connection.sh script might indicate issues with the Tomcat service, underlying network problems, or SSH tunnel issues. Complete the following steps to resolve the issue.
  1. Use SSH to log in to the QRadar Console as the root user.
  2. Use SSH to log in to the affected host.
  3. Test the connection to Tomcat:
    • For encrypted hosts:
      1. Test the connection to the console's Tomcat port (443/tcp):
        nc -zv 127.0.0.1 443
        Expected output:
        Ncat: Version 7.50 ( https://nmap.org/ncat )
        Ncat: Connected to 127.0.0.1:443.
        Ncat: 0 bytes sent, 0 bytes received in X seconds.
      2. Check to see whether the SSH Tunnel is connected:
        ss -nalp | grep '443'
        Expected output:
        tcp    LISTEN     0      128       *:443                    *:*                   users:(("sshd",pid=X,fd=X))
        If the line above is missing, the SSH tunnel is not connected. To solve this issue, refer to QRadar: About Secure Shell (SSH) for guidance or contact QRadar Support for assistance.
    • For nonencrypted hosts:
      1. Test the connection to the console's Tomcat port (443/tcp):
        nc -zv <console_IP> 443
        Expected output:
        Ncat: Version 7.50 ( https://nmap.org/ncat )
        Ncat: Connected to <console_ip>:443.
        Ncat: 0 bytes sent, 0 bytes received in X seconds.
        If the connection is refused, a networking issue is blocking the connection. Administrators must contact their networking team to fix it.

        Result
        All services stay up and the connection to Tomcat is established. If it continues to fail, contact QRadar Support for assistance.
         

Missing certificates

The error message indicates a failure in the Tomcat connection due to Apache certificate discrepancies between the managed host and the console. To resolve this issue, follow these steps:

  1. Use SSH to log in to the QRadar Console as the root user.
  2. Copy the console's SSL certificate to the managed host's /storetmp partition:
    scp /etc/httpd/conf/certs/cert.cert root@<managed_host_ip>:/storetmp/
  3. Use SSH to log in to the affected host.
  4. Create a backup directory for the current certificates:
    mkdir -pv /store/ibm_support/old_certs
  5. Copy the old certificates to the backup directory:
    cp -pv /etc/httpd/conf/certs/* /store/ibm_support/old_certs/
  6. Move the new certificate into the certificates directory:
    mv -v /storetmp/cert.cert /etc/httpd/conf/certs/cert.cert
  7. Restart the hostcontext service:
    systemctl restart hostcontext;sleep 1m
  8. Test the connection again:
    /opt/qradar/bin/test_tomcat_connection.sh
    Result
    All services stay up and the connection to Tomcat is established. If it continues to fail, contact QRadar Support for assistance.
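The copy in steps 2 to 6 can be checked by fingerprint before and after the certificate is replaced. The following is an added example, not IBM's or the technote's own code; the function names are this example's own, and it assumes that cert.cert is PEM-encoded and that openssl is installed on the host.

```bash
# Added example (not IBM code). Assumes a PEM-encoded cert.cert and an installed openssl.

# Print the SHA-256 fingerprint of a PEM certificate; print nothing if it cannot be parsed.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Compare two certificate files by fingerprint.
# Prints "match", "mismatch" or "unreadable"; returns 0, 1 or 2.
certs_match() {
    fp_a=$(cert_fp "$1")
    fp_b=$(cert_fp "$2")
    if [ -z "$fp_a" ] || [ -z "$fp_b" ]; then
        echo "unreadable"; return 2
    fi
    if [ "$fp_a" = "$fp_b" ]; then
        echo "match"; return 0
    fi
    echo "mismatch"; return 1
}

# Gate for step 6: the staged file must parse as X.509 and must not be expired.
staged_cert_ok() {
    [ -n "$(cert_fp "$1")" ] || { echo "not a certificate: $1" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate expired: $1" >&2; return 1; }
}

# On the managed host, after step 2 and before step 6:
#   certs_match /storetmp/cert.cert /etc/httpd/conf/certs/cert.cert
#       "mismatch" confirms the diagnosis; "unreadable" points to a damaged copy.
#   staged_cert_ok /storetmp/cert.cert && echo "safe to install"
# After step 6, run cert_fp on /etc/httpd/conf/certs/cert.cert on both hosts and compare.
```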

Hostname Verification failed

An issue might arise when hostname verification fails during the Tomcat connection test between the console and the managed host. This error can lead to connection rejection and services failing to request data. To resolve the issue, follow these steps:

  1. Use SSH to log in to the QRadar Console as the root user.
  2. Use SSH to log in to the affected host.
  3. Use grep to get the NVAWEBURL parameter:
    grep 'NVAWEBURL=' /opt/qradar/conf/nva.conf
    Expected output:
    NVAWEBURL=https://<console_fqdn>
    If the output is different, continue with the next steps.
  4. Create a backup directory:
    mkdir -pv /store/ibm_support
  5. Create a backup of the nva.conf file:
    cp -v /opt/qradar/conf/nva.conf /store/ibm_support/nva.conf_bk
  6. Set the console FQDN:
    Note: replace <console_fqdn> with the console's FQDN.
    console_fqdn="<console_fqdn>"
    Example:
    console_fqdn="qradar-console.lab.net"
  7. Use sed to fix the wrong parameter:
    sed -i "s/^NVAWEBURL=https:\/\/.*/NVAWEBURL=https:\/\/$console_fqdn/g" /opt/qradar/conf/nva.conf
  8. Verify that the parameter is correct now:
    grep 'NVAWEBURL=' /opt/qradar/conf/nva.conf
    Expected output:
    NVAWEBURL=https://<console_fqdn>
  9. Restart the hostcontext service:
    systemctl restart hostcontext;sleep 1m
  10. Test the connection again:
    /opt/qradar/bin/test_tomcat_connection.sh
    Result
    All services stay up and the connection to Tomcat is established. If it continues to fail, contact QRadar Support for assistance.
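Steps 3 to 8 above can be run as one repeatable check-and-fix. The following is an added example, not IBM's or the technote's own code: it validates the FQDN before it reaches sed, takes the backup, rewrites NVAWEBURL and verifies the result. The function names, status words and return codes are this example's own, and it assumes GNU sed.

```bash
# Added example (not IBM code). Usage on the affected host, with the technote's paths:
#   fix_nvaweburl /opt/qradar/conf/nva.conf qradar-console.lab.net /store/ibm_support

# Accept only DNS-style names so the value cannot alter the sed expression.
valid_fqdn() {
    case $1 in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Print the current NVAWEBURL value (empty if the key is absent).
current_nvaweburl() {
    sed -n 's/^NVAWEBURL=//p' "$1" | head -n 1
}

# Prints "unchanged" or "updated" and returns 0 on success.
# Returns 1 on bad input or a failed backup, 2 if the rewrite did not take effect.
fix_nvaweburl() {
    conf=$1; fqdn=$2; backup_dir=$3
    want="https://$fqdn"
    [ -f "$conf" ] || { echo "missing file: $conf" >&2; return 1; }
    valid_fqdn "$fqdn" || { echo "rejecting FQDN: $fqdn" >&2; return 1; }
    if [ "$(current_nvaweburl "$conf")" = "$want" ]; then
        echo "unchanged"; return 0
    fi
    # Steps 4 and 5: back up before editing.
    mkdir -p "$backup_dir" || return 1
    cp -p "$conf" "$backup_dir/nva.conf_bk" || return 1
    # Step 7: same substitution as the technote, with | as the delimiter.
    sed -i "s|^NVAWEBURL=https://.*|NVAWEBURL=$want|" "$conf" || return 2
    # Step 8: verify instead of assuming the pattern matched.
    if [ "$(current_nvaweburl "$conf")" = "$want" ]; then
        echo "updated"; return 0
    fi
    echo "NVAWEBURL still wrong; inspect $conf by hand" >&2
    return 2
}
```

A return code of 2 means the existing line did not start with NVAWEBURL=https://, which the substitution does not rewrite. Restart hostcontext and rerun the connection test only after the function reports "updated".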

Unrestricted JCE Policy Files

Administrators upgrading to QRadar 7.5.0 UP1 with unrestricted JCE policy files might experience hostcontext service initialization failures after the upgrade is complete. Run the following steps to solve this problem:

  1. Use SSH to log in to the QRadar Console as the root user.
  2. Confirm that the unrestricted JCE Policy files exist:
    /opt/qradar/support/all_servers.sh -Ck "ls -1 /opt/ibm/java-x86_64-80/jre/lib/security/*.jar"
    Expected output to confirm the issue:
    /opt/ibm/java-x86_64-80/jre/lib/security/local_policy.jar
    /opt/ibm/java-x86_64-80/jre/lib/security/US_export_policy.jar
  3. Remove the conflicting files:
    /opt/qradar/support/all_servers.sh -Ck "rm -f /opt/ibm/java-x86_64-80/jre/lib/security/local_policy.jar /opt/ibm/java-x86_64-80/jre/lib/security/US_export_policy.jar"
  4. Confirm that the files were removed:
    /opt/qradar/support/all_servers.sh -Ck "ls -1 /opt/ibm/java-x86_64-80/jre/lib/security/*.jar"
    Result
    All services stay up and the connection to Tomcat is established. If it continues to fail, contact QRadar Support for assistance.


Document Information

Modified date:
08 December 2023

UID

ibm17080071