IBM Support

QRadar: How to fix the CRL Expiry errors in Disconnected Log Collector (DLC)

Troubleshooting


Problem

Errors related to an expired Certificate Revocation List (CRL) are reported in the DLC error log. To address this issue, adjust a specific property in the framework properties file.

Symptom

Example of the error message shown in the dlc.error file:
[-/- -]Errors in loading a valid Q1X509Crl from /opt/ibm/si/services/dlc/conf/cached_crl/http\crl.identrust.com\DSTROOTCAX3CRL.crl
com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CRLExpiredException: 
Crl expired: IssuerDN [CN=DST Root CA X3, O=Digital Signature Trust Co.]

Cause

The property trustmanager.enableCRLDP in the /opt/ibm/si/services/dlc/conf/framework.properties file is currently set to true. The suggested solution is to change this value to false, which disables the generation of the CRL-related error and prevents future occurrences.

Resolving The Problem

  1. SSH to the server where you have installed the DLC.
  2. Stop the dlc process by running the following command:
    systemctl stop dlc
  3. Run the following command to navigate to the directory that contains the CRL file:
    cd /opt/ibm/si/services/dlc/conf/cached_crl
  4. Back up the http\crl.identrust.com\DSTROOTCAX3CRL.crl file by using the following command:
    cp '/opt/ibm/si/services/dlc/conf/cached_crl/http\crl.identrust.com\DSTROOTCAX3CRL.crl' /tmp/support/
  5. Remove the original CRL file by running the following command:
    rm 'http\crl.identrust.com\DSTROOTCAX3CRL.crl'
  6. Edit the /opt/ibm/si/services/dlc/conf/framework.properties file. In the file, find:
    trustmanager.enableCRLDP=true
    and set it to:
    trustmanager.enableCRLDP=false
  7. Start the dlc process again:
    systemctl start dlc
  8. Wait for a moment for the service to start and check the logs to ensure the issue is resolved.

    Result
    The error messages stop appearing in the dlc.error log. If the issue persists, contact QRadar Support for assistance.
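Steps 3 to 6 can be scripted so that the cached CRL is deleted only after its backup copy succeeds and the property edit is verified. The following is an added example, not IBM's code: the paths, file name and property come from this article, while the function name fix_dlc_crl, its two arguments and the framework.properties.bak copy are assumptions. Run it between the stop and start commands of steps 2 and 7.

```shell
#!/bin/sh
# Added example (not IBM's code): steps 3-6 of the procedure as one function.
# Usage: fix_dlc_crl [conf_dir] [backup_dir]   (both arguments are assumptions)

# The cached file name contains literal backslashes, as shown in the log
# message, so it must stay single-quoted.
CRL_NAME='http\crl.identrust.com\DSTROOTCAX3CRL.crl'

fix_dlc_crl() {
    conf_dir=${1:-/opt/ibm/si/services/dlc/conf}
    backup_dir=${2:-/tmp/support}
    props="$conf_dir/framework.properties"
    crl="$conf_dir/cached_crl/$CRL_NAME"
    key='^[[:space:]]*trustmanager\.enableCRLDP[[:space:]]*='

    [ -f "$props" ] || { echo "missing $props" >&2; return 1; }
    mkdir -p "$backup_dir" || return 1

    # Steps 4-5: back up the cached CRL, remove it only if the copy worked.
    if [ -f "$crl" ]; then
        cp -p -- "$crl" "$backup_dir/" && rm -f -- "$crl" || return 1
    fi

    # Step 6: nothing to do if the property is already false.
    if grep -Eq "${key}[[:space:]]*false[[:space:]]*\$" "$props"; then
        return 0
    fi
    # Refuse to guess if the property line is absent from the file.
    grep -Eq "$key" "$props" ||
        { echo "trustmanager.enableCRLDP not found in $props" >&2; return 2; }

    # Keep a copy of the properties file, then rewrite it in place so that
    # ownership and permissions of the original file are preserved.
    cp -p -- "$props" "$backup_dir/framework.properties.bak" || return 1
    sed -E "s/(${key}).*/\\1false/" "$props" > "$props.new" &&
        cat "$props.new" > "$props" && rm -f "$props.new"
}
```

A return code of 2 means the property line was not found and the file was left unchanged.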

Document Location

Worldwide


Document Information

Modified date:
07 June 2024

UID

ibm17095754