Troubleshooting
Problem
Administrators can receive a system notification that the QRadar_SAML certificate is close to expiring or has expired. The notifications occur even when SAML is not the authentication method configured on the system, and instruct administrators to renew the certificate as soon as possible.
This article guides administrators through renewing the certificate and stopping the system notification from triggering.
Symptom
- In the Console's user interface, a system notification shows a warning about certificate expiration.
When the certificate is close to expiring, the following alert is received daily: The certificate named QRadar_SAML will expire on <date>. Please update the certificate soon.
When the certificate has already expired, the following alert is received daily: The certificate named QRadar_SAML has expired. Please update the certificate as soon as possible.
- Users might be unable to log in to the Console's user interface when default authentication is used.
Cause
There are two common reasons for these alerts to show:
- The SAML certificate is close to expiring or has already expired.
- The QRadar Console SSL certificate expired and the Console defaulted back to the self-signed certificate.
Diagnosing The Problem
To diagnose this problem, administrators must verify the expiration date of the QRadar_SAML or the SSL certificate.
- Verify the QRadar_SAML certificate is signed by the "QRADAR_SAML-CA" and expires in less than 14 days or is already expired.
openssl x509 -in /opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML.crt -noout -issuer -subject -dates
Output Example:
[root@qradar-console01]# openssl x509 -in /opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML.crt -noout -issuer -subject -dates
issuer= /CN=QRADAR_SAML-CA
subject= /CN=qradar-console01.test.local
notBefore=Jun 10 02:31:54 2022 GMT
notAfter=Jun 10 02:31:54 2023 GMT
The notAfter line shows the date when the certificate expires.
- Verify the previous certificate was replaced by the QRadar SSL certificate signed by the QRadar Local CA.
To check the previous certificate, run:
openssl x509 -in /etc/httpd/conf/certs/cert.cert.orig -noout -issuer -subject -dates
Output Example:
[root@qradar-console01]# openssl x509 -in /etc/httpd/conf/certs/cert.cert.orig -noout -issuer -subject -dates
issuer= /CN=Digicert CA
subject= /CN=qradar-console01.test.local
notBefore=Dec 6 16:16:33 2021 GMT
notAfter=Dec 6 16:16:33 2022 GMT
To check the current certificate signed by QRadar Local CA, run:
openssl x509 -in /etc/httpd/conf/certs/cert.cert -noout -issuer -subject -dates
Output Example:
[root@qradar-console01]# openssl x509 -in /etc/httpd/conf/certs/cert.cert -noout -issuer -subject -dates
issuer= /CN=QRadar Local CA
subject= /CN=qradar-console01.test.local
notBefore=Dec 6 16:16:33 2021 GMT
notAfter=Dec 6 16:16:33 2023 GMT
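The three checks above can be combined into one script that reports each file's issuer and expiry state. This is an added example, not IBM-provided code: the names cert_issuer, cert_status and WARN_DAYS are assumptions, while the paths and the 14-day window come from this article. It assumes GNU date.

```bash
#!/bin/bash
# Added example (not IBM code): report issuer and expiry state for the
# certificate files this article inspects. Requires GNU date.
WARN_DAYS=14   # the "less than 14 days" window from the diagnosis step

# Print the issuer CN from `openssl x509 -issuer` output.
# Accepts both "issuer= /CN=X" and the newer "issuer=CN = X" layouts.
cert_issuer() {
    printf '%s\n' "$1" | sed -n 's/^issuer=.*CN *= *//p'
}

# cert_status "<openssl output>" [now_epoch]
# Prints EXPIRED, "EXPIRING <n>d", "OK <n>d", or UNKNOWN if no notAfter line.
cert_status() {
    local not_after end now left
    not_after=$(printf '%s\n' "$1" | sed -n 's/^notAfter=//p')
    [ -n "$not_after" ] || { echo "UNKNOWN"; return 1; }
    end=$(date -u -d "$not_after" +%s) || { echo "UNKNOWN"; return 1; }
    now=${2:-$(date -u +%s)}
    left=$(( end - now ))
    if [ "$left" -le 0 ]; then
        echo "EXPIRED"
    elif [ "$left" -lt $(( WARN_DAYS * 86400 )) ]; then
        echo "EXPIRING $(( left / 86400 ))d"
    else
        echo "OK $(( left / 86400 ))d"
    fi
}

# Sample copied from the article's output example, so the functions can be
# exercised on a host that has no QRadar certificate files.
SAMPLE='issuer= /CN=QRADAR_SAML-CA
subject= /CN=qradar-console01.test.local
notBefore=Jun 10 02:31:54 2022 GMT
notAfter=Jun 10 02:31:54 2023 GMT'
echo "sample: issuer=$(cert_issuer "$SAMPLE") status=$(cert_status "$SAMPLE")"

# On the Console: check every certificate file named in this article.
for f in /opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML.crt \
         /etc/httpd/conf/certs/cert.cert.orig \
         /etc/httpd/conf/certs/cert.cert; do
    [ -r "$f" ] || continue   # skip files that do not exist on this host
    out=$(openssl x509 -in "$f" -noout -issuer -subject -dates) || continue
    echo "$f: issuer=$(cert_issuer "$out") status=$(cert_status "$out")"
done
```

An issuer of QRadar Local CA on cert.cert alongside an expired cert.cert.orig matches the second cause listed above.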
Resolving The Problem
The SAML certificate is expired or close to expiring
Administrators must renew the QRadar_SAML certificate.
- Log in to the QRadar Console user interface as an administrator user.
- Click the Admin tab.
- In the User Management menu, click Authentication.
- Click Authentication Module Settings.
- Display the authentication and select SAML 2.0.
- Scroll to the Service Provider Configuration section.
- In the Certificate for signing and encryption menu, ensure the QRadar_SAML is selected and click Renew.
Note: When the certificate is renewed, a menu is displayed.
- Close the Authentication menu without clicking Save Authentication Module.
Note: Because SAML is not used for authentication, administrators must not save the authentication module as it overwrites the authentication method to be used.
Result
The QRadar_SAML cert is now renewed and the alert no longer triggers.
The Console SSL certificate needs to be renewed. Administrators must follow a specific procedure depending on whether the SSL certificate is issued by internal or trusted third-party certificate authorities.
- For QRadar deployments that use self-signed certificates, see Reverting to certificates that are generated by the QRadar local CA.
- For QRadar deployments that use Trusted third-party certificate authorities (CA), create a Certificate Signing Request (CSR) and share it with the certificate authority.
- For a single domain CSR, follow: Creating an SSL certificate signing request with 2048-bit RSA keys.
- For multi-domain CSR, follow: Creating a multi-domain (SAN) SSL certificate signing request.
- When the certificate authority provides the signed certificate, install the certificate by following: Installing a new SSL certificate.
Result
The QRadar SSL cert is now renewed and the alert no longer triggers.
Document Location
Worldwide
Document Information
Modified date:
26 July 2022
UID
ibm16591107