IBM Support

QRadar: "Certificate expires soon" or "certificate is expired" alert for QRadar_SAML certificate when SAML authentication is not in use.

Troubleshooting


Problem

Administrators can receive a system notification that the QRadar_SAML certificate is close to expiring or has already expired. The alert appears even when SAML is not the authentication method configured on the system, and it instructs administrators to renew the certificate as soon as possible.
This article shows administrators how to renew the certificate so that the system notification stops triggering.

Symptom

  • In the Console's user interface, a system notification shows a warning about certificate expiration.

    When the certificate is close to expiring, the following alert is received daily:
    The certificate named QRadar_SAML will expire on <date>. Please update the certificate soon.
    When the certificate has already expired, the following alert is received daily:
    The certificate named QRadar_SAML has expired. Please update the certificate as soon as possible.
  • Users might be unable to log in to the Console's user interface when default authentication is used.

Cause

There are two common causes of these alerts:
  • The SAML certificate is close to expiring or has already expired.
  • The QRadar Console SSL certificate has expired and QRadar has reverted to the self-signed certificate.

Diagnosing The Problem

To diagnose this problem, administrators must verify the expiration dates of the QRadar_SAML certificate and of the Console SSL certificate.
  1. Verify whether the QRadar_SAML certificate is signed by "QRADAR_SAML-CA" and expires in less than 14 days or has already expired.
     
    openssl x509 -in /opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML.crt -noout -issuer -subject -dates
    Output Example:
    [root@qradar-console01]# openssl x509 -in /opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML.crt -noout -issuer -subject -dates
    issuer= /CN=QRADAR_SAML-CA
    subject= /CN=qradar-console01.test.local
    notBefore=Jun 10 02:31:54 2022 GMT
    notAfter=Jun 10 02:31:54 2023 GMT
    The notAfter line shows the date when the certificate expires.
     
  2. Verify whether the previous Console SSL certificate was replaced by a QRadar SSL certificate signed by the QRadar Local CA.

    To check the previous certificate, run:
    openssl x509 -in /etc/httpd/conf/certs/cert.cert.orig -noout -issuer -subject -dates
    When an SSL certificate is reverted, QRadar appends ".orig" to the file name of the previous certificate.

    Output Example:
    [root@qradar-console01]# openssl x509 -in /etc/httpd/conf/certs/cert.cert.orig -noout -issuer -subject -dates
    issuer= /CN=Digicert CA
    subject= /CN=qradar-console01.test.local
    notBefore=Dec  6 16:16:33 2021 GMT
    notAfter=Dec  6 16:16:33 2022 GMT
    

    To check the current certificate signed by QRadar Local CA, run:
    openssl x509 -in /etc/httpd/conf/certs/cert.cert -noout -issuer -subject -dates
    Output Example:
    [root@qradar-console01]# openssl x509 -in /etc/httpd/conf/certs/cert.cert -noout -issuer -subject -dates
    issuer= /CN=QRadar Local CA
    subject= /CN=qradar-console01.test.local
    notBefore=Dec  6 16:16:33 2021 GMT
    notAfter=Dec  6 16:16:33 2023 GMT
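
The two checks above can be scripted. The following is an added example written for this article, not IBM's own tooling: it parses the text that the `openssl x509 -noout -issuer -subject -dates` command prints, computes the days left before notAfter, and reports the issuer CN so that the 14-day and "signed by QRADAR_SAML-CA" / "signed by QRadar Local CA" conditions can be checked mechanically. The certificate paths are the ones from this article; the function names, the `WARNING_DAYS` constant and the embedded sample outputs (copied from the output examples above) are the example's own assumptions.

```python
"""Offline checker for the QRadar_SAML / Console SSL expiry conditions.

Added example, not IBM's tooling. It parses the output of
`openssl x509 -noout -issuer -subject -dates` and flags certificates that
have expired or expire in fewer than WARNING_DAYS days.
"""
import subprocess
from datetime import datetime, timedelta, timezone

WARNING_DAYS = 14                      # assumption: matches the 14-day warning window
DATE_FMT = "%b %d %H:%M:%S %Y GMT"     # openssl's notBefore/notAfter format

# Certificate paths from the article.
SAML_CERT = "/opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML.crt"
CONSOLE_CERT = "/etc/httpd/conf/certs/cert.cert"
CONSOLE_CERT_ORIG = "/etc/httpd/conf/certs/cert.cert.orig"

# Sample outputs copied from the article's "Output Example" blocks.
SAMPLE_SAML_OUTPUT = """
[root@qradar-console01]# openssl x509 -in /opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML.crt -noout -issuer -subject -dates
issuer= /CN=QRADAR_SAML-CA
subject= /CN=qradar-console01.test.local
notBefore=Jun 10 02:31:54 2022 GMT
notAfter=Jun 10 02:31:54 2023 GMT
"""
SAMPLE_CONSOLE_ORIG_OUTPUT = """
issuer= /CN=Digicert CA
subject= /CN=qradar-console01.test.local
notBefore=Dec  6 16:16:33 2021 GMT
notAfter=Dec  6 16:16:33 2022 GMT
"""
SAMPLE_CONSOLE_OUTPUT = """
issuer= /CN=QRadar Local CA
subject= /CN=qradar-console01.test.local
notBefore=Dec  6 16:16:33 2021 GMT
notAfter=Dec  6 16:16:33 2023 GMT
"""


def utc(year, month, day):
    """Aware UTC datetime for a calendar day (used as the 'now' reference)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def common_name(dn):
    """Extract the CN from a one-line DN: '/CN=X', '/C=US/O=Y/CN=X' or 'CN = X'.

    Handles both the legacy slash-separated and the newer comma-separated
    openssl DN styles; values that themselves contain '/' or ',' are not handled.
    """
    for rdn in dn.replace("/", ",").split(","):
        name, sep, value = rdn.partition("=")
        if sep and name.strip() == "CN":
            return value.strip()
    return None


def parse_openssl_dates(text):
    """Collect issuer/subject/notBefore/notAfter; ignore the echoed prompt line."""
    wanted = ("issuer", "subject", "notBefore", "notAfter")
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() in wanted:
            fields[key.strip()] = value.strip()
    missing = [k for k in wanted if k not in fields]
    if missing:
        raise ValueError("openssl output is missing: " + ", ".join(missing))
    to_dt = lambda s: datetime.strptime(s, DATE_FMT).replace(tzinfo=timezone.utc)
    return {"issuer": fields["issuer"], "subject": fields["subject"],
            "not_before": to_dt(fields["notBefore"]), "not_after": to_dt(fields["notAfter"])}


def expiry_status(cert, now, warning_days=WARNING_DAYS):
    """Return ('expired' | 'expiring_soon' | 'ok', whole days left before notAfter)."""
    remaining = cert["not_after"] - now
    if remaining <= timedelta(0):
        return "expired", remaining.days
    if remaining < timedelta(days=warning_days):
        return "expiring_soon", remaining.days
    return "ok", remaining.days


def diagnose(openssl_text, now):
    """Summarise one certificate: who issued it and how close to expiry it is."""
    cert = parse_openssl_dates(openssl_text)
    status, days_left = expiry_status(cert, now)
    return {"subject_cn": common_name(cert["subject"]), "issuer_cn": common_name(cert["issuer"]),
            "not_after": cert["not_after"], "status": status, "days_left": days_left}


def run_openssl(path):
    """Run the same openssl command as the article and return its text output."""
    cmd = ["openssl", "x509", "-in", path, "-noout", "-issuer", "-subject", "-dates"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for label, path in (("QRadar_SAML", SAML_CERT), ("Console", CONSOLE_CERT),
                        ("Console (previous)", CONSOLE_CERT_ORIG)):
        try:
            d = diagnose(run_openssl(path), now)
        except (OSError, subprocess.CalledProcessError, ValueError) as exc:
            print(f"{label}: cannot read {path}: {exc}")
            continue
        print(f"{label}: subject CN={d['subject_cn']} issuer CN={d['issuer_cn']} "
              f"{d['status']} ({d['days_left']} days left, notAfter {d['not_after']:%Y-%m-%d})")
```

Run it on the Console as root to get one line per certificate; a QRadar_SAML line reporting issuer CN QRADAR_SAML-CA with status expired or expiring_soon corresponds to the first cause above, and a Console line whose issuer CN is QRadar Local CA while cert.cert.orig carries the third-party issuer corresponds to the second.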
    

Resolving The Problem

The SAML certificate has expired or is close to expiring
Administrators must renew the QRadar_SAML certificate.
  1. Log in to the QRadar Console user interface as an administrator user.
  2. Click the Admin tab.
  3. In the User Management menu, click Authentication.
  4. Click Authentication Module Settings.
  5. In the authentication module list, select SAML 2.0.
    Figure01
  6. Scroll to the Service Provider Configuration section.
  7. In the Certificate for signing and encryption menu, ensure the QRadar_SAML is selected and click Renew.
    Figure02
    Note: When the certificate is renewed, the following dialog is displayed.
    Figure03
  8. Close the Authentication menu without clicking Save Authentication Module.
    Note: Because SAML is not used for authentication, administrators must not save the authentication module, because saving it overwrites the authentication method that is currently in use.

    Result
    The QRadar_SAML certificate is now renewed and the alert no longer triggers.
     
The Console SSL certificate has expired
The Console SSL certificate needs to be renewed. The procedure depends on whether the SSL certificate is issued by the internal QRadar local CA or by a trusted third-party certificate authority.
  1. For QRadar deployments that use self-signed certificates, see Reverting to certificates that are generated by the QRadar local CA.
  2. For QRadar deployments that use a trusted third-party certificate authority (CA), create a Certificate Signing Request (CSR) and share it with the certificate authority.
    1. For a single-domain CSR, follow: Creating an SSL certificate signing request with 2048-bit RSA keys.
    2. For a multi-domain CSR, follow: Creating a multi-domain (SAN) SSL certificate signing request.
  3. When the certificate authority provides the signed certificate, install the certificate by following: Installing a new SSL certificate.

Result
The QRadar SSL certificate is now renewed and the alert no longer triggers.

Document Location

Worldwide


Document Information

Modified date:
26 July 2022

UID

ibm16591107