IBM Support

IJ08977: MICROSOFT OFFICE 365 LOG SOURCE CAN STOP COLLECTING WITH 'ERROR -AN ERROR OCCURRED INDICATING THAT THE REQUIRED CERTIFICATE..'

APAR status

  • Closed as program error.

Error description

  • It has been identified that Microsoft Office 365 Log Sources
    can stop collecting and display a message similar to: "ERROR -
    An error occurred indicating that the required certificate(s)
    is not installed. In the Automatically Acquire Server
    Certificate(s) field, select Yes from the list to automatically
    download the required certificate(s)."
    
    Messages similar to the following might be visible in
    /var/log/qradar.error when this issue is occurring:

    [ecs-ec] [EXCHANGE1903] com.q1labs.frameworks.crypto.Q1X509TrustManager: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Rejecting SSL/TLS connection because server presented unrecognized certificate. The chain sent by the server is:
    [ecs-ec] [EXCHANGE1903] com.q1labs.frameworks.crypto.Q1X509TrustManager: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]    Subject = CN=graph.windows.net
    [ecs-ec] [EXCHANGE1903] com.q1labs.frameworks.crypto.Q1X509TrustManager: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]    Subject = CN=Microsoft IT TLS CA 1, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US
    [ecs-ec] [EXCHANGE1903] com.q1labs.frameworks.crypto.Q1X509TrustManager: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]The current certificate white list is:
    [ecs-ec] [EXCHANGE1903] com.q1labs.frameworks.crypto.Q1X509TrustManager: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]    Subject = CN=Microsoft IT TLS CA 4, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US
    [ecs-ec] [EXCHANGE1903] com.q1labs.frameworks.crypto.Q1X509TrustManager: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]    Subject = CN=manage.office.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, ST=WA, C=US
    [ecs-ec] [EXCHANGE1903] com.q1labs.frameworks.crypto.Q1X509TrustManager: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]    Subject = CN=Microsoft IT TLS CA 2, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US
    [ecs-ec] [EXCHANGE1903] com.q1labs.frameworks.crypto.Q1X509TrustManager: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]To establish trust in this server certificate, place a copy in /opt/qradar/conf/trusted_certificates
    [ecs-ec] [EXCHANGE1903] com.q1labs.frameworks.crypto.Q1X509TrustManager: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Enable log4j logging for class com.q1labs.frameworks.crypto.Q1X509TrustManager for certificate
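
    For triage, the rejection messages above can be grouped per connection and the presented chain compared with the trusted list. The following is an added example, not IBM code: it assumes one log entry per line, treats the second bracketed field as a per-collector tag, and compares the printed Subject strings only, which is a triage aid and not necessarily how the trust manager itself decides.

```python
import re

# Constructed sample: the excerpt above, one entry per line (the page shows it wrapped).
PREFIX = ("[ecs-ec] [EXCHANGE1903] com.q1labs.frameworks.crypto.Q1X509TrustManager: "
          "[WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]")
MS = ", OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US"
SAMPLE = "\n".join(PREFIX + m for m in [
    "Rejecting SSL/TLS connection because server presented unrecognized "
    "certificate. The chain sent by the server is:",
    "    Subject = CN=graph.windows.net",
    "    Subject = CN=Microsoft IT TLS CA 1" + MS,
    "The current certificate white list is:",
    "    Subject = CN=Microsoft IT TLS CA 4" + MS,
    "    Subject = CN=manage.office.com, OU=Microsoft Corporation, "
    "O=Microsoft Corporation, L=Redmond, ST=WA, C=US",
    "    Subject = CN=Microsoft IT TLS CA 2" + MS,
    "To establish trust in this server certificate, place a copy in "
    "/opt/qradar/conf/trusted_certificates",
])

# Assumption: the bracketed field just before the class name tags the collector.
ENTRY = re.compile(r"\[(?P<tag>[^\]]+)\] \S*Q1X509TrustManager: \[WARN\] "
                   r"\[NOT:\d+\]\[[^\]]*\] \[[^\]]*\](?P<msg>.*)$")

def parse_rejections(text):
    """Return one record per rejected connection, tracked per tag."""
    events, state = [], {}          # state: tag -> [record, current section]
    for m in filter(None, map(ENTRY.search, text.splitlines())):
        tag, msg = m["tag"], m["msg"].strip()
        if msg.startswith("Rejecting SSL/TLS connection"):
            record = {"tag": tag, "presented": [], "trusted": []}
            events.append(record)
            state[tag] = [record, "presented"]
        elif tag in state:
            if msg.startswith("The current certificate white list is"):
                state[tag][1] = "trusted"
            elif msg.startswith("Subject ="):
                record, section = state[tag]
                record[section].append(msg.split("=", 1)[1].strip())
            else:                   # any other message ends the listing
                del state[tag]
    return events

def unmatched_subjects(event):
    """Presented subjects with no identical subject in the trusted list."""
    return [s for s in event["presented"] if s not in event["trusted"]]

if __name__ == "__main__":
    for ev in parse_rejections(SAMPLE):
        print(ev["tag"], unmatched_subjects(ev))
```

    On the sample, both presented subjects (graph.windows.net and Microsoft IT TLS CA 1) are reported as absent from the trusted list, which holds CA 4, manage.office.com and CA 2.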
    

Local fix

  • Contact Support for a possible workaround that might address
    this issue in some instances.
    

Problem summary

  • It has been identified that Microsoft Office 365 Log Sources
    can stop collecting and display a message similar to: "ERROR -
    An error occurred indicating that the required certificate(s)
    is not installed. In the Automatically Acquire Server
    Certificate(s) field, select Yes from the list to automatically
    download the required certificate(s)."
    

Problem conclusion

  • This issue was fixed in QRadar 728, 730, 731. DSM updates have
    been released to FixCentral and OEM Sites.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ08977

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    728

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-09-06

  • Closed date

    2019-01-09

  • Last modified date

    2019-01-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels



Document information

More support for: IBM QRadar SIEM

Software version: 728

Reference #: IJ08977

Modified date: 09 January 2019