IBM Support

IJ21567: RESET OF QRADAR CERTIFICATES CAN FAIL WHEN QRADARCA-MONITOR SERVICE IS RUNNING AT THE SAME TIME


APAR status

  • Closed as program error.

Error description

  • The reset-qradar-ca.sh script can fail to reset all
    certificates properly if it runs at the same time as the
    qradarca-monitor service.
    Messages similar to the following might be visible in
    /var/log/localca.log when this issue is occurring:
    time="2019-10-03T12:36:57-04:00" level=debug msg="Start loading configurations from /opt/qradar/ca/conf.d/conman-server.json"
    time="2019-10-03T12:36:57-04:00" level=debug msg="Checking certificate /etc/conman/tls/conman_ca.crt expiration status for local host"
    time="2019-10-03T12:36:57-04:00" level=warning msg="Certificate /etc/conman/tls/conman_ca.crt was not found. Preparing to generate new certificate"
    time="2019-10-03T12:36:57-04:00" level=debug msg="Certificate /etc/conman/tls/conman_ca.crt is close to expire. Regenerate the certificate"
    time="2019-10-03T12:36:57-04:00" level=debug msg="Regenerating dependent certificate id=4, type=intermediate, file=/etc/conman/tls/conman_ca.crt, cfg=/opt/qradar/ca/conf.d/conman-server.json"
    time="2019-10-03T12:36:57-04:00" level=debug msg="Start loading configurations from /opt/qradar/ca/conf.d/conman-server.json"
    time="2019-10-03T12:36:57-04:00" level=info msg="Setup intermediate CA for service conman"
    time="2019-10-03T12:37:00-04:00" level=debug msg="127.0.0.1-> <fqdn>" action=command
    time="2019-10-03T12:37:00-04:00" level=debug msg="Appliance Type: 4000\tProduct Version: 7.3.2.20190522204210" action=command
    time="2019-10-03T12:37:00-04:00" level=debug msg=" 12:36:56 up 83 days,  1:43,  0 users,  load average: 2.33, 2.35, 2.19" action=command
    time="2019-10-03T12:37:00-04:00" level=debug msg=------------------------------------------------------------------------ action=command
    time="2019-10-03T12:37:00-04:00" level=debug action=command
    time="2019-10-03T12:37:00-04:00" level=info msg="Setup CSR /etc/vault-qrd/tls/vault-qrd.csr for service vault-qrd under host 10.170.30.182"
    time="2019-10-03T12:37:01-04:00" level=debug msg="INFO: Retrieving /etc/vault-qrd/tls/vault-qrd.csr from each server, will be placed in separate from-x.x.x.x directories under /opt/qradar/ca/certs" action=pull
    time="2019-10-03T12:37:01-04:00" level=debug action=pull
    time="2019-10-03T12:37:01-04:00" level=debug msg="<ipadress> -> <hostname>" action=pull
    time="2019-10-03T12:37:01-04:00" level=debug msg="Appliance Type: 1400\tProduct Version: 7.3.2.20190522204210" action=pull
    time="2019-10-03T12:37:01-04:00" level=debug msg=" 12:37:00 up 83 days, 14:38,  0 users,  load average: 2.45, 2.48, 2.57" action=pull
    time="2019-10-03T12:37:01-04:00" level=warning msg="CSR path /opt/qradar/ca/certs/from-10.170.30.182/vault-qrd.csr does not exist"
    time="2019-10-03T12:37:01-04:00" level=debug msg=------------------------------------------------------------------------ action=pull
    time="2019-10-03T12:37:01-04:00" level=debug msg="rsync: change_dir \"/etc/vault-qrd/tls\" failed: No such file or directory (2)" action=pull
    time="2019-10-03T12:37:01-04:00" level=debug msg="rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1650) [Receiver=3.1.2]" action=pull
    time="2019-10-03T12:37:01-04:00" level=debug msg="rsync: [Receiver] write error: Broken pipe (32)" action=pull
    time="2019-10-03T12:37:01-04:00" level=debug action=pull
    time="2019-10-03T12:37:01-04:00" level=info msg="Run command /opt/ibm/si/vault-qrd/bin/tls-certs-updated.sh"
    time="2019-10-03T12:37:04-04:00" level=error msg="Failed to generate intermediate CA for service conman" error="exit status 1"
    time="2019-10-03T12:37:04-04:00" level=error msg="Failed to regenerate the intermediate certificate /etc/conman/tls/conman_ca.crt"
    And in /var/log/setup-xxx/configure-qradar-ca.log:
    [configure-qradar-ca.sh] [RunAndLog] /opt/qradar/bin/si-vault write -format=json conman-int-pki/intermediate/generate/exported common_name="CONMAN-CA" ttl=26280h key_bits=4096 exclude_cn_from_sans=true > /tmp/tmp.GGQWCqN3KK
    [configure-qradar-ca.sh] Export intermediate CA key file to /var/tmp/qradar_int.key
    [configure-qradar-ca.sh] [RunAndLog] /opt/qradar/bin/si-vault write -format=json qradar-pki/root/sign-intermediate csr="@/var/tmp/qradar_int.csr" common_name="CONMAN-CA" ttl=26280h > /tmp/tmp.33wItN4riu
    Error writing data to qradar-pki/root/sign-intermediate: Error making API request.
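The following is an added example, not IBM code and not part of this APAR: a small parser for the key=value (logfmt-style) records that the excerpt above shows in /var/log/localca.log, plus a check that lists any certificate whose regeneration the monitor started and later reported as failed, which is the symptom an administrator would look for before re-running the reset. The record format, the "Regenerating dependent certificate ... file=..." and "Failed to regenerate the intermediate certificate ..." message shapes, and the sample lines are all taken from the excerpt on this page; the function names and the assumption that the path in the file= field identifies the certificate are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Sample input: seven records copied from the /var/log/localca.log excerpt in
# the error description above, unwrapped to one record per line.
SAMPLE_LOG = r"""
time="2019-10-03T12:36:57-04:00" level=warning msg="Certificate /etc/conman/tls/conman_ca.crt was not found. Preparing to generate new certificate"
time="2019-10-03T12:36:57-04:00" level=debug msg="Regenerating dependent certificate id=4, type=intermediate, file=/etc/conman/tls/conman_ca.crt, cfg=/opt/qradar/ca/conf.d/conman-server.json"
time="2019-10-03T12:36:57-04:00" level=info msg="Setup intermediate CA for service conman"
time="2019-10-03T12:37:01-04:00" level=debug msg="rsync: change_dir \"/etc/vault-qrd/tls\" failed: No such file or directory (2)" action=pull
time="2019-10-03T12:37:01-04:00" level=debug action=pull
time="2019-10-03T12:37:04-04:00" level=error msg="Failed to generate intermediate CA for service conman" error="exit status 1"
time="2019-10-03T12:37:04-04:00" level=error msg="Failed to regenerate the intermediate certificate /etc/conman/tls/conman_ca.crt"
"""

# One key=value token: the value is either a double-quoted string with
# backslash escapes (as in the rsync line) or a bare run of non-space
# characters (as in the msg=------ separator records of the excerpt).
LOGFMT_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_logfmt_line(line: str) -> Dict[str, str]:
    """Split one record into its fields, stripping quotes and escapes."""
    fields: Dict[str, str] = {}
    for key, raw in LOGFMT_TOKEN.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            fields[key] = re.sub(r'\\(.)', r'\1', raw[1:-1])
        else:
            fields[key] = raw
    return fields


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line of a localca.log-style text."""
    return [parse_logfmt_line(ln) for ln in text.splitlines() if ln.strip()]


def count_by_level(entries: List[Dict[str, str]]) -> Dict[str, int]:
    """Count records per level= value; a quick way to spot error records."""
    counts: Dict[str, int] = {}
    for e in entries:
        lvl = e.get("level", "unknown")
        counts[lvl] = counts.get(lvl, 0) + 1
    return counts


# Assumption (this example's own): the certificate path appears in the
# file= field of the "Regenerating" message and at the end of the
# "Failed to regenerate" message, as it does in the excerpt.
REGEN_START = re.compile(r"^Regenerating dependent certificate .*\bfile=(\S+?),")
REGEN_FAIL = re.compile(r"^Failed to regenerate the intermediate certificate (\S+)$")


def failed_regenerations(entries: List[Dict[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Map each certificate whose regeneration started and later failed to its
    (start time, failure time) window."""
    started: Dict[str, str] = {}
    failed: Dict[str, Tuple[str, str]] = {}
    for e in entries:
        msg = e.get("msg", "")
        m = REGEN_START.match(msg)
        if m:
            started[m.group(1)] = e.get("time", "")
            continue
        m = REGEN_FAIL.match(msg)
        if m and m.group(1) in started:
            failed[m.group(1)] = (started[m.group(1)], e.get("time", ""))
    return failed


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("records by level:", count_by_level(entries))
    for path, (start, end) in failed_regenerations(entries).items():
        print(f"regeneration of {path} started {start}, failed {end}")
```

Run against a real log, an empty result from failed_regenerations means no monitor-driven regeneration failed in that window; a non-empty result gives the certificate and the time range to compare against when reset-qradar-ca.sh was run.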
    

Local fix

  • Contact Support for a possible workaround that might address
    this issue in some instances.
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 7.3.3 FixPack
    4 and 7.4.0 FixPack 1.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 7.3.3 FixPack
    4 and 7.4.0 FixPack 1.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ21567

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    732

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-12-11

  • Closed date

    2020-07-28

  • Last modified date

    2020-07-28

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

  • Business Unit: Software (BU029)
  • Product: IBM QRadar SIEM (SSBQAC)
  • Platform: Platform Independent (PF025)
  • Version: 732

Document Information

Modified date:
29 July 2020