IBM Support

IJ25789: TLS SYSLOG LOG SOURCE CAN FAIL TO WORK AFTER USING INCORRECT PRIVATE KEY AT SETUP EVEN AFTER IT HAS BEEN CORRECTED


 

APAR status

  • Closed as Permanent restriction.

Error description

  • A TLS Syslog Log Source can fail to ingest events when
    initially configured with an incorrect private key even after
    the private key has been corrected.
    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue is occurring:
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-26717] com.q1labs.semsources.sources.tlssyslog.TLSSecurityManager: [ERROR] Error adding key to TLS keystore.
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-26717] java.security.spec.InvalidKeySpecException: Inappropriate key specification: PrivateKeyInfo parsing error.
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at com.ibm.crypto.provider.RSAKeyFactory.engineGeneratePrivate(Unknown Source)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at java.security.KeyFactory.generatePrivate(KeyFactory.java:383)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at com.q1labs.semsources.sources.tlssyslog.TLSSecurityManager.addKeyToKeyStore(TLSSecurityManager.java:408)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at com.q1labs.semsources.sources.tlssyslog.TLSSyslogProvider.setupServerKeyStore(TLSSyslogProvider.java:487)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at com.q1labs.semsources.sources.tlssyslog.TLSSyslogProvider.preExecuteConfigure(TLSSyslogProvider.java:94)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at com.q1labs.semsources.sources.base.SourceProvider.run(SourceProvider.java:181)
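
To confirm that a host is hitting this condition, the following added example (not IBM's code) scans log lines for the keystore error followed, in the same thread, by the InvalidKeySpecException. The sample lines are constructed from the messages quoted above; the function name and the assumption that the component and thread appear as adjacent bracketed fields are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of the messages quoted above. Real
# qradar.log lines may carry extra prefix fields; the regex tolerates them.
SAMPLE_LOG = """\
[ecs-ec-ingress.ecs-ec-ingress] [Thread-26717] com.q1labs.semsources.sources.tlssyslog.TLSSecurityManager: [ERROR] Error adding key to TLS keystore.
[ecs-ec-ingress.ecs-ec-ingress] [Thread-26717] java.security.spec.InvalidKeySpecException: Inappropriate key specification: PrivateKeyInfo parsing error.
[ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at java.security.KeyFactory.generatePrivate(KeyFactory.java:383)
[ecs-ec-ingress.ecs-ec-ingress] [Thread-101] com.q1labs.semsources.sources.tlssyslog.TLSSecurityManager: [ERROR] Error adding key to TLS keystore.
[ecs-ec-ingress.ecs-ec-ingress] [Thread-202] java.security.spec.InvalidKeySpecException: Inappropriate key specification: PrivateKeyInfo parsing error.
"""

LINE_RE = re.compile(
    r"\[(?P<component>[^\]\s]+)\]\s+\[(?P<thread>Thread-\d+)\]\s+(?P<msg>.*)")
KEYSTORE_ERR = "TLSSecurityManager: [ERROR] Error adding key to TLS keystore."
KEYSPEC_EXC = "java.security.spec.InvalidKeySpecException"

def find_keystore_failures(lines):
    """Return one finding per (component, thread) where the keystore error is
    followed, in that same thread, by the InvalidKeySpecException line."""
    pending = {}              # (component, thread) -> line no. of keystore error
    findings = OrderedDict()  # keeps first-seen order for reporting
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.search(line)
        if not m:
            continue
        key, msg = (m["component"], m["thread"]), m["msg"]
        if KEYSTORE_ERR in msg:
            pending[key] = lineno
        elif key in pending and msg.startswith(KEYSPEC_EXC):
            entry = findings.setdefault(key, {
                "component": key[0], "thread": key[1],
                "first_line": pending[key], "count": 0, "reason": msg.strip()})
            entry["count"] += 1
            del pending[key]
        elif key in pending and not msg.startswith("at "):
            del pending[key]  # an unrelated message broke the sequence
    return list(findings.values())

if __name__ == "__main__":
    for f in find_keystore_failures(SAMPLE_LOG.splitlines()):
        print(f"{f['component']} {f['thread']} line {f['first_line']}: {f['reason']}")
```

To scan a live system, pass an open handle on /var/log/qradar.log as `lines` instead of the sample.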
    

Local fix

  • 1. Rename the certificate to any new name
    2. Disable/enable the log source.
    The log source should then work and retrieve events as expected.
    

Problem summary

  • We have identified this issue as a permanent restriction for
    this integration. A fix for this issue will not be provided.
    

Problem conclusion

  • We have identified this issue as a permanent restriction for
    this integration. A fix for this issue will not be provided.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ25789

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    732

  • Status

    CLOSED PRS

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-06-23

  • Closed date

    2021-04-27

  • Last modified date

    2021-04-27

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels


Document Information

Modified date:
28 April 2021