IBM Support

IJ32029: LOG SOURCES CONFIGURED TO USE THE VMWARE PROTOCOL CAN STOP WORKING AFTER INSTALLING UPDATED PROTOCOL VERSION


APAR status

  • Closed as program error.

Error description

  • Log Sources configured to use the VMware protocol can stop
    working and display "Invalid Credentials when initializing
    EMCVmWareProtocol" after installing a new EMCVmware protocol
    rpm manually or via the AutoUpdate feature in QRadar.

    Affected Protocol RPM versions:
    PROTOCOL-EMCVMWareProtocol-7.3-20200916171440.noarch.rpm
    PROTOCOL-EMCVMWareProtocol-7.4-20200916171516.noarch.rpm

    Run the following command to identify the currently installed rpm
    version from an SSH session to the QRadar Console for
    verification of this identified issue:
    # rpm -qa | grep -i emcvmwareprotocol

    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue is occurring:
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] Caused by: java.rmi.RemoteException: VI SDK invoke exception:java.rmi.RemoteException: VI SDK invoke exception:org.dom4j.DocumentException: org.dom4j.DocumentFactory incompatible with org.dom4j.DocumentFactory
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] at com.vmware.vim25.ws.WSClient.invoke(Unknown Source)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] at com.vmware.vim25.ws.VimStub.retrieveServiceContent(Unknown Source)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] at com.vmware.vim25.mo.ServiceInstance.<init>(Unknown Source)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] at com.vmware.vim25.mo.ServiceInstance.<init>(Unknown Source)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] at com.q1labs.semsources.sources.vmware.api.VmApi.init(VmApi.java:90)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] ... 4 more
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] com.q1labs.semsources.sources.vmware.EMCVmWareProtocol: [DEBUG] EMC Vm Ware Protocol Provider 'class com.q1labs.semsources.sources.vmware.VmWareAPIProvider6' changed state from STARTING to STOPPED.
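
A read-only triage check for the condition described above, as an added example that is not IBM's code. The function names are hypothetical, the sample log is constructed, and treating any build stamp at or after the fixed build as fixed is an assumption.

```shell
#!/bin/sh
# Added example for APAR IJ32029; function names are hypothetical.

# Classify one package name as printed by `rpm -qa` (a trailing .rpm is accepted).
classify_rpm() {
    name=${1%.rpm}; name=${name%.noarch}
    case "$name" in
        PROTOCOL-EMCVMWareProtocol-7.3-20200916171440|\
        PROTOCOL-EMCVMWareProtocol-7.4-20200916171516) echo affected; return ;;
    esac
    rest=${name#PROTOCOL-EMCVMWareProtocol-}      # e.g. 7.4-20210913151257
    build=${rest#*-}; branch=${rest%%-*}
    case "$branch" in
        7.3) fixed=20210913151300 ;;
        7.4) fixed=20210913151257 ;;
        *)   echo unlisted; return ;;
    esac
    case "$build" in ''|*[!0-9]*) echo unlisted; return ;; esac
    # Assumption: a build stamp at or after the fixed build carries the fix.
    if [ "$build" -ge "$fixed" ]; then echo fixed; else echo unlisted; fi
}

# Count stdin lines carrying the dom4j class-conflict signature quoted in the APAR.
count_dom4j_conflict() {
    grep -cF 'org.dom4j.DocumentFactory incompatible with org.dom4j.DocumentFactory' || true
}

# Constructed sample input (not captured from a real system).
sample_log() {
    cat <<'EOF'
[ecs-ec-ingress.ecs-ec-ingress] [Thread-246] Caused by: java.rmi.RemoteException: VI SDK invoke exception:java.rmi.RemoteException: VI SDK invoke exception:org.dom4j.DocumentException: org.dom4j.DocumentFactory incompatible with org.dom4j.DocumentFactory
[ecs-ec-ingress.ecs-ec-ingress] [Thread-246] at com.vmware.vim25.ws.WSClient.invoke(Unknown Source)
[ecs-ec-ingress.ecs-ec-ingress] [Thread-12] unrelated constructed line
EOF
}

for p in PROTOCOL-EMCVMWareProtocol-7.4-20200916171516.noarch \
         PROTOCOL-EMCVMWareProtocol-7.4-20210913151257.noarch; do
    printf '%s\t%s\n' "$(classify_rpm "$p")" "$p"
done
printf 'dom4j conflict lines: %s\n' "$(sample_log | count_dom4j_conflict)"
```

On a Console, pass each line of `rpm -qa | grep -i emcvmwareprotocol` to `classify_rpm` and redirect `/var/log/qradar.log` into `count_dom4j_conflict`; a non-zero count alongside an `affected` package matches this APAR.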
    

Local fix

  • The workaround is QRadar version dependent.
    NOTE: Restarting the ecs-ec-ingress service stops event collection.
    https://www.ibm.com/support/pages/qradar-core-services-and-impact-when-restarted

    For QRadar 7.4.x:
    Remove the file /opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/dom4j.jar
    Restart ecs-ec-ingress (Admin > Advanced > Restart Event Collection Service)

    For QRadar 7.3.x:
    Remove the file /opt/ibm/si/services/ecs-ec-ingress/current/bin/dom4j-1.3.jar
    Restart ecs-ec-ingress (version 7.3.1 and newer: Admin > Advanced > Restart Event Collection Service)
    

Problem summary

  • Resolves an issue where Log Sources configured to use the VMware
    protocol can stop working and display "Invalid Credentials when
    initializing EMCVmWareProtocol" after installing a new
    EMCVmware protocol rpm manually or via the AutoUpdate feature in
    QRadar.

    Affected Protocol RPM versions:
    PROTOCOL-EMCVMWareProtocol-7.3-20200916171440.noarch.rpm
    PROTOCOL-EMCVMWareProtocol-7.4-20200916171516.noarch.rpm

    This fix is available in the weekly auto update for 6 October
    2021 and in the following RPM(s) on IBM Fix Central:
    PROTOCOL-EMCVMWareProtocol-7.3-20210913151300.noarch.rpm
    PROTOCOL-EMCVMWareProtocol-7.4-20210913151257.noarch.rpm
    

Problem conclusion

  • This fix is available in the weekly auto update for 6 October
    2021 and in the following RPM(s) on IBM Fix Central:
    PROTOCOL-EMCVMWareProtocol-7.3-20210913151300.noarch.rpm
    PROTOCOL-EMCVMWareProtocol-7.4-20210913151257.noarch.rpm
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ32029

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    730

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-04-09

  • Closed date

    2021-10-26

  • Last modified date

    2021-10-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels


Document Information

Modified date:
27 October 2021