IBM Support

IJ44076: AFTER UPGRADING TO QRADAR 7.5.0, KNOWN_HOSTS KEYS CAN BE REMOVED UNEXPECTEDLY CAUSING SSH ERRORS


APAR status

  • Closed as program error.

Error description

  • Users reported that after an upgrade to QRadar 7.5.0 UP2 or
    later, known_hosts entries can be removed when a host is
    unreachable or does not respond in a timely manner to the
    ssh-keyscan tool. SSH connections are then temporarily
    unavailable until the known hosts list is regenerated.
    
    Users who experience this issue can have problems with SSH and
    with adding managed hosts or Data Gateway appliances for QRadar
    on Cloud.
    
    Environment
    - Have a deployment with a Console and encrypted managed hosts.
    - Upgrade to QRadar 7.5.0 UP2 or later. This issue was reported
      in QRadar 7.5.0 UP2, 7.5.0 UP3, and 7.5.0 UP4 versions.
    - SSH is not available from the Console to the managed host and
      a 'Host key verification failed' message is displayed.
    

Local fix

  • To recreate the known_hosts list on the Console, type the
    following command:
    
    ssh-keyscan -t ecdsa IPOFHOST >> /root/.ssh/known_hosts
    
    For example, SSH is unavailable from the Console after an
    upgrade of a managed host with an IP address of 10.1.1.1. The
    Console must have keys to communicate to the managed host,
    otherwise a 'Host key verification failed' error is displayed.
    Typing the following command on the Console resolved the issue:
    
    ssh-keyscan -t ecdsa 10.1.1.1 >> /root/.ssh/known_hosts
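
    A guarded form of the workaround above, as an added example (not IBM code): it rewrites known_hosts only when the scan returned a well-formed ECDSA key, so an unreachable host cannot cost an existing entry, and it replaces the host's old line instead of appending a duplicate. The function name, the script name and the unhashed "host keytype key" entry format are assumptions.

```shell
#!/bin/sh
# Added example, not IBM code. Assumes unhashed known_hosts entries with a
# single host name or IP in the first field (the format ssh-keyscan emits).

# update_known_host KNOWN_HOSTS HOST SCAN_FILE
#   SCAN_FILE holds the stdout of "ssh-keyscan -t ecdsa HOST".
#   Returns 0 after replacing HOST's ECDSA entry, 1 if the scan held no
#   usable key (KNOWN_HOSTS is then left untouched).
update_known_host() {
    kh=$1 host=$2 scan=$3

    # Accept only well-formed ECDSA key lines for the requested host.
    new=$(awk -v h="$host" '$1 == h && $2 ~ /^ecdsa-sha2-/ && NF >= 3' "$scan")
    if [ -z "$new" ]; then
        echo "no ECDSA key returned for $host; $kh left unchanged" >&2
        return 1
    fi

    # Build the new file beside the old one and swap it in with mv, so an
    # interrupted run never leaves a truncated known_hosts.
    tmp=$(mktemp "${kh}.XXXXXX") || return 1
    {
        # Keep every line except this host's previous ECDSA entry.
        [ -f "$kh" ] && awk -v h="$host" '!($1 == h && $2 ~ /^ecdsa-sha2-/)' "$kh"
        printf '%s\n' "$new"
    } > "$tmp"
    chmod 600 "$tmp" && mv "$tmp" "$kh"
}

# Stand-alone use (script name is hypothetical):
#   sh refresh_known_host.sh /root/.ssh/known_hosts 10.1.1.1
if [ "$#" -eq 2 ]; then
    scan=$(mktemp) || exit 1
    # -T 10: give a slow host ten seconds before giving up.
    ssh-keyscan -T 10 -t ecdsa "$2" > "$scan" 2>/dev/null
    # Print the fingerprint so it can be compared with the one shown on the
    # managed host itself before the key is trusted.
    ssh-keygen -lf "$scan" 2>/dev/null
    update_known_host "$1" "$2" "$scan"; rc=$?
    rm -f "$scan"
    exit "$rc"
fi
```

    If the entries are hashed, remove the stale one with ssh-keygen -R instead of the awk filter.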
    

Problem summary

  • This issue has been resolved in QRadar 7.5.0 Update Package 6.
    

Problem conclusion

  • This issue has been resolved in QRadar 7.5.0 Update Package 6.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ44076

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    750

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2022-11-01

  • Closed date

    2023-06-26

  • Last modified date

    2023-06-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels


Document Information

Modified date:
26 June 2023