IBM Support

QRadar: Unable to SSH from a managed host to the Console QRadar 7.2.0 to 7.2.4

Troubleshooting


Problem

The managed hosts are unable to communicate with the Console.

Symptom

The QRadar managed host displays the following error:


Deploy Global Set:  Cannot download file /store/configservices/configurationsets/globalset_list.xml from the console (count 1). Exit Code 1
ERROR:  Permission denied, please try again.
ERROR: Permission denied (publickey,password).

Cause

The failure to download files from the Console appliance is most likely due to an SSH key problem or to permission settings on files.

Environment

QRadar 7.2.0 to 7.2.4

Note: The instructions described in this article do not apply to QRadar 7.2.5 and above.

Diagnosing The Problem

QRadar uses SSH for communication between managed hosts, so this communication must not be blocked by firewalls. SSH communication must be bi-directional between the QRadar Console and managed hosts over TCP port 22.

About key authentication for SSH

To ease communications between managed hosts, public key and private key authentication is used. The authentication files are kept in the /root/.ssh directory. The permissions set on the .ssh directory should be drwx------. If the permissions are wrong, the administrator should correct them using chmod 700 /root/.ssh.

The four files found in .ssh (with the expected permissions) are:

| File | Permission | Description |
|---|---|---|
| id_rsa | -rw------- | This is the root user's private key file. This file must reside on the box you are connecting from. |
| id_rsa.pub | -rw------- | This is the root user's public key file. This file must be copied to boxes that you want to connect to using SSH. |
| authorized_keys | -rw------- | This file contains copies of user(s) .pub files and is used to authenticate incoming users. |
| known_hosts | -rw------- | This file contains copies of host(s) .pub files that the user has connected to. |


If the console cannot connect to itself without a password, the id_rsa.pub file is not in authorized_keys.

There are two options that an administrator can choose:

  1. To repair authorized_keys on the console, type: cat id_rsa.pub >> authorized_keys
    This appends id_rsa.pub to the end of authorized_keys without overwriting other keys.
  2. Optionally, type: cp id_rsa.pub authorized_keys
    This option overwrites authorized_keys and leaves only the root user's .pub key in it.

If you need to remove individual keys from authorized_keys, use vi or another text editor.

When you add a managed host, QRadar will normally copy id_rsa, id_rsa.pub, and authorized_keys from /root/.ssh on the QRadar console to /root/.ssh on the managed host.

Note: You might see id_dsa and id_dsa.pub instead of id_rsa and id_rsa.pub. These are key files which use the Digital Signature Algorithm instead of the RSA algorithm.

Resolving The Problem

Make sure the /root and /root/.ssh/ directories have the correct permissions.
Also make sure the files inside the /root/.ssh/ directory have the correct permissions.

Note: This solution only works for 7.2.0 through 7.2.4. In 7.2.5 and greater, for enhanced security, password-less SSH is only allowed from the console to the managed hosts.
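
An added example, not part of the original technote: a bash function that checks an SSH directory against the modes listed in this article and confirms that id_rsa.pub is present in authorized_keys. The function name check_ssh_dir and its optional directory argument are assumptions made for this example, and it relies on GNU stat.

```bash
#!/bin/bash
# Added example: audit an SSH directory against the modes listed in this article.
# Usage (after sourcing this file): check_ssh_dir [DIR]   DIR defaults to /root/.ssh
# Returns 0 if everything matches, 1 on a finding, 2 if DIR cannot be read.

check_ssh_dir() {
    local dir="${1:-/root/.ssh}" rc=0 f mode key

    # The .ssh directory itself must be drwx------ (700).
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || { echo "MISSING $dir"; return 2; }
    if [ "$mode" != "700" ]; then
        echo "BAD  $dir mode $mode, expected 700 (fix: chmod 700 $dir)"
        rc=1
    fi

    # Each of the four files is expected to be -rw------- (600).
    for f in id_rsa id_rsa.pub authorized_keys known_hosts; do
        [ -e "$dir/$f" ] || { echo "NOTE $dir/$f not present"; continue; }
        mode=$(stat -c '%a' "$dir/$f")
        if [ "$mode" != "600" ]; then
            echo "BAD  $dir/$f mode $mode, expected 600"
            rc=1
        fi
    done

    # Password-less login to itself requires id_rsa.pub to be in authorized_keys.
    if [ -f "$dir/id_rsa.pub" ]; then
        # Compare on the base64 key body (field 2), ignoring the trailing comment.
        key=$(awk '{print $2; exit}' "$dir/id_rsa.pub")
        if [ -z "$key" ] || ! grep -qF -- "$key" "$dir/authorized_keys" 2>/dev/null; then
            echo "BAD  id_rsa.pub is not listed in $dir/authorized_keys"
            rc=1
        fi
    fi
    return $rc
}
```

Run it on both the Console and the managed host; any BAD line points at the permission or key that needs to be corrected.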




Procedure to re-create the SSH keys
  1. The key needs to be generated on the QRadar box, or the box you will SSH out of.
  2. The command to re-create the SSH keys is as follows: ssh-keygen -t rsa
    Accept the default location. You can change it, but it is easiest to use the default /root/.ssh/id_rsa.
  3. Do not enter a passphrase. It is optional; you can set one, but it is unnecessary.
  4. The authorized_keys file needs to be updated on the target SSH box.


Document Information

Modified date: 16 June 2018
UID: swg21902543