IBM Support

QRadar: Packet Capture continuum user account password reset

Question & Answer


Question

How do you change the password on the packet capture appliance?

Answer

After patching to QRadar Packet Capture version 7.2.8, it has been observed that the PCAP User Interface fails after user authentication credentials are entered.
An error message is displayed in the logs similar to:
Can't establish connection to the server <pcap_ip>:<port>


Changing the PCAP Password QRadar 7.2.8 and above


There have been many changes between versions of the PCAP software, and patches tend to reset the username or password to the defaults: continuum and "P@ck3t08..".

Please be sure that any custom user accounts on the PCAP have been recreated. This procedure will allow you to change the default password and add users and passwords.
Log in to the PCAP appliance on port 4477 using an SSH session by typing the command:
ssh -p 4477 Appliance_IP_address
Note:
You might need to use the default username and password.

To replace the default password with your own, first delete the continuum user with the command:
/usr/local/nc/bin/nc_user_manager delete continuum
continuum has been deleted
 
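Users can then add the account again with the new password by using the command:
/usr/local/nc/bin/nc_user_manager add continuum "$(read -r -e -p "Password: " -s pass; echo "$pass")" Admin
continuum has been added
 
This section of the command, $(read -r -e -p "Password: " -s pass; echo "$pass"), allows the customer to type their password without it being echoed to the screen or kept in the bash history. The -r option and the double quotes keep backslashes, spaces and wildcard characters in the password intact. The password is still passed to nc_user_manager as a command-line argument, so it is visible in the process list while the command runs.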
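
A wrapper for the delete and add steps above that checks the new password before the existing account is removed, so that an empty, mistyped or still-default password is caught first. This is an added example, not IBM's code; the NC_USER_MANAGER override, the function names, and the assumption that nc_user_manager exits non-zero on failure are not from the page.

```sh
#!/bin/sh
# Added example, not IBM's code. The tool path, account name, role and default
# password come from the page; everything else is an assumption of this sketch.
NC_USER_MANAGER="${NC_USER_MANAGER:-/usr/local/nc/bin/nc_user_manager}"
DEFAULT_PW='P@ck3t08..'

# Return 0 only if the candidate is usable:
# 1 = empty, 2 = confirmation mismatch, 3 = unchanged default password.
check_new_password() {
    new="$1"; confirm="$2"
    [ -n "$new" ] || { echo "empty password" >&2; return 1; }
    [ "$new" = "$confirm" ] || { echo "passwords do not match" >&2; return 2; }
    [ "$new" != "$DEFAULT_PW" ] || { echo "still the default password" >&2; return 3; }
    return 0
}

# Delete the account and add it again with the new password and role.
# Quoting keeps a password with spaces or wildcards as one argument.
# Assumption: nc_user_manager exits non-zero when an operation fails.
reset_pcap_user() {
    user="$1"; pw="$2"; role="${3:-Admin}"
    "$NC_USER_MANAGER" delete "$user" || return 1
    "$NC_USER_MANAGER" add "$user" "$pw" "$role"
}

# Interactive entry point: runs only when the script is called with --run.
if [ "${1:-}" = "--run" ]; then
    trap 'stty echo' 0 INT TERM          # always restore terminal echo
    stty -echo                           # do not show the password on screen
    printf 'New password: '; IFS= read -r pw1; echo
    printf 'Confirm: ';      IFS= read -r pw2; echo
    stty echo
    check_new_password "$pw1" "$pw2" && reset_pcap_user continuum "$pw1" Admin
fi
```

Run it on the appliance with --run as its only argument; the account is left untouched unless both entries match and differ from the default.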


 

Once the PCAP users have been fixed, the PCAP password will need to be re-entered for the Forensics managed host under Component Management so it can be re-encrypted. To do this:
 
  1. Log in to the QRadar Console UI.
  2. Open the Admin settings:  
    1. In IBM Security QRadar V7.3.1, click the navigation menu ☰ , and then click Admin to open the Admin tab.
    2. In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
  3. Click System and License Management.
  4. Highlight each type 6000 Appliance.
  5. From the Deployment Actions pull-down menu, select Edit Host.
  6. Click the Gear next to Component Management.
  7. Re-enter each PCAP password.
  8. Click Save.
Results: You have changed the PCAP password.



Document Information

Modified date:
28 October 2020

UID

swg22001341