IBM Support

QRadar: Common issues and troubleshooting for auto update version 9.11

Troubleshooting


Problem

On 8 November 2021, the QRadar development team released auto update version 9.11 for QRadar Consoles. If you are on auto update version 9.9 or earlier, you might experience auto update download errors. Administrators who experience issues with their auto update servers can review this technical note to confirm their auto update version.
 
 
What's new in auto update V9.11
  • Added an intermediate certificate named au-cert-chain.pem, replacing au-cert.pem.
  • Improves installation dependencies and RPM conflict resolution when updates run.
  • Reduces wait times for failed downloads.
  • Other small quality of life improvements.

Symptom

Administrators who manually install RPMs or use a version of auto update before 9.10 can experience errors connecting to the IBM Cloud. The latest version of auto update, 9.11, requires a new intermediate certificate chain PEM file to retrieve the latest auto updates.
  1. Log in to the Console as an administrator.
  2. In the Admin tab, click the Auto Update icon and select View Log.
  3. Verify the automatic update history to determine the cause of the installation error.

Cause

  1. Administrators on auto update version 9.9 or earlier must update to 9.11 or later using the AUProxyFP-9.11 from IBM Fix Central.
    Or
  2. Administrators on auto update version 9.10 might need to replace their au-cert file with a new version for updates to download.

Diagnosing The Problem

How to confirm your auto update version
Administrators must verify their auto update version before they attempt to resolve their auto update issues.
  1. Use SSH to log in to the QRadar Console as the root user.
  2. To view your auto update version, type:
    /opt/qradar/bin/UpdateConfs.pl -v
  3. The output displays the current version installed on the Console. For example,
    [root@qradar-lab ~]# /opt/qradar/bin/UpdateConfs.pl -v
    9.16
  4. Review the resolution section for your auto update version.

Resolving The Problem

Auto update 9.9 or earlier: "Could not retrieve signature for manifest errors"

Administrators on auto update version 9.9 or earlier can experience connection issues due to deprecated GPG keys. When older versions of auto update software attempt to connect to IBM Cloud, a 'Could not retrieve signature for manifest file' error occurs. To resolve this error, administrators can run the QRadar-AUProxyFP utility from IBM Fix Central.

Error log example

Fri Nov 5 10:30:06 2021 [DEVEL] Downloading "dau/dau.manifest.xml.asc" and placing in "/store/autoupdates/".
Fri Nov 5 10:30:06 2021 [DEVEL] Attempting to retrieve https://auto-update.qradar.ibmcloud.com/dau/dau.manifest.xml.asc?version=7.4.3&customer=Example%20ExampleCorp.&lastau=0&lastpatch=0&vendor=Q1%20Labs
Fri Nov 5 10:30:06 2021 [INFO] Could not retrieve "dau/dau.manifest.xml.asc": 404 Not Found
Fri Nov 5 10:30:06 2021 [ERROR] Could not retrieve signature for the manifest file.

Procedure
  1. Use SSH to log in to the QRadar Console as the root user.
  2. Navigate to the /var/log/autoupdates directory.
  3. To locate the latest auto update log, type:
    ls -lart
    The output displays the auto update logs by date. For example,
    [root@qradar-lab]# ls -lart
    drwxr-xr-x   2 root root   66 Nov 11 15:40 AU-1636662807
    drwxr-xr-x   2 root root   66 Nov 10 15:40 AU-1631778909
    drwxr-xr-x   2 root root   66 Nov 09 15:40 AU-1636490007
  4. Navigate to the directory with the most recent auto update log by date.
  5. Review the log for error messages. For example,
    less AU-1636662807.log | grep 'Could not retrieve signature'
    
    Important: If the auto update version is 9.9 or earlier and the signature error is present in your auto update log, run the AUProxyFP-9.11 update.
  6. Download the Auto Update Fix Pack utility from IBM Fix Central to your laptop or workstation: AUProxyFP.tgz.
  7. Copy the file to a directory of the QRadar Console, such as /root, /tmp, or /storetmp.
  8. Navigate to the directory with the AUProxyFP.tgz file.
  9. Type the following command to extract the file:
    tar -zxvf AUProxyFP.tgz
    If you experience an issue extracting the file with the tar command, type:
    gunzip -c AUProxyFP.tgz | tar xvf -
  10. Type the following command to install the proxy fix pack:
    ./install.sh
  11. In the Admin tab, click the Auto Update icon and click Get New Updates.
  12. Optional. After you start the auto update request, you can confirm your auto update version is updated.
    [root@qradar-lab]# /opt/qradar/bin/UpdateConfs.pl -v
    9.10
    
    Results
    Wait for the auto update to run and confirm the update is successful. If you continue to experience errors, contact QRadar Support.

Auto update 9.10 and later: "Bad signature, Rejecting the manifest errors"

Administrators on auto update version 9.10 or later can experience an issue where the au-cert.pem file is an old version, which can cause the IBM Cloud server to return a 'Bad signature' error. If you experience this error, you can delete the au-cert.pem file from your Console and run a manual auto update.

Error log example

Mon Nov 8 03:08:11 2021 [DEVEL] Running: openssl x509 -in /tmp/au_cert -pubkey -noout > /tmp/au_pub
Mon Nov 8 03:08:11 2021 [DEVEL] openssl dgst -sha256 -verify /tmp/au_pub -signature /store/autoupdates/scripts/AUScripts.tgz.sig /store/autoupdates/scripts/AUScripts.tgz /var/log/autoupdates/AU-1636358882/AU-1636358882.log >> /var/log/autoupdates/AU-1636358882/AU-1636358882.log 2>&1
Mon Nov 8 03:08:11 2021 [DEVEL] Output of verification command above: Verification Failure
Mon Nov 8 03:08:11 2021 [ERROR] Bad signature! Rejecting the manifest, aborting
Mon Nov 8 03:08:11 2021 [ERROR] Could not verify the authenticity of scripts/AUScripts.tgz.
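
The two openssl steps in the log above (extract the public key from the certificate, then verify the detached SHA-256 signature) can be reproduced offline. This is an added example, not IBM code: the keys, certificates and package are constructed stand-ins, the function and file names are hypothetical, and it assumes the failure comes from a stored certificate whose public key no longer matches the key that signed the package.

```shell
#!/bin/sh
# Added example, not IBM code. All keys, certificates and files are constructed.

# make_signer DIR NAME -> self-signed certificate DIR/NAME.pem and key DIR/NAME.key
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# sign_package KEY FILE -> writes the detached SHA-256 signature FILE.sig
sign_package() {
    openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

# verify_package CERT FILE -> exit 0 only if FILE.sig verifies under CERT's key.
# Same two commands as the log: x509 -pubkey, then dgst -sha256 -verify.
verify_package() {
    pub=$(mktemp) || return 2
    if openssl x509 -in "$1" -pubkey -noout > "$pub" &&
       openssl dgst -sha256 -verify "$pub" -signature "$2.sig" "$2" >/dev/null 2>&1
    then rc=0
    else rc=1
    fi
    rm -f "$pub"
    return $rc
}

demo() {
    d=$(mktemp -d) || return 2
    make_signer "$d" old-cert    # stand-in for the stale certificate on disk
    make_signer "$d" new-cert    # stand-in for the certificate that matches the signer
    printf 'constructed package contents\n' > "$d/pkg.tgz"
    sign_package "$d/new-cert.key" "$d/pkg.tgz"
    for c in old-cert new-cert; do
        if verify_package "$d/$c.pem" "$d/pkg.tgz"
        then echo "$c: Verified OK"
        else echo "$c: Verification Failure"
        fi
    done
    rm -rf "$d"
}
demo
```

The package and its signature are identical in both checks; only the certificate used for verification changes the result.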

Procedure
  1. Use SSH to log in to the QRadar Console as the root user.
  2. Navigate to the /store/autoupdates directory.
  3. Remove the au-cert.pem file. For example,
    rm au-cert.pem
  4. Run an auto update to receive an updated au-cert-chain.pem file.
    1. In the Admin tab, click the Auto Update icon and click Get New Updates.
      Or
    2. To start an auto update from the command line, type:
      /opt/qradar/bin/UpdateConfs.pl -ds runnow 1
Results
When the Console connects to the auto update server, it replaces the removed au-cert file with a new file named au-cert-chain. Wait for the auto update to run. If the auto update fails, administrators can run the AUProxyFP-9.11 utility. For information on running AUProxyFP-9.11, see Auto update 9.9 or earlier: "Could not retrieve signature for manifest errors" in this technical note. If you continue to experience errors, contact QRadar Support.
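
The log checks from both procedures in this note can be scripted: find the newest auto update log, match it against the two error strings, and pick the resolution by version. This is an added example, not IBM code: the function names and output strings are hypothetical, and the sample log tree is constructed.

```shell
# Added example, not IBM code: scripted form of the manual log triage.

# Newest AU-* directory by modification time, the ordering `ls -lart` shows.
latest_au_log() {
    newest=$(ls -1dt "$1"/AU-* 2>/dev/null | head -n 1)
    [ -n "$newest" ] || return 1
    printf '%s/%s.log\n' "$newest" "$(basename "$newest")"
}

# Map a log file to one of the two error strings quoted in this note.
classify_au_log() {
    if grep -q 'Could not retrieve signature for the manifest file' "$1"; then
        echo manifest-signature-missing
    elif grep -q 'Bad signature! Rejecting the manifest' "$1"; then
        echo bad-signature
    else
        echo none
    fi
}

# Compare each field as an integer: 9.10 is later than 9.9, which a decimal
# or string comparison gets wrong.
is_9_9_or_earlier() {
    major=${1%%.*}; minor=${1#*.}
    [ "$major" -lt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -le 9 ]; }
}

# recommend VERSION CLASS -> which resolution in this note applies.
recommend() {
    if [ "$2" = none ]; then echo "no matching error in log"
    elif is_9_9_or_earlier "$1"; then echo "run AUProxyFP-9.11"
    elif [ "$2" = bad-signature ]; then echo "remove au-cert.pem and rerun auto update"
    else echo "no resolution in this note"
    fi
}

# Constructed sample tree standing in for /var/log/autoupdates.
make_sample() {
    mkdir -p "$1/AU-1000000001" "$1/AU-1000000002"
    echo '[ERROR] Could not retrieve signature for the manifest file.' > "$1/AU-1000000001/AU-1000000001.log"
    echo '[ERROR] Bad signature! Rejecting the manifest, aborting' > "$1/AU-1000000002/AU-1000000002.log"
    touch -t 202111091540 "$1/AU-1000000001"
    touch -t 202111111540 "$1/AU-1000000002"
}

tmp=$(mktemp -d) && make_sample "$tmp" && log=$(latest_au_log "$tmp") &&
    echo "$log -> $(recommend 9.10 "$(classify_au_log "$log")")"
rm -rf "$tmp"
```

On a Console, pass /var/log/autoupdates to latest_au_log and the output of /opt/qradar/bin/UpdateConfs.pl -v to recommend in place of the constructed values.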

Document Location

Worldwide


Document Information

Modified date:
20 December 2022

UID

ibm16515880