IBM Support

QRadar: Patch update failed with error "Found that some security profiles are assigned only deleted domains"

Troubleshooting


Problem

A QRadar patch update fails due to a precheck that checks the Security profiles. From QRadar 7.4.3 and later, there must not exist a security profile not assigned to an active domain.

Symptom

In the /var/log/setup-xxx/patches.log file, the following error is displayed:
[QRADAR-2843] [ ] Checking the association between security profiles and domains...
The system detected an issue that indicates a misconfiguration.
Found that some security profiles are assigned only deleted domains.
Security profile [<Security Profile Name>] is only assigned deleted domains. Assign [<Security Profile Name>] an active domain, or delete [<Security Profile Name>] to continue 
Correct the domains assigned to the security profiles listed above and run the patch again

Cause

When a domain is deleted, the Security profile assigned to that domain has to either be reassigned to another domain or be deleted.

Diagnosing The Problem

Note: Test1 is used as example of an orphaned security profile. The administrators must use the security profile reported by the patch on their systems.
  1. Log in to the QRadar Console as an administrator.
  2. Click the Admin tab.
  3. Click Security Profiles.
  4. In the left pane, select the security profile reported by the patch.
  5. In the Summary tab, the message "At least one domain item must be assigned" is displayed.

    Figure01
     

Resolving The Problem

As reported by the patch, there are 2 options to resolve the issue, reassign the security profile to an active domain when required, or delete it when it is not required.
Reassign the Security Profile to an active Domain
  1. Log in to the QRadar Console as an administrator.
  2. Click the Admin tab.
  3. Click Security Profiles.
  4. In the left pane, select the security profile reported by the patch.
  5. In the right pane, select the Domains tab.
  6. In the domain list, select an existing domain.
    Note: In this technote, "Test2" is an active domain. The administrators must choose an active domain on their systems.
  7. Click the > button to assign the conflicting security profile to an active domain.
  8. Click Save.

    Figure02
     
Delete the Security Profile
  1. Log in to the QRadar Console as an administrator.
  2. Click the Admin tab.
  3. Click Security Profiles.
  4. In the left pane, select the security profile reported by the patch.
  5. In the top menu, click Delete.
  6. Click Save.

    Figure03
     

Results
The administrators can run the QRadar patch again and it passes the error.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtdAAA","label":"Upgrade"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.4.3;and future releases"}]

Document Information

Modified date:
27 April 2022

UID

ibm16572645

Page Feedback