IBM Support

QRadar: Failed to generate Keystore "Failed to generate keystore /etc/docker/tls/registry/docker-client-registry.p12"



Administrators receive a notification in the system notification menu related to the failure to generate the keystore file. When this error is present on the system, it can affect starting, stopping, updating, or installing applications.


In the System Notification menu, the following error is displayed:


After the QRadar version was updated, the system shows the error notification due to the keystore file was not created correctly or removed.


QRadar 7.4.0 and later.

Diagnosing The Problem

The issue can be verified in two ways (GUI and CLI).

In the GUI

  1. Log in to the QRadar Console GUI as the administrator user.
  2. Click the System Notification menu.
    bell Icon
  3. Click the Errors tab and the error "A keystore generation operation for the application framework failed. See the payload for specific details" is displayed.bell icon

In the CLI

  1. Log in to the QRadar Console as the root user.
  2. Run the grep command and search for the error message in /var/log/qradar.error.
    grep 'keyStore' /var/log/qradar.error
    Output Example
    [ERROR][-/- -]Failed to generate keystore /etc/docker/tls/registry/docker-client-registry.p12. 
    Failure reason Failed to insert application credential for docker-client-registry into the database
    [ERROR][-/- -]Unable to read keystore docker-client registry.p12
    [ERROR][-/- -]Unable to build ssl context for mutual tls, using keyStore [/etc/docker/tls/registry/docker-client-registry.p12]
    [-/- -] [pool-1-thread-1] keystore password was incorrect

Resolving The Problem

  1. Log in to the QRadar Console command line as the root user.
  2. Ensure docker-client-registry.p12 is present inside /etc/docker/tls/registry/:
    ls -l /etc/docker/tls/registry/
  3. Run the following script to regenerate the keystore file:
    /opt/qradar/bin/ -c /etc/docker/tls/registry/docker-client-registry.cert -k /etc/docker/tls/registry/docker-client-registry.key -s /etc/docker/tls/registry/docker-client-registry.p12
  4. Run the following command again inside /etc/docker/tls/registry/ to check whether the keystore regenerated successfully:
    ls -l /etc/docker/tls/registry/
    Output example

The docker-client-registry.p12 keystore file is present on the console. Wait for 24 hours and confirm that the system did not create a new notification regarding the keystore file. If the administrator continues to experience issues, contact QRadar Support for assistance.

Document Location


[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt3AAA","label":"QRadar Apps"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.4.3;and future releases"}]

Document Information

Modified date:
31 October 2022