IBM Support

QRadar: Application installation displays 'An internal error occurred attempting to serve the Extension Management request'

Troubleshooting


Problem

Administrators who try to install or upgrade applications can experience the error "An internal error occurred attempting to serve the Extension Management request" in the Extension Management user interface. When this error is displayed, applications and content packs cannot be installed by using Extension Management because the keystore used for public signatures cannot be decoded. This technical note walks users through how to resolve the issue.

Symptom

When the administrator adds an application or content pack file in the extension management tool, the following error displays: An internal error occurred attempting to serve the Extension Management request.

Cause

The password of the extension validation keystore cannot be decrypted.

Diagnosing The Problem

The issue can be verified from the user interface or from the command line.

User Interface
  1. Log in to the QRadar Console as an administrator.
  2. Click the Admin tab.
  3. Click the Extensions Management icon.
  4. Click Add.
  5. Click Browse and navigate to find the extension.
  6. Select the Install immediately checkbox.
  7. Click Add to install the application.

    Result
    The error message "An internal error occurred attempting to serve the Extension Management request" is displayed.
Command line
Optional. Users with root access to the command line can review the qradar.log file to verify the application failed to install with an "Unable to validate signature" error message.
  1. Log in to the QRadar Console as the root user.
  2. Type the following command to search for the "Unable to validate signature" messages.
    grep -E 'Unable to validate signature' /var/log/qradar.log
    Output example:
    [tomcat.tomcat] [admin@xxxx.xxxx.xxxx (1133) /console/restapi/api/config/extension_management/extensions] 
    com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException: 
    Unable to validate signature of [/store/cmt/exports/IBM_QRadar_SOAR_v5.0.0.zip]

    Result
    In this example, the search located an 'Unable to validate signature' error related to an extension update.

Resolving The Problem

To resolve this issue, administrators can update the public keystore value on the Console. This procedure is always run on the Console, even if administrators have an App Host appliance installed.

Before you begin
Administrators can complete this procedure during a scheduled change window. This procedure restarts Tomcat, which logs off users, stops Log Activity exports, and prevents scheduled scans or reports from starting while the Tomcat service restarts.

Procedure
  1. Log in to the QRadar Console command line as the root user.
  2. Run the following commands on the Console to decrypt the keystore:
    PASS=$(perl -I /opt/qradar/lib/Q1/ -e "use auCrypto; use MIME::Base64; print Q1::auCrypto::encrypt(decode_base64('TlZAZnIzZDg4IQ=='));")
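    sed -i "s[EXTENSION_VALIDATION_KEYSTORE_PASSWORD=\(.*\)[EXTENSION_VALIDATION_KEYSTORE_PASSWORD=$PASS[" /store/configservices/staging/globalconfig/nva.conf
    # sed -i writes nothing to standard output, so read the updated line back from the file
    grep EXTENSION_VALIDATION_KEYSTORE_PASSWORD /store/configservices/staging/globalconfig/nva.conf
  3. Restart Hostcontext and Tomcat services: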
    systemctl stop hostcontext && systemctl restart tomcat && systemctl start hostcontext
  4. Log in to the user interface as an administrator.
  5. Click the Admin tab.
  6. Click Advanced > Deploy Full Configuration.
  7. Wait for the changes to deploy from the Console.
  8. Install the application from the Extension Management interface.

    Result
    The required application or content package is expected to complete the installation or update successfully. If you continue to experience application issues, contact QRadar Support for assistance.
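
Step 2 edits nva.conf in place with no backup. As an added example (not part of IBM's procedure), the shell function below makes the same single-key replacement but keeps a timestamped copy and checks the result; the name update_conf_key is hypothetical, and it assumes the key starts its line and appears exactly once.

```shell
#!/bin/sh
# Added example, not IBM's procedure: replace one KEY=VALUE line in a
# properties-style file, keeping a backup and verifying the edit.
# Assumption: the key starts its line and is defined exactly once.

# update_conf_key FILE KEY VALUE  (hypothetical helper name)
# The value reaches awk through the environment, so characters that are
# special inside a sed expression ('[', '&', '\', '/') are written literally.
update_conf_key() {
    local file="$1" key="$2" value="$3" count backup tmp
    # Refuse to edit unless the key is defined exactly once.
    count=$(grep -c "^${key}=" "$file") || true
    if [ "${count:-0}" -ne 1 ]; then
        echo "expected one ${key}= line in ${file}, found ${count:-0}" >&2
        return 1
    fi
    # Keep a timestamped copy so the previous value can be restored.
    backup="${file}.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$file" "$backup" || return 1
    tmp=$(mktemp) || return 1
    CONF_KEY="$key" CONF_VAL="$value" awk '
        index($0, ENVIRON["CONF_KEY"] "=") == 1 {
            print ENVIRON["CONF_KEY"] "=" ENVIRON["CONF_VAL"]; next
        }
        { print }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place (not mv) so the file keeps its owner and mode.
    cat "$tmp" > "$file" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    # Confirm the new line is present and that no other line changed.
    grep -qxF -- "${key}=${value}" "$file" || return 1
    [ "$(diff "$backup" "$file" | grep -c '^[<>]')" -le 2 ] || return 1
    # Print the backup path for the change record.
    echo "$backup"
}
```

With $PASS set as in step 2, it would be called as update_conf_key /store/configservices/staging/globalconfig/nva.conf EXTENSION_VALIDATION_KEYSTORE_PASSWORD "$PASS"; it prints the path of the backup copy.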

Document Location

Worldwide

Product: IBM Security QRadar SIEM
Platform: Linux
Version: 7.4.3 and future releases

Document Information

Modified date:
25 April 2023

UID

ibm16980767