IBM Support

QRadar Data Gateway: How to recover a private keystore file when accidentally deleted

How To


Summary

This article explains the steps to recover a private keystore file if there is an accidental deletion or regeneration of the default TLS Syslog certificate or private key files.

Steps

Perform the following steps to extract the key and certificates:

  1. Use SSH to log in to the Data Gateway appliance as the root user.
  2. Use SSH to log in to the managed host where the files (syslog-tls.cert or syslog-tls.key) were deleted from the default folder /opt/qradar/conf/trusted_certificates.
  3. To list the existing certificates and keys in the keystore, use the following command:
    keytool -list -v -keystore /opt/qradar/conf/syslog-tls.keystore -storepass syslog-tls
  4. To convert the Java keystore into p12 (PKCS12) format, type the following command. Use the same password.
    keytool -importkeystore -srckeystore /opt/qradar/conf/syslog-tls.keystore -storepass syslog-tls -srcalias syslog-tls -destkeystore syslog-tls.p12 -deststoretype PKCS12 -deststorepass syslog-tls -destkeypass syslog-tls
  5. Extract the private key from the p12 keystore.
    openssl pkcs12 -in syslog-tls.p12 -nodes -nocerts -out syslog-tls.key
    (If the command prompts for the keystore password, type syslog-tls)
  6. Extract the certificate from the p12 keystore.
    openssl pkcs12 -in syslog-tls.p12 -nokeys -out syslog-tls.cert

Results

The private keystore file is regenerated. Once the files are recreated, they can be copied to the destination folder: /opt/qradar/conf/trusted_certificates
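
Before the recovered files are copied, it is worth confirming that syslog-tls.key and syslog-tls.cert belong to each other and that the key, which -nodes writes unencrypted, is readable only by its owner. The script below is an added example, not an IBM-provided tool; the function names and the script name check_pair.sh are assumptions, and make_constructed_pair only builds throwaway sample input.

```shell
#!/usr/bin/env bash
# Added example (not IBM's script): confirm a recovered key/certificate pair
# belongs together before copying it into trusted_certificates.

# SHA-256 of the public key derived from a private key file.
key_digest() {
    local pub
    pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key embedded in a certificate file.
cert_digest() {
    local pub
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
check_recovered_pair() {
    local key=$1 cert=$2 kdig cdig
    kdig=$(key_digest "$key")   || { echo "unreadable private key: $key" >&2; return 2; }
    cdig=$(cert_digest "$cert") || { echo "unreadable certificate: $cert" >&2; return 2; }
    if [ "$kdig" != "$cdig" ]; then
        echo "MISMATCH: $key is not the key for $cert" >&2
        return 1
    fi
    # -nodes wrote the key unencrypted, so restrict it to its owner.
    chmod 600 "$key"
    echo "OK: public key sha256 $kdig"
}

# Constructed sample input: a throwaway self-signed pair named $2 in directory $1.
make_constructed_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-$2" \
        -keyout "$1/$2.key" -out "$1/$2.cert" 2>/dev/null
}

# Usage: ./check_pair.sh syslog-tls.key syslog-tls.cert
if [ "$#" -eq 2 ]; then
    check_recovered_pair "$1" "$2"
fi
```

A non-zero exit status means the files should not be copied: 1 indicates the key and certificate come from different pairs, 2 that one of them could not be parsed.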

Alternatively, it is also possible to regenerate the certificate and key files and to import them into the Java keystore by using available scripts on the QRadar host. 

Important: Do not run the following commands without an option (in this case -h), as doing so regenerates the certificate and key.

/opt/qradar/bin/syslog_tls_gen_cert.sh -h
/opt/qradar/bin/syslog_tls_import_cert.sh -h

Document Location

Worldwide


Document Information

Modified date:
26 May 2023

UID

ibm16989095