IBM Support

QRadar: Insights into the High CPU Usage with "java -jar /opt/qradar/jars/ibm-si-mks.jar decrypt_command_line"

Question & Answer


Question

What is the role of the java -jar /opt/qradar/jars/ibm-si-mks.jar decrypt_command_line process in the system, and why does it consistently utilize significant CPU resources?

Cause

Upon executing the top command on the system, one might notice that several processes consuming the highest CPU resources are associated with the process java -jar /opt/qradar/jars/ibm-si-mks.jar decrypt_command_line. This unexpected behavior raises concerns about the purpose of these processes, their functionality, and the underlying reasons for their high CPU utilization. Understanding these aspects is critical to diagnosing the issue and mitigating its impact on system performance.
Sample output of top command reflecting processes with High CPU consumption

Answer

When the top command shows that processes with the command java -jar /opt/qradar/jars/ibm-si-mks.jar decrypt_command_line are associated with high CPU usage, it indicates that these instances of the Master Key Service (MKS) are actively performing decryption tasks. There could be several reasons behind the same that one could take a look at:

  1. Frequent decryption requestsQRadar may be handling a large volume of encrypted data, such as log sources, credentials, or configuration updates, requiring frequent decryption. This could be related to scheduled tasks, integration with external data sources, or ongoing operations requiring decrypted values.

  2. Configuration Issues: Misconfigurations in QRadar (e.g., circular dependencies or incorrect settings in log source encryption) can lead to repeated or redundant decryption operations.

  3. Resource Bottlenecks: High CPU usage might result from a system that is under-resourced relative to the workload. Insufficient CPU cores or memory may amplify the impact of resource-intensive processes like decryption.

  4. Unoptimized Processes: The decryption process might involve poorly optimized or legacy code, leading to higher CPU consumption than necessary.

    By systematically analyzing the trigger instances and system behavior, one can identify the root cause and reduce the CPU utilization associated with these processes.

[{"Type":"MASTER","Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSV4BL","label":"IBM QRadar"},"ARM Category":[{"code":"a8m0z000000cwtiAAA","label":"Performance"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
21 July 2025

UID

ibm17179556

Page Feedback