IBM Support

QRadar: Configuration restore in 7.4.3 versions can fail when the backup cannot decrypt files (IJ37604)

Flashes (Alerts)


Abstract

IBM is notifying QRadar V7.4.3 administrators of an issue where a configuration restore cannot be successfully decrypted, leading to user interface issues. This technical note explains the error and raises administrators' awareness of the workaround file provided for APAR IJ37604.

Content

Technical note updates


  • 11 February 2022 1:30 PM EDT: Initial notice to administrators.

About

Administrators who restore a configuration backup to a QRadar Console that was reinstalled or rebuilt, or who restore one during a hardware migration, can experience an error where the configuration restore file cannot be decrypted properly. When a configuration restore fails, a 'CryptoException: Failed to decrypt data' message is displayed in the logs, and information required by services is not available during the restore process, leading to user interface issues.

This issue affects administrators attempting to complete the following actions:
  1. Restoring a V7.4.3 configuration file to a newly rebuilt or reinstalled Console.
  2. Restoring a V7.4.3 configuration file from an old Console to a new Console during a hardware migration.

The following message is displayed in /var/log/qradar.log when a configuration restore fails to decrypt:
com.q1labs.frameworks.crypto.DecryptException: com.ibm.si.mks.CryptoException: Failed to decrypt data
[hostcontext.hostcontext] [pool-2-thread-1] at com.q1labs.frameworks.crypto.CryptoUtils.decrypt(CryptoUtils.java:56)
[hostcontext.hostcontext] [pool-2-thread-1] com.ibm.si.mks.CryptoException: Failed to decrypt data
[hostcontext.hostcontext] [pool-2-thread-1] at com.ibm.si.mks.KeyStoreCrypto.decrypt(KeyStoreCrypto.java:385)
[hostcontext.hostcontext] [pool-2-thread-1] at com.ibm.si.mks.Crypto.decrypt(Crypto.java:70)
[hostcontext.hostcontext] [pool-2-thread-1] at com.q1labs.frameworks.crypto.CryptoUtils.decrypt(CryptoUtils.java:53)
[hostcontext.hostcontext] [pool-2-thread-1] at javax.crypto.Cipher.a(Unknown Source)
[hostcontext.hostcontext] [pool-2-thread-1] at javax.crypto.Cipher.init(Unknown Source)
[hostcontext.hostcontext] [pool-2-thread-1] at javax.crypto.Cipher.init(Unknown Source)
[hostcontext.hostcontext] [pool-2-thread-1] at com.ibm.si.mks.KeyStoreCrypto.decrypt(KeyStoreCrypto.java:376)
java.io.IOException: Integrity check failed: java.security.UnrecoverableKeyException: Failed PKCS12 integrity checking
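As an added example that is not part of the technical note or of the ConfigRestore_IJ37604.sh utility, the following POSIX shell script checks a QRadar log for the two messages quoted above (the CryptoException and the PKCS12 integrity failure), so an administrator can confirm that a failing restore matches this APAR before applying the workaround. The script name check_ij37604.sh, the function names, and the sample log (lines adapted from the excerpt above plus one constructed unrelated line) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the IBM technical note or the ConfigRestore_IJ37604.sh utility:
# scan a QRadar log for the two messages the note associates with a restore that cannot decrypt.

CRYPTO_PATTERN='com.ibm.si.mks.CryptoException: Failed to decrypt data'
PKCS12_PATTERN='Failed PKCS12 integrity checking'

# Count lines containing a fixed string; print 0 rather than fail on no match (safe under set -e).
count_matches() {
    grep -cF -- "$1" "$2" || true
}

# Return 0 and print a summary when both signatures are present, 1 when the log
# is clean, 2 when the file cannot be read.
check_restore_decrypt_failure() {
    log_file="$1"
    [ -r "$log_file" ] || { echo "cannot read $log_file" >&2; return 2; }
    crypto_hits=$(count_matches "$CRYPTO_PATTERN" "$log_file")
    pkcs12_hits=$(count_matches "$PKCS12_PATTERN" "$log_file")
    if [ "$crypto_hits" -gt 0 ] && [ "$pkcs12_hits" -gt 0 ]; then
        echo "IJ37604 signature in $log_file: $crypto_hits decrypt failure(s), $pkcs12_hits PKCS12 integrity failure(s)"
        return 0
    fi
    echo "no IJ37604 restore decryption signature in $log_file"
    return 1
}

# Write a constructed sample log to the given path: three lines adapted from the
# note's excerpt plus one unrelated line, for demonstration without a real log.
write_sample_log() {
    cat > "$1" <<'EOF'
[hostcontext.hostcontext] [pool-2-thread-1] com.q1labs.frameworks.crypto.DecryptException: com.ibm.si.mks.CryptoException: Failed to decrypt data
[hostcontext.hostcontext] [pool-2-thread-1] at com.ibm.si.mks.KeyStoreCrypto.decrypt(KeyStoreCrypto.java:385)
[hostcontext.hostcontext] [pool-2-thread-1] java.io.IOException: Integrity check failed: java.security.UnrecoverableKeyException: Failed PKCS12 integrity checking
[tomcat.tomcat] [main] Deployment completed successfully
EOF
}

# Stand-alone use: "sh check_ij37604.sh [logfile]" checks /var/log/qradar.log by
# default and falls back to the constructed sample when that log is not present.
target="${1:-/var/log/qradar.log}"
if [ -r "$target" ]; then
    check_restore_decrypt_failure "$target" || :
else
    sample=$(mktemp)
    write_sample_log "$sample"
    check_restore_decrypt_failure "$sample" || :
    rm -f "$sample"
fi
```

Both patterns must match for the check to report the issue, since a lone "Failed to decrypt data" line does not by itself indicate the PKCS12 keystore mismatch described in this note.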
 

Urgency


Important: Administrators who experience an issue restoring a configuration backup file need to apply the provided support utility on their Console appliance and create a new configuration backup. If you are on an affected version and plan to rebuild, reinstall, or migrate your Console, you must apply the ConfigRestore_IJ37604 utility and create a new 'On Demand' configuration backup before you decommission or reinstall your appliance. This technical note contains a support utility and procedures for administrators to follow before attempting to restore a QRadar V7.4.3 configuration backup. Administrators can subscribe to APAR IJ37604 to be alerted to a software release that resolves this reported issue.

 

Affected products


 
  • QRadar 7.4.3 Fix Pack 4 (2020.11.4.20211113154131)
  • QRadar 7.4.3 Fix Pack 4 Interim Fix 2 (2020.11.4.20211113154131-IF02-20211217105419)
  • QRadar on Cloud 7.4.3 Fix Pack 3
    Note: Fixes described in this technical note are applied to QRadar on Cloud Consoles. No action is required by QRadar on Cloud administrators.

Workaround

Administrators can apply the ConfigRestore_IJ37604.sh utility on the QRadar Console, then create a new configuration backup from the Admin tab to resolve the decryption error. On-demand configuration backups can impact performance, so administrators might need to wait until after core business hours before creating a new configuration backup.
  1. Download the support utility attached to this technical note to your local workstation: ConfigRestore_IJ37604.sh.
  2. Copy the file to the /storetmp directory on the QRadar Console.
  3. Using SSH, log in to the QRadar Console as the root user.
  4. Navigate to the /storetmp directory.
  5. To set permissions on the file, type:
     chmod +x ConfigRestore_IJ37604.sh
  6. To run the utility, type:
     sh ConfigRestore_IJ37604.sh
  7. If successful, the following output message is displayed:
     Added line to groupings.xml
  8. Log in to the QRadar Console as an administrator.
  9. On the navigation menu, click Admin.
  10. In the System Configuration section, click Backup and Recovery.
  11. From the toolbar, click On Demand Backup.
  12. Type a name and description for your backup file.
  13. Click Run Backup.
  14. Wait for the configuration backup to complete.

  Results
  If you need to restore a configuration backup to a Console that did not create the configuration backup file, you must run the ConfigRestore_IJ37604.sh utility on the destination Console. For more information, see Restoring a V7.4.3 configuration to a rebuilt, reinstalled, or new Console.

Restoring a V7.4.3 configuration to a rebuilt, reinstalled, or new Console

Administrators must run the ConfigRestore_IJ37604.sh utility on the destination appliance before restoring a configuration backup that was created on another Console. This procedure is required if you are reinstalling your Console, if Support rebuilt your Console, or if you are migrating to new hardware and need to restore a QRadar V7.4.3 configuration backup to the new Console hardware.

  1. Copy ConfigRestore_IJ37604.sh to the new Console appliance or reinstalled appliance.
     For example, from your source Console appliance, type: scp ConfigRestore_IJ37604.sh root@<TargetIP_address>:/storetmp
  2. On the destination host, navigate to the /storetmp directory.
  3. To run the utility on the new Console or reinstalled Console appliance, type:
     sh ConfigRestore_IJ37604.sh
  4. If successful, the following output message is displayed:
     Added line to groupings.xml
  5. Log in to the QRadar Console as an administrator.
  6. On the navigation menu, click Admin.
  7. In the System Configuration section, click Backup and Recovery.
  8. In the Upload Archive field, click Browse.
  9. Locate and select the archive file that you want to upload.
  10. Click Open.
  11. Click Upload.
  12. Select one of the following options to restore your backup configuration:

  Results
  Wait for the configuration restore to complete. After the configuration is restored to your system, ensure that you can log in to the QRadar Console without user interface issues and confirm that DSMs, rules, reference sets, and other information are successfully restored.

     

If you require further assistance

Administrators who experience issues with restoring a configuration backup on QRadar V7.4.3, or issues with the utility in the workaround, can open a support case for further assistance. You must include the following information so we can quickly identify and respond to your issue.
  • Title: 7.4.3 Restore QR11737
  • Severity: 2
  • Requested files:
    1. A configuration backup from your QRadar V7.4.3 Console.
    2. Logs from your Console.
    Note: Configuration backups can be downloaded from the user interface or retrieved from the /store/backup/ directory on the QRadar Console. Older log files are available in the /var/log/qradar.old directory on the Console.

We apologize for any inconvenience due to this issue. If you have questions about the contents of this technical note, contact QRadar Support.

- QRadar Support


Document Information

Modified date:
11 February 2022

UID

ibm16554538