IBM Support

QRadar: Log source using Log File SFTP protocol and SSH Key File shows error "invalid privatekey"

Troubleshooting


Problem

The following error is seen on a Log File protocol log source that uses SFTP and is configured with an SSH Key File:
Error: invalid privatekey: [B@19fa1e96

Symptom

  • The log source status is Error.
  • When the log source is tested with the Test tool in the Log Source Management app, the following output appears:
    Testing DNS resolution of [xxxxxx] - Passed
    - Successfully resolved [xxxxxx] to IP [x.x.x.x]
    
    Testing TCP connection to [xxxxxx:22] - Passed
    - Attempting TCP connection to [xxxxxx:22] with a timeout of 10000 ms
    - Successful TCP connection to [xxxxxx:22]
    
    Testing [SFTP] connection to [xxxxxx:22] - Failed
    - Using SSH key authenticating as <user>.
    - Connecting to 'xxxxxx' on port 22...
    - Error: invalid privatekey: [B@19fa1e96
    
    Validating remote directory [/folder] - Cancelled
    Validating file pattern [.*] - Cancelled
    Events (0):
    
    - Error: One or more tests have failed - cancelling sample event collection
  • The following error is logged in /var/log/qradar.error:
    Sep 13 16:10:44 <...> com.q1labs.semsources.sources.remote.testing.sftp.SFTPConnectionSubtester: [ERROR] com.jcraft.jsch.JSchException: invalid privatekey: [B@4f3bcaa2

Cause

The Log File protocol in QRadar uses the Java Secure Channel library (JSch) to open the SFTP connection.
OpenSSH 7.8 and later generate private keys in the newer OpenSSH key format by default, and the JSch version used by QRadar cannot parse that format, so the key is rejected as an invalid private key.
A key in the new OpenSSH format starts with the line:
-----BEGIN OPENSSH PRIVATE KEY-----

Resolving The Problem

To resolve the issue, convert the key from the OpenSSH format to the PEM (RSA) format that JSch accepts:
  1. SSH to the QRadar console.
  2. Move to the folder where you put the key for this log source configuration.
    cd /opt/qradar/conf/keys/
  3. Take a backup of the original key file.
    cp -p <key_file> /storetmp/ibm_support/certbackup
    Note: If the backup location does not exist, create the directory structure first.
  4. Change the key format by running the following command.
    ssh-keygen -p -f <key_file> -m pem -P "" -N ""
    Note: Replace <key_file> with the actual key name. The -P option is the key's current passphrase and -N is the new one; both are empty here because the key has no passphrase. After the command completes, the first line of the file reads -----BEGIN RSA PRIVATE KEY-----, which confirms the conversion.
  5. Update the key path field for log source configuration in the Log Source Management app with the new .pem key name.

    Result:
    The Log File SFTP log source is able to collect the logs without any error.
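The following check is an added example, not part of this IBM document or of QRadar. It reads a private key file's envelope and, for the new OpenSSH container, the unencrypted openssh-key-v1 preamble, so an administrator can tell before running the Test tool which keys under /opt/qradar/conf/keys are in the format JSch rejects, what key type they hold, and whether a passphrase would be needed for the ssh-keygen -P option. The sample-key builder and the placeholder PEM body are constructed for testing; the JSch behaviour assumed is the one the Cause section describes.

```python
import base64
import struct

OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_RSA_HEADER = "-----BEGIN RSA PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"  # opens the new OpenSSH container
# Constructed PEM sample: only the header matters here, the body is a placeholder.
SAMPLE_PEM_RSA = f"{PEM_RSA_HEADER}\nMIIEplaceholder\n-----END RSA PRIVATE KEY-----\n"

def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data

def _read_string(buf: bytes, off: int):
    """Decode one SSH wire-format string at off; return (bytes, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_key(key_text: str) -> dict:
    """Classify a key file and say whether JSch can load it (reads only the preamble)."""
    lines = [ln.strip() for ln in key_text.strip().splitlines() if ln.strip()]
    if lines[0] == OPENSSH_HEADER:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("OPENSSH header without openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(blob, off)      # b"none" when unencrypted
        _kdf, off = _read_string(blob, off)
        _kdf_opts, off = _read_string(blob, off)
        off += 4                                   # uint32 number of keys
        pubkey, off = _read_string(blob, off)      # embedded public key blob
        key_type, _ = _read_string(pubkey, 0)      # its first field is the type
        return {"format": "openssh", "key_type": key_type.decode(),
                "encrypted": cipher != b"none", "jsch_ok": False}
    if lines[0] == PEM_RSA_HEADER:                 # what ssh-keygen -m pem writes
        encrypted = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)
        return {"format": "pem", "key_type": "ssh-rsa",
                "encrypted": encrypted, "jsch_ok": True}
    return {"format": "unknown", "key_type": None, "encrypted": None, "jsch_ok": None}

def make_sample_openssh_key(key_type: str = "ssh-rsa", cipher: str = "none") -> str:
    """Build a constructed openssh-key-v1 container (not a usable key) for testing."""
    kdf = b"none" if cipher == "none" else b"bcrypt"
    pubkey = _ssh_string(key_type.encode()) + _ssh_string(b"\x01\x00\x01")
    blob = (OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1) + _ssh_string(pubkey)
            + _ssh_string(b"placeholder-private-section"))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_HEADER}\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Run inspect_key over the contents of each file in the keys directory; a result with "format": "openssh" is a key that needs the conversion above, and "encrypted": True means the -P option must carry the current passphrase.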

Document Location

Worldwide


Document Information

Modified date:
29 May 2024

UID

ibm17035593