Hello Josef,
It has been known for the app_keystore_cert_validator.sh script to be unreliable sometimes, so can you try to re-generate the docker-client-registry.p12 and monitor the alerts to see if you still get the false positives? To reset the key, please run the following command on your console:
# /opt/qradar/bin/runjava.sh com.ibm.si.application.commandline.KeyStoreGenerator -c /etc/docker/tls/registry/docker-client-registry.cert -k /etc/docker/tls/registry/docker-client-registry.key -s /etc/docker/tls/registry/docker-client-registry.p12
To confirm the key has been reset successfully, please check the date stamp on the file docker-client-registry.p12 using ls -lrt /etc/docker/tls/registry. In this example the key was reset 4/12 09:16.
# ls -lrt /etc/docker/tls/registry
total 24
-rw------- 1 root root 1704 Sep 12 09:02 docker-client-registry.key
-rw------- 1 root root 1054 Sep 12 09:02 docker-client-registry.csr
-rw-r--r-- 1 root root 1887 Dec 4 09:16 docker-client-registry.cert
-rw-r--r-- 1 root root 7538 Dec 4 09:16 docker-distribution_ca.crt
-rw-r--r-- 1 root root 3002 Dec 4 09:16 docker-client-registry.p12
Regards
Phil Jones (QRadar App Support)
------------------------------
Philip Jones
------------------------------
Original Message:
Sent: Tue November 26, 2024 05:42 AM
From: Josef Hradecny
Subject: Failed to generate keystore docker-client-registry.p12 false positive warnings 7.5.0.3
Hello.
In a customer's QRadar 7.5.0 UP3 environment we're getting the warning "Failed to generate keystore docker-client-registry.p12" from time to time. Turned out that the certs are all valid, as confirmed by app_keystore_cert_validator.sh. False positive warnings should be resolved in an upgrade to a newer version. The client wants to suppress it in the deployed version.
Is there a way to suppress this behavior on 7.5.0 UP3?
Thank you
Josef
------------------------------
Josef Hradecny
------------------------------
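Added example, not part of the original thread and not IBM tooling: the date-stamp check from the reply above as a scriptable function, so the result can be tested instead of read off ls output. The function name check_p12_reset and the marker file (touched just before running KeyStoreGenerator) are assumptions; the file names and directory are the ones shown in the thread.

```bash
#!/usr/bin/env bash
# Added example: confirm docker-client-registry.p12 was rebuilt.
#
# check_p12_reset DIR [MARKER]
#   DIR    - directory holding the registry TLS files
#   MARKER - optional file touched just before the reset command was run
#            (hypothetical helper file, e.g. /tmp/p12-reset.marker)
# Return codes:
#   0  keystore present, non-empty, and fresh
#   1  keystore missing or empty
#   2  keystore not rewritten since MARKER was touched
#   3  keystore older than the cert or key it is built from
#
# Usage on the console:
#   touch /tmp/p12-reset.marker
#   ... run the KeyStoreGenerator command from the reply ...
#   check_p12_reset /etc/docker/tls/registry /tmp/p12-reset.marker
check_p12_reset() {
    local dir="${1:-/etc/docker/tls/registry}"
    local marker="${2:-}"
    local p12="$dir/docker-client-registry.p12"
    local src

    # -s: file exists and has a size greater than zero.
    if ! [ -s "$p12" ]; then
        echo "missing or empty: $p12" >&2
        return 1
    fi

    # The reset must have rewritten the file after the marker was created.
    if [ -n "$marker" ] && ! [ "$p12" -nt "$marker" ]; then
        echo "not rewritten since marker: $p12" >&2
        return 2
    fi

    # A keystore older than its source cert or key was not rebuilt from them.
    for src in "$dir/docker-client-registry.cert" \
               "$dir/docker-client-registry.key"; do
        if [ -e "$src" ] && [ "$p12" -ot "$src" ]; then
            echo "stale: $p12 is older than $src" >&2
            return 3
        fi
    done

    ls -l "$p12"
    return 0
}
```
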