FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
aebadi
Staff
Article Id 323554
Description This article describes how to recreate an AES Key and what conditions are required to do so.
Scope FortiSIEM.
Solution

FortiSIEM offers an Event Integrity Dashboard that lets SOC admins validate Events on a time basis. It can be viewed from the Dashboard -> All Settings -> Database -> Event Integrity.

[Figure: Event Integrity Dashboard]

In some instances, the Event Integrity Dashboard can be blank, or the system may show that Event Integrity is not being written to.

 

Examples of this kind of error:

  

2024-06-21T06:47:46.056174-04:00 SUPER phDataPurger[5837]: [PH_DATAINTEGRITY_SIGNER_ERROR]:[eventSeverity]=PHL_ERROR,[procName]=phDataPurger,[fileName]=phDataSignerVerifier.cpp,[lineNumber]=253,[errReason]=EVP_SignFinal failed,[phLogDetail]=Data integrity signing error

----

[PH_DATAINTEGRITY_PASSPHRASE_LOAD_ERROR]:[eventSeverity]=LM_ERROR,[procName]=unknown,[fileName]=phDataSignerVerifier.cpp,[lineNumber]=142,[errReason]=Could not load signing key,[phLogDetail]=Data integrity load passphrase error

[PH_GENERIC_CRITICAL]:[eventSeverity]=LM_CRITICAL,[procName]=unknown,[fileName]=phDataSignerVerifier.cpp,[lineNumber]=50,[phLogDetail]=Failed to load data signing key

----

"[PH_DATAMANAGER_FILE_SIGN_ERROR]:[eventSeverity]=LM_ERROR,[procName]=unknown,[fileName]=EventDBNotifier.cpp,[lineNumber]=247,[fileName]=/data/eventdb/CUSTOMER_1/incident/19077/457848-457871-168488714/seg-1-0-1-1648254219-1648254219/data/evtb-0-1-1648254219-1648254219.dat,[phLogDetail]=File signing error"

----

 

These errors mean that the AES License key has changed and the AES Key must be recreated.
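
To check whether a log contains the signing errors quoted above, the following added example (not part of the original article and not Fortinet code) summarizes them by error ID. The log file to inspect is passed as an argument; the sample lines are shortened copies of the excerpts above plus one constructed unrelated line.

```shell
#!/usr/bin/env bash
# Added example (not Fortinet code): summarize event-integrity signing errors in a log.

# summarize_integrity_errors FILE
# Prints "<count> TAB <error ID> TAB <last errReason or phLogDetail>" per error ID.
summarize_integrity_errors() {
  awk '
    # Return the value of a [name]=value attribute on the current line.
    function field(name,   s) {
      if (!match($0, "\\[" name "\\]=[^,\"]*")) return ""
      s = substr($0, RSTART, RLENGTH)
      sub(/^[^=]*=/, "", s)
      return s
    }
    {
      id = ""
      if (match($0, /\[PH_(DATAINTEGRITY_SIGNER|DATAINTEGRITY_PASSPHRASE_LOAD|DATAMANAGER_FILE_SIGN)_ERROR\]/))
        id = substr($0, RSTART + 1, RLENGTH - 2)
      else if ($0 ~ /\[PH_GENERIC_CRITICAL\]/ && $0 ~ /signing key/)
        id = "PH_GENERIC_CRITICAL"      # generic ID: count only signing-key failures
      if (id == "") next
      count[id]++
      last[id] = field("errReason")
      if (last[id] == "") last[id] = field("phLogDetail")
    }
    END { for (id in count) printf "%d\t%s\t%s\n", count[id], id, last[id] }
  ' "$1" | sort -t "$(printf '\t')" -k2
}

# integrity_error_count FILE: total number of matching lines (0 means nothing found).
integrity_error_count() {
  summarize_integrity_errors "$1" | awk -F '\t' '{ n += $1 } END { print n + 0 }'
}

# Constructed sample: the log lines from this article, shortened, plus one unrelated line.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
2024-06-21T06:47:46-04:00 SUPER phDataPurger[5837]: [PH_DATAINTEGRITY_SIGNER_ERROR]:[eventSeverity]=PHL_ERROR,[errReason]=EVP_SignFinal failed,[phLogDetail]=Data integrity signing error
[PH_DATAINTEGRITY_PASSPHRASE_LOAD_ERROR]:[eventSeverity]=LM_ERROR,[errReason]=Could not load signing key,[phLogDetail]=Data integrity load passphrase error
[PH_GENERIC_CRITICAL]:[eventSeverity]=LM_CRITICAL,[lineNumber]=50,[phLogDetail]=Failed to load data signing key
"[PH_DATAMANAGER_FILE_SIGN_ERROR]:[eventSeverity]=LM_ERROR,[fileName]=EventDBNotifier.cpp,[phLogDetail]=File signing error"
[PH_GENERIC_CRITICAL]:[eventSeverity]=LM_CRITICAL,[phLogDetail]=Constructed unrelated failure
EOF

summarize_integrity_errors "$SAMPLE"
echo "matching lines: $(integrity_error_count "$SAMPLE")"
```

A count of 0 means none of the error IDs listed in this article appear in the file.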

 

Commands for versions 7.1.x -> 7.2.0:

  1. It is best practice to take a Snapshot before any change.
  2. Access the Super with SSH.
  3. Create a backup of the current key:

    cd /opt/phoenix/config

    mv ao-signing-key.pem ao-signing-key.pem.bak

  4. Create a new key:

    /opt/phoenix/phscripts/bin/phCreateSignKey

  5. Change owner:

    cd /opt/phoenix/config

    chown admin:admin /opt/phoenix/config/ao-signing-key.pem

  6. Restart the backend:

    phRestartBackend

 

Commands for versions older than 7.0:

  1. Access the Super with SSH.
  2. Back up /opt/phoenix/config/ao-signing-key.pem:

    cp /opt/phoenix/config/ao-signing-key.pem /opt/phoenix/config/ao-signing-key.pem.bak

  3. Re-create the above signing key by running the following binary as admin:

    su admin

    /opt/phoenix/bin/phCreateSignKey

  4. Restart phDataManager and phDataPurger so that they pick up the new signing key:

    phtools --stop phDataPurger

    phtools --start phDataPurger

For more information and instructions on managing Event Integrity, see this help article.