
How to recreate AES Key

This article describes how to recreate an AES Key and what conditions are required to do so.

Scope

FortiSIEM.

Solution

FortiSIEM offers an Event Integrity Dashboard that lets SOC admins validate events over time; it can be viewed from Dashboard > All Settings > Database > Event Integrity.

Event Integrity Dashboard

In some instances, the Event Integrity Dashboard can be blank, or the system may show that Event Integrity is not being written to.

Examples of this kind of error:

2024-06-21T06:47:46.056174-04:00 SUPER phDataPurger[5837]: [PH_DATAINTEGRITY_SIGNER_ERROR]:[eventSeverity]=PHL_ERROR,[procName]=phDataPurger,[fileName]=phDataSignerVerifier.cpp,[lineNumber]=253,[errReason]=EVP_SignFinal failed,[phLogDetail]=Data integrity signing error

----

[PH_DATAINTEGRITY_PASSPHRASE_LOAD_ERROR]:[eventSeverity]=LM_ERROR,[procName]=unknown,[fileName]=phDataSignerVerifier.cpp,[lineNumber]=142,[errReason]=Could not load signing key,[phLogDetail]=Data integrity load passphrase error

[PH_GENERIC_CRITICAL]:[eventSeverity]=LM_CRITICAL,[procName]=unknown,[fileName]=phDataSignerVerifier.cpp,[lineNumber]=50,[phLogDetail]=Failed to load data signing key

----

[PH_DATAMANAGER_FILE_SIGN_ERROR]:[eventSeverity]=LM_ERROR,[procName]=unknown,[fileName]=EventDBNotifier.cpp,[lineNumber]=247,[fileName]=/data/eventdb/CUSTOMER_1/incident/19077/457848-457871-168488714/seg-1-0-1-1648254219-1648254219/data/evtb-0-1-1648254219-1648254219.dat,[phLogDetail]=File signing error

----

In these cases the AES license key has changed, and the AES signing key must be recreated.

Command for Versions 7.1.x -> 7.2.0

Step 1: It is best practice to take a Snapshot before any change.

Step 2: Access the Super with SSH.

Step 3: Create a backup of the current key:

cd /opt/phoenix/config
mv ao-signing-key.pem ao-signing-key.pem.bak

Step 4: Create a new key:

/opt/phoenix/phscripts/bin/phCreateSignKey

Step 5: Change owner:

cd /opt/phoenix/config
chown admin:admin /opt/phoenix/config/ao-signing-key.pem

Step 6: Restart the backend:

phRestartBackend

Command for Versions older than 7.0

Step 1: Access the Super with SSH.

Step 2: Back up /opt/phoenix/config/ao-signing-key.pem:

cp /opt/phoenix/config/ao-signing-key.pem /opt/phoenix/config/ao-signing-key.pem.bak

Step 3: Re-create the above signing key by running the following binary as the admin user:

su admin
/opt/phoenix/bin/phCreateSignKey

Step 4: Restart phDataManager and phDataPurger so they pick up the new signing key:

phtools --stop phDataPurger
phtools --start phDataPurger
phtools --stop phDataManager
phtools --start phDataManager
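As an added triage helper for both procedures above (example code, not part of the Fortinet article), the script below counts the signing-error lines quoted in this article in a log file and sanity-checks the recreated key file: present, owned by admin as in Step 5, and in PEM form. The log path /opt/phoenix/log/phoenix.log and GNU/BSD stat(1) are assumptions; the sample log lines are constructed from the article's examples.

```shell
#!/bin/sh
# Added example, not from the Fortinet article. Assumptions: the FortiSIEM log
# is at /opt/phoenix/log/phoenix.log (not stated in the article), and stat(1)
# is GNU or BSD. The sample log below is constructed from the article's lines.

# The four error signatures quoted in the article, as one extended regex.
SIGNING_ERROR_RE='PH_DATAINTEGRITY_SIGNER_ERROR|PH_DATAINTEGRITY_PASSPHRASE_LOAD_ERROR|PH_DATAMANAGER_FILE_SIGN_ERROR|Failed to load data signing key'

# Print how many lines of the given log match; grep -c exits 1 when none do.
count_signing_errors() {
    grep -c -E "$SIGNING_ERROR_RE" "$1"
}

# Verify the key file: present (else return 1), owned by the expected user
# (else 2; default "admin" as in Step 5 of the article), PEM formatted (else 3).
check_key_file() {
    f="$1"; want="${2:-admin}"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    owner=$(stat -c %U "$f" 2>/dev/null || stat -f %Su "$f")
    [ "$owner" = "$want" ] || { echo "owner is $owner, expected $want"; return 2; }
    head -n 1 "$f" | grep -q '^-----BEGIN' || { echo "not a PEM file: $f"; return 3; }
    echo "ok: $f (owner $owner)"
}

# Constructed sample log modelled on the article's error lines, for a dry run.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2024-06-21T06:47:46.056174-04:00 SUPER phDataPurger[5837]: [PH_DATAINTEGRITY_SIGNER_ERROR]:[eventSeverity]=PHL_ERROR,[errReason]=EVP_SignFinal failed
[PH_DATAINTEGRITY_PASSPHRASE_LOAD_ERROR]:[eventSeverity]=LM_ERROR,[errReason]=Could not load signing key
[PH_GENERIC_CRITICAL]:[eventSeverity]=LM_CRITICAL,[phLogDetail]=Failed to load data signing key
[PH_DATAMANAGER_FILE_SIGN_ERROR]:[eventSeverity]=LM_ERROR,[phLogDetail]=File signing error
2024-06-21T06:48:00-04:00 SUPER phDataPurger[5837]: [PH_GENERIC_INFO]:[phLogDetail]=heartbeat
EOF

echo "signing errors in sample log: $(count_signing_errors "$SAMPLE_LOG")"
# On a real Super, after Step 6 / Step 4 the count of new lines should stop growing:
#   count_signing_errors /opt/phoenix/log/phoenix.log
#   check_key_file /opt/phoenix/config/ao-signing-key.pem
```

Run it once before recreating the key to record the baseline count, and again after the restart; the key check should report "ok" with owner admin.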