Storage requirements

The integration capabilities in IBM Security QRadar® Suite Software use persistent storage to provide reliable and resilient storage of state data. The cluster administrator must provide appropriate storage classes that meet the requirements of the respective Red Hat® OpenShift® environment.

To install QRadar Suite Software, you must configure a suitable storage class in the cluster. The configuration must be supported by one or more persistent volumes of suitable size.

Persistence is enabled by default in QRadar Suite Software. You must have physical volumes available, backed up by a suitable file system.

By definition, block storage implies RWO (ReadWriteOnce) access mode and does not support RWX (ReadWriteMany) or ROX (ReadOnlyMany). Block storage provides the best performance for storage, but it forces RWO access mode in the node.

Suggested storage providers

For Linux® on x86 hardware, the following storage providers are validated across all the capabilities of QRadar Suite Software:

IBM Cloud® Block Storage and IBM Cloud File Storage
IBM Storage Fusion 2.4.0 or later
IBM® Storage Suite for IBM Cloud Paks. This suite of offerings includes the following validated storage options:
- IBM Storage Scale Container Native CSI 2.6 or later
- Red Hat Ceph® Storage
- Red Hat OpenShift Data Foundation (ODF) 4.2 or later with the block or file storage type
Portworx Storage, version 2.5.5 or later
Red Hat OpenShift Data Foundation (ODF) 4.2 or later with the block or file storage type

For more information about these options, see the IBM Storage Suite for IBM Cloud Paks documentation.

Important:

If you are using VMWare vSphere and ODF, the CPU and RAM requirements must be incremented in line with the resource requirements in the IBM Storage Suite for IBM Cloud Paks documentation.
If you are using VMWare clusters that are hosted on multiple ESXi hosts, your storage must be shared between those hosts.
The IBM Storage Suite components are not supported by the QRadar Suite Software support team. You must ensure that you have an appropriate support arrangement with the storage provider for these components.
To provide protection for data at rest, use volume encryption for your chosen storage.

Network File Storage (NFS)

If you plan to use NFS for persistent storage, you must set up your NFS before you install QRadar Suite Software. Use an enterprise class storage system that ensures availability with a sufficiently high throughput and reduced latency, such as:

Dell EMC Powerscale
IBM Spectrum® Scale
NetApp Trident

Use an NFS server that is close to your cluster. When I/O performance is not sufficient, services can experience poor performance or cluster instability such as functional failures with timeouts, especially when you are running a heavy workload. Ensure that the following conditions are met on all of the QRadar Suite Software nodes in your Red Hat OpenShift Container Platform cluster.

All of the nodes in the cluster have access to mount the NFS server.
All of the nodes in the cluster have read/write access to the NFS server.
Containerized processes have read/write access to the NFS server.

Important: It is your responsibility to secure your NFS storage. You can use NFS in production or nonproduction environments. It is best to use a separate NFS server for each environment.

You must set up dynamic storage provisioning on your NFS server. NFS does not support dynamic storage provisioning by default, and Red Hat OpenShift does not include a provisioner plug-in to create an NFS storage class.

You must export the NFS share to all the NFS clients. The following options are required to export the NFS share to all the NFS clients.

rw
sync
no_root_squash
no_subtree_check

The following NFS configuration requirements are the minimum requirements for optimal performance.

200 input/output operations per second (IOPS)
10 IOPS per GB

For more information about setting up your Red Hat OpenShift Container Platform clusters with persistent storage by using NFS, see Kubernetes NFS Subdir External Provisioner.

Validated storage options

For each of the cloud environment providers that are supported by QRadar Suite Software, the validated storage options are detailed in the following tables.

Table 1. Validated block storage options
Provider	Storage class	Storage type	Access mode	Storage provider	Suggested reclaim policy	Min. IOPS	Encryption supported on the storage class
Amazon Web Services (AWS)	gp2, gp2-csi, gp3, gp3-csi, ocs-storagecluster-ceph-rbd	Block	RWO	AWS	Retain	10 IOPS/GB	Yes
Google Cloud Platform	csi-gce-pd-ssd	Block	RWO	Google Cloud Platform	Retain	10 IOPS/GB	Yes
IBM Cloud (Classic)	ibmc-block-gold	Block	RWO	IBM Cloud	Retain	10 IOPS/GB	Yes
IBM Cloud (VPC2)	ibmc-vpc-block-10iops-tier, portworx-shared-sc	Block	RWO	IBM Cloud	Retain	10 IOPS/GB	Yes
IBM Storage Fusion or IBM Storage Scale Container Native	ibm-spectrum-scale-sc	Block	RWO	IBM Storage	Retain	10 IOPS/GB	Yes
Microsoft Azure	managed-premium	Block	RWO	Azure Disk	Retain	10 IOPS/GB	Yes
VMware	ocs-storagecluster-ceph-rbd, vsphere-storage-blockvsphere-volume(thin)	Block	RWO	ODF 4.7, VSphere Volume	Retain	10 IOPS/GB	Yes

Table 2. Validated file storage options
Provider	Storage class	Storage type	Access mode	Storage provider	Suggested reclaim policy	Min. IOPS	Encryption supported on the storage class
Amazon Web Services (AWS)	ocs-storagecluster-cephfs	File	RWO	AWS	Retain	10 IOPS/GB	Yes
Google Cloud Platform	csi-gce-pd-ssd	File	RWO	Google Cloud Platform	Retain	10 IOPS/GB	Yes
IBM Cloud	ibmc-file-gold-gid, portworx-fs	File	RWO	IBM Cloud	Retain	10 IOPS/GB	Yes
IBM Storage Fusion or IBM Storage Scale Container Native	ibm-spectrum-scale-sc	File	RWO	IBM Storage	Retain	10 IOPS/GB	Yes
Network File Storage	nfs-client	File	RWO	Dell EMC Powerscale IBM Spectrum Scale NetApp Trident	Retain	10 IOPS/GB	Yes

Tip: IBM Cloud ROKS supports the following gid storage classes:

ibmc-file-bronze-gid
ibmc-file-silver-gid
ibmc-file-gold-gid

Ensure that the minimum IOPS for the storage class meets or exceeds the minimum IOPS for QRadar Suite Software. For more information about gold, silver, and bronze storage, see Storage class reference.

1:1 mapping exists between deployment replicas and the underlying Persistent Volume Claims (PVCs). For example, a CouchDB deployment that has three replicas has three underlying PVCs.

For more information about Kubernetes persistent volumes, see Persistent Volumes.

Data encryption

You can encrypt your disks yourself if they are not encrypted by default. If you use Linux Unified Key Setup-on-disk-format (LUKS) for this purpose, enable LUKS and format the disks with the XFS file system before you install QRadar Suite Software.

For data encryption at rest on Portworx, AWS, and IBM Cloud File Storage, the following options are suggested.

AWS: When you install Red Hat OpenShift in AWS, the gp2 storage class is created by default. By default this storage class uses the encryption key set within the EBS encryption for the entire AWS Account. Contact your AWS administrator to determine which KMS key was used to encrypt the Red Hat OpenShift nodes, and obtain the full ARN of the key. To use a different encryption key, create a new custom storage class for use with QRadar Suite Software to ensure that the chosen encryption key is used when the persistent volumes are encrypted. For more information, see the AWS Elastic Block Store (EBS) object definition section of Post-installation storage configuration .
IBM Cloud File Storage: For more information, see Setting up encryption for Block Storage for VPC.
Portworx enterprise: For more information, see IBM Cloud in the Portworx documentation.

Other options, such as NFS, are not supported.

Retrieving the default block storage class in your environment

You must set only one default storage class in the Red Hat OpenShift environment.

Confirm the default storage class by typing the following command.
```
oc get storageclass | grep default
```

If you have more than one default storage class set, unset one of the storage classes by typing the following command.

oc patch storageclass <storage_class> -p '{"metadata": {"annotations": {"storageclass.kubernetes.io/is-default-class": "false"}}}'

When you update the values.conf file to install QRadar Suite Software, set the default storage class as the value for the storageClass parameter.

IBM Cloud environment storage

In an IBM Cloud environment, the minimal PVC size that is enforced is 20 GB for the standard ibmc-block-gold storage class. For more information, see IBM Cloud documentation.

In IBM Cloud environments, QRadar Suite Software requires one or more persistent volumes of suitable size, as shown in the following table.

Table 3. Suggested storage for IBM Cloud
Storage capability	Access mode	Deployment replicas x storage per replica	Suggested storage
Backup and Restore	RWO	1x500 GB	500 GB*
CouchDB	RWO	3x60 GB	180 GB
OpenSearch	RWO	3x20 GB	60 GB
etcd	RWO	3x20 GB	60 GB
Noobaa	RWO	3x20 GB	60 GB
Postgres	RWO	2x220 GB (default), 2x220 GB (Case Management), 2x250 GB (Data Explorer UDI)	1.38 TB
RabbitMQ	RWO	3x20 GB	60 GB

Tip: For the Backup and Restore pod, instead of using the defaults that are specified in the table, you can provision your own storage. For more information, see Creating the backup and restore PVC.

Unmanaged Red Hat OpenShift environment storage

In a Red Hat OpenShift Container Platform environment where you do not have a managed cluster from a cloud provider, QRadar Suite Software requires one or more persistent volumes of suitable size, as shown in the following table.

Table 4. Suggested storage for unmanaged Red Hat OpenShift environments
Storage capability	Access mode	Deployment replicas x storage required per replica	Suggested storage
Backup and Restore	RWO	1x500 GB	500 GB
CouchDB	RWO	3x60 GB	180 GB
OpenSearch	RWO	3x20 GB	60 GB
etcd	RWO	3x10 GB	30 GB
Noobaa	RWO	3x20 GB	60 GB
Postgres	RWO	2x220 GB (default), 2x220 GB (Case Management), 2x250 GB (Data Explorer UDI)	1.38 TB
RabbitMQ	RWO	3x20 GB	60 GB

Tip: For the Backup and Restore pod, instead of using the defaults that are specified in the table, you can provision your own storage. For more information, see Creating the backup and restore PVC.