Domain name and TLS certificates

Provide a TLS certificate for your IBM® Security QRadar® EDR Fully Qualified Domain Name (FQDN).

The TLS certificate can be one of the following types:

  • A certificate for a specific FQDN; for example, my.example.com
  • A wildcard certificate; for example, *.example.com or *.apps.example.com
    Tip: The wildcard character must be at the same level as your QRadar EDR. For example, if your QRadar EDR is at qradaredr.apps.example.com, your wildcard certificate must be for *.apps.example.com.

Domain name requirements

By default, when QRadar EDR is installed, it uses the FQDN of the Red Hat® OpenShift® Container Platform cluster together with the TLS certificate that is issued for that platform FQDN.

You can choose to create a unique FQDN for QRadar EDR if you don't want to use the Red Hat OpenShift Container Platform cluster FQDN.

To create a unique FQDN, ensure that a Domain Name System (DNS) server is configured and available with one of the following record types:

  • A record that points to the IP address of the cluster.
  • A CNAME record that points to the Red Hat OpenShift Container Platform cluster hostname.

To verify that the FQDN that you created is resolving correctly to provide your cluster hostname or IP address, you can use a tool such as https://dnschecker.org/, or the dig command.

To use the dig command to check that the FQDN that you created is resolving correctly, type the following command where <FQDN> is the FQDN that you created. Look for the FQDN in the answer section of the output.

dig <FQDN>

Certificate requirements

The TLS certificates must adhere to the following requirements:

  • The TLS certificate must be from a trusted CA for your production systems.
  • The TLS certificate must be an RSA certificate with a minimum of 2048 bits, or a P-256 ECDSA certificate no greater than 256 bits with PKCS1 encoding.
    Important:

    If you need to support QRadar EDR agents that run on any of the following older versions of the Microsoft Windows operating system, your TLS certificate must use Elliptic Curve Cryptography (ECC) with the prime256v1 (P-256) curve. For more information, see the NIST definition of Elliptic Curve Cryptography.

    • Windows client 7
    • Windows server 2008 R2 (SP2)
    • Windows server 2012 R2
    If ECC certificates are not configured, the following error messages typically appear in the agent log file in the %TEMP% folder (C:\Users\<Username>\AppData\Local\Temp).
    Response: SSL Error: WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR internal error.
    Exception: Backend communication problem: SSL Error: WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR internal error.
  • The TLS certificate must match the QRadar EDR domain and must list that domain in the Subject Alternative Name (subjectAltName) extension.
  • The TLS certificate and certificate authorities (CAs) must use a hash algorithm from the SHA-2 family.
  • The TLS certificate must have a timespan that does not exceed 398 days.
  • The TLS server certificate must contain an ExtendedKeyUsage (EKU) extension that contains the id-kp-serverAuth object identifier (OID).

If you use your own root CA for internal systems, it can have a time span that exceeds 398 days. This method can be useful for nonproduction environments. However, any system that is connected to the internet generates warnings if the server certificate is not issued by a well-known root authority that browsers recognize by default.

Important: QRadar EDR does not support a password for the certificate key.

Certificate replacement

If you need to replace the TLS certificate that you are using for QRadar EDR and it is not the same certificate that you are using for your Red Hat OpenShift Container Platform cluster, see Updating your QRadar EDR TLS certificates.

If you need to replace the TLS certificate that you are using for QRadar EDR and it is the same certificate that you are using for your Red Hat OpenShift Container Platform cluster, see Synchronizing QRadar EDR Certificates with the cluster certificate.

Creating your own CA and generating a TLS certificate with OpenSSL

For installation, QRadar EDR requires a server private key and a server certificate that is signed by a certificate authority (CA).

Before you begin

Important: Do not use this method for production systems. Always use a TLS certificate from a trusted CA for your production systems.

If the server certificate is signed by a CA that is not already trusted, you must also provide that CA's certificate.

Procedure

  1. Generate a signing CA certificate.
    1. Create the SUBJ environment variable by typing the following command, where <CA_subject> is the name of the CA for which the certificate is generated.
      export SUBJ="<CA_subject>"
    2. Create the openssl.cfg file by typing the following command, where <common_name> is the FQDN. If the FQDN exceeds 64 characters, give it a meaningful name, such as the first part of your domain name.
      cat <<EOF > openssl.cfg
      [ req ]
      distinguished_name = req_distinguished_name
      [ req_distinguished_name ]
      commonName = <common_name>
      commonName_max = 64
      [ v3_ca ]
      basicConstraints = critical,CA:TRUE
      subjectKeyIdentifier = hash
      authorityKeyIdentifier = keyid:always,issuer:always
      EOF
    3. Generate the CA key by typing the following command.
      openssl genrsa -out ca.key 4096
    4. Generate the CA certificate by typing the following command.
      openssl req -x509 -new -nodes -key ca.key -sha256 -days 825 \
           -config openssl.cfg -extensions v3_ca \
           -subj "$SUBJ" -out ca.crt
    The ca.key and ca.crt files are generated, containing the key and certificate for the CA.
  2. Create the OpenSSL configuration.
    1. Create the DOMAIN environment variable by typing the following command.
      export DOMAIN="<FQDN>"
    2. Create the COMMONNAME environment variable by typing one of the following commands.

      If your domain name is fewer than 64 characters, type the following command.

      export COMMONNAME=$DOMAIN

      If your domain name is greater than 64 characters, type the following command.

      export COMMONNAME=<common_name>
    3. Create the OpenSSL configuration by typing the following command.
      cat > openssl.cfg <<EOF
      [req]
      req_extensions = req_ext
      x509_extensions = usr_cert
      distinguished_name = req_name
      [ req_name ]
      commonName = $COMMONNAME
      [ usr_cert ]
      basicConstraints=CA:FALSE
      nsCertType = server
      keyUsage = nonRepudiation, digitalSignature, keyEncipherment
      extendedKeyUsage = serverAuth
      subjectKeyIdentifier = hash 
      authorityKeyIdentifier = keyid,issuer
      subjectAltName = DNS:$DOMAIN
      [ req_ext ]
      subjectAltName = DNS:$DOMAIN
      EOF
  3. Generate the certificate.
    1. Create the subj environment variable by typing the following command.
      export subj="/CN=$COMMONNAME"
    2. If you're installing QRadar EDR agents on older versions of the Windows operating system as listed in the certificate requirements, generate the TLS key by typing the following command.
      openssl ecparam -name prime256v1 -genkey -noout -out tls.key -outform PEM
      
      openssl req -new -sha256 -key tls.key -out tls.csr -subj "$subj" -config openssl.cfg
      Otherwise, generate the TLS key by typing the following command.
      openssl req -nodes -newkey rsa:2048 -keyout tls.key -outform PEM \
         -out tls.csr -subj "$subj" -config openssl.cfg
    3. Generate the TLS certificate in a temporary file by typing the following command.
      openssl x509 -req -sha256 -in tls.csr \
         -out tls.crt.tmp \
         -CA ca.crt -CAkey ca.key \
         -CAcreateserial -CAserial ca.serial \
         -days 398 -extensions usr_cert -extfile openssl.cfg
    4. Concatenate the TLS certificate and CA certificate into a single file by typing the following command.
      cat tls.crt.tmp ca.crt > tls.crt
    The tls.key and tls.crt files are generated, containing the server key and certificate for the domain. The generated files map to the following installation parameters: tls.crt to domainCertificatePath, tls.key to domainCertificateKeyPath, and ca.crt to customCaFilePath.
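The following POSIX shell script is an added check, not part of the IBM documentation: it tests a server certificate and key against the certificate requirements listed earlier (key type and size, SHA-2 signature, subjectAltName including a same-level wildcard, 398-day validity, serverAuth EKU, unencrypted key) and can be run on the tls.crt and tls.key files that the procedure above produces. It assumes openssl 1.1.1 or later and GNU date are installed; the demo FQDN and file names are constructed.

```sh
#!/bin/sh
# Added example, not IBM's code. Assumes openssl 1.1.1+ and GNU date in PATH.
# usage: check_tls_cert <cert.pem> <key.pem> <FQDN>  -> returns 0 only if all checks pass
check_tls_cert() {
  cert="$1"; key="$2"; fqdn="$3"; fail=0
  text=$(openssl x509 -in "$cert" -noout -text) || return 1
  has() { printf '%s\n' "$text" | grep -Eiq "$1"; }
  # 1. Key: RSA with at least 2048 bits, or ECDSA on P-256 (prime256v1)
  if has 'Public Key Algorithm: rsaEncryption'; then
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: RSA key is only $bits bits"; fail=1; }
  elif ! has 'ASN1 OID: prime256v1|NIST CURVE: P-256'; then
    echo "FAIL: key is neither RSA >= 2048 nor P-256 ECDSA"; fail=1
  fi
  # 2. Signature hash must be from the SHA-2 family (sha256/384/512, RSA or ECDSA)
  has 'Signature Algorithm: .*sha(256|384|512)' || { echo "FAIL: hash is not SHA-2"; fail=1; }
  # 3. subjectAltName must carry the FQDN, or a wildcard at the same level (see the Tip)
  wild="*.${fqdn#*.}"
  san_has() { has "DNS:$(printf '%s' "$1" | sed 's/[.*]/\\&/g')(,|\$)"; }
  san_has "$fqdn" || san_has "$wild" ||
    { echo "FAIL: subjectAltName lacks DNS:$fqdn (or DNS:$wild)"; fail=1; }
  # 4. Validity span must not exceed 398 days
  nb=$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)
  na=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
  days=$(( ( $(date -u -d "$na" +%s) - $(date -u -d "$nb" +%s) ) / 86400 ))
  [ "$days" -le 398 ] || { echo "FAIL: validity is $days days (> 398)"; fail=1; }
  # 5. extendedKeyUsage must include id-kp-serverAuth
  has 'TLS Web Server Authentication' || { echo "FAIL: no serverAuth in EKU"; fail=1; }
  # 6. Key must be unencrypted (QRadar EDR supports no key password) and match the cert
  grep -q 'ENCRYPTED' "$key" && { echo "FAIL: key is password-protected"; fail=1; }
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null)" ] ||
    { echo "FAIL: key does not match certificate"; fail=1; }
  return $fail
}
# Constructed demo data: a compliant and a non-compliant self-signed pair written to $1.
make_demo_certs() {
  fqdn=qradaredr.apps.example.com
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 398 -subj "/CN=$fqdn" \
    -addext "subjectAltName=DNS:*.apps.example.com" -addext "extendedKeyUsage=serverAuth" \
    -keyout "$1/good.key" -out "$1/good.crt" 2>/dev/null
  # 400-day validity and no EKU: must fail checks 4 and 5
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 400 -subj "/CN=$fqdn" \
    -addext "subjectAltName=DNS:$fqdn" -keyout "$1/bad.key" -out "$1/bad.crt" 2>/dev/null
}
```

To check the files from the procedure, run check_tls_cert tls.crt tls.key "$DOMAIN" in the directory where they were generated.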

TLS Certificate parameters for installation

Use the TLS certificate information to complete the appropriate parameter values during installation.

Parameter                  Description
domainCertificatePath      The path of the TLS certificate that is associated with the QRadar EDR domain.
domainCertificateKeyPath   The path of the TLS key that is associated with the QRadar EDR domain.
customCaFilePath           The path of the custom CA certificate that is associated with the QRadar EDR domain.