Configuring access to the inbound destinations

New in 5.0. Before you configure the IBM® QRadar® SOAR Plug-in 5.0 app, you must copy the SOAR CA certificates to the QRadar Console to allow access to the SOAR inbound destinations.

Before you begin

If you connect to an IBM Security SOAR for IBM Cloud Pak® for Security (CP4S) instance, ensure that DNS mapping for the IP address that is associated with the CP4S cluster and its domain name is configured. Provide this information for both the QRadar Console and the QRadar SOAR Plug-in container. You must provide the IP address and hostnames of the CP4S cluster, and the cases-rest, cases-stomp, and cases-openwire endpoints.

Procedure

  1. To configure CA certificates for IBM Security SOAR Platform, follow these steps:
    1. Using SSH, log in to the QRadar Console as the root user.
    2. Type the following command to change directories.
      cd /opt/qradar/conf/trusted_certificates
    3. Install the SOAR certificate by typing this command:
      /opt/qradar/bin/getcert.sh <IP_or_Hostname_of_SOAR> <Port_of_the_SOAR_incoming_queue>

      For example, the command might look similar to this one:
      /opt/qradar/bin/getcert.sh mysoar.ibm.com 65000

    4. Restart the QRadar event collection service by typing this command:
      systemctl restart ecs-ep
  2. To configure CA certificates for a SOAR for IBM Cloud Pak for Security instance, follow these steps:
    1. Open the Red Hat OpenShift Container Platform console for the cluster where CP4S is installed.
    2. In the navigation page, select Networking > Routes.
    3. Select Project: All Projects and search for cases-openwire.
    4. Click the cases-openwire route to open the Route details window.
    5. Under TLS settings, copy the value in the Certificate field and save it to a .crt file.

      For example, you can give the .crt file a name similar to this one: <hostname>_cases_openwire_ca.crt.

      Note:

      If the Certificate value is empty, find the certificate value in the Workloads settings.

      1. In the navigation window, select Workloads > Secrets.
      2. Search for isc-cases-openwire-default-cert or isc-cases-stomp-default-cert.

        The certificate content is in the Data section.

    6. Copy the .crt file to the /opt/qradar/conf/trusted_certificates location on the QRadar Console.
    7. Restart the QRadar event collection service by typing this command:
      systemctl restart ecs-ep
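
A certificate value pasted from the OpenShift console can lose its BEGIN/END lines, be truncated, or already be close to expiry. The following added example (not part of the IBM documentation) checks a saved .crt file with openssl before you copy it in step 6; the function name check_soar_ca_cert and the 30-day default are assumptions.

```shell
# Added example: sanity-check a saved SOAR CA .crt file before copying it to
# /opt/qradar/conf/trusted_certificates. Names and defaults are assumptions.
#
# check_soar_ca_cert FILE [MIN_DAYS]
#   returns 0  file holds a parseable PEM X.509 certificate that stays valid
#              for at least MIN_DAYS more days (default 30)
#   returns 1  file unreadable, no PEM block, or not parseable as X.509
#   returns 2  certificate is expired or expires within MIN_DAYS
check_soar_ca_cert() {
    local file="$1" min_days="${2:-30}" count

    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 1; }

    # Copy/paste from a web console often drops the BEGIN/END marker lines.
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file" || true)
    if [ "$count" -eq 0 ]; then
        echo "no PEM certificate block in $file" >&2
        return 1
    fi

    # Parse the first certificate and print the fields worth comparing with
    # what the Route details window or the secret shows. Truncated or
    # corrupted base64 fails here.
    if ! openssl x509 -in "$file" -noout -subject -issuer -enddate \
            -fingerprint -sha256; then
        echo "not a valid X.509 certificate: $file" >&2
        return 1
    fi
    [ "$count" -gt 1 ] && \
        echo "note: $count certificates in file; details are for the first"

    # -checkend takes seconds and exits non-zero when the certificate
    # expires inside that window (or has already expired).
    if ! openssl x509 -in "$file" -noout \
            -checkend $((min_days * 86400)) >/dev/null; then
        echo "certificate expires within $min_days days: $file" >&2
        return 2
    fi
    return 0
}

# Run as: sh check_cert.sh <hostname>_cases_openwire_ca.crt [MIN_DAYS]
if [ "$#" -gt 0 ]; then
    check_soar_ca_cert "$@"
fi
```

Compare the printed SHA-256 fingerprint and subject with the values shown for the route or secret before you restart ecs-ep.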

What to do next

After you configure access to the inbound destinations, create an authorized service token to authenticate the API calls that are made by SOAR.