Installing a QRadar appliance

Install an IBM® QRadar® Console or a managed host on a QRadar appliance or on your own appliance that is FIPS enabled.

Software versions for all QRadar appliances in a deployment must be the same version and fix level. Deployments that use different versions of software are not supported.

Before you begin

Ensure that the following requirements are met:

  • The correct hardware is installed.
  • Create a bootable USB flash drive with Red Hat Linux. For more information, see Creating a bootable USB drive with Red Hat Linux®.
  • Install QRadar with a USB flash drive. For more information, see Installing QRadar with a USB drive.
  • You have the required license key for your appliance.
  • A keyboard and monitor are connected by using the VGA connection.
  • If you want to configure bonded network interfaces, see Configuring bonded management interfaces.
  • If you are installing QRadar on a Unified Extensible Firmware Interface (UEFI) system, secure boot must be disabled.
  • QRadar 7.5.0 Update Package 2 and later can be installed by using Appliance Install on a Unified Extensible Firmware Interface (UEFI) system with Secure Boot enabled or disabled. If Secure Boot is enabled, QRadar does not function properly until you enroll the public key and reboot the system. If Secure Boot is disabled, you can install the public key if you plan to use Secure Boot in the future. For more information, see Enabling secure boot.
FIPS installation only
Attention: To install an appliance with FIPS enabled, add qradar.fips=1 to the vmlinuz line.

Procedure

  1. FIPS installation only: On the Red Hat Enterprise Linux 7.9 installation page, press Tab to edit the vmlinuz line.
  2. FIPS installation only: Add qradar.fips=1 to the vmlinuz line and press Enter.
    The result might look similar to this example:
    vmlinuz initrd=initrd.img inst.stage2=hd:LABEL=QRadar-2020_11_0_20201210153453 quiet inst.text inst.gpt inst.ks=hd:LABEL=QRadar-2020_11_0_20201210153452 console=ttyS0,9600 console=tty1 qradar.fips=1
  3. Type root at the login prompt to start the installation wizard. Type password if you are prompted for a password.
  4. Accept the End-User License Agreement.
  5. Select the appliance type:
    • Appliance Install
    • High Availability Appliance
  6. If you selected High Availability Appliance, complete the following steps:
    1. Select HA appliance (All models) 500 as the function.
    2. Select whether the high-availability (HA) appliance is a standby for a console or nonconsole appliance.
    3. Select Next.
  7. If you did not choose High Availability Appliance, select the appliance assignment, and then select Next.
  8. For the type of setup, select Normal Setup (default) or HA Recovery Setup, and set up the time.
  9. If you selected HA Recovery Setup, enter the cluster virtual IP address.
  10. Select the Internet Protocol version:
    • ipv4
    • ipv6
      If you selected ipv6, select manual or auto for the Configuration type.
      manual
      You must use a static IP address with a CIDR range.
      auto
      A static IP address with a CIDR range is generated with the Neighbor Discovery Protocol.
  11. If required, select the bonded interface setup.
  12. Select the management interface.
  13. In the wizard, enter a fully qualified domain name in the Hostname field.
    Important: The hostname must not contain only numbers.
  14. In the IP address field, enter a static IP address, or use the assigned IP address.
  15. If you do not have an email server, enter localhost in the Email server name field.
  16. Enter a root password that meets the following criteria:
    • Contains at least 5 characters
    • Contains no spaces
    • Can include the following special characters: @, #, ^, and *.
  17. If you are installing a Console, enter an admin password that meets the following criteria:
    • Contains at least 8 characters
    • Contains at least one uppercase character
    • Contains at least one lowercase character
    • Contains at least one digit
    • Contains at least one special character: @, #, ^, or *
  18. Click Finish.
  19. Follow the instructions in the installation wizard to complete the installation.

    The installation process might take several minutes.

  20. If you are installing a Console, apply your license key.
    1. Log in to QRadar as the admin user:

      https://<IP_Address_QRadar>

    2. Click Login.
    3. On the navigation menu, click Admin.
    4. In the navigation window, click System Configuration > System and License Management.
    5. From the Display list box, select Licenses, and upload your license key.
    6. Select the unallocated license and click Allocate System to License.
    7. From the list of systems, select a system, and click Allocate System to License.
  21. If you want to add managed hosts, see Adding a managed host in the IBM QRadar Administration Guide.
  22. FIPS installation only: Verify that FIPS mode is enabled by typing the following command.
    /opt/qradar/bin/myver -fips
    The output is 'true' on a FIPS mode enabled system and 'false' when FIPS mode is not enabled.

    If the result is false, try to reinstall with FIPS mode enabled.
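
The boot-line edit in step 2 and the check in step 22, as an added shell example (not IBM code): it confirms that qradar.fips=1 is a separate token on a boot line, flags parameters that were fused by a missing space, and maps the myver -fips output to an exit status. The sample boot lines and the QRadar-EXAMPLE label are constructed; the myver path and its true/false output are taken from step 22.

```shell
#!/bin/sh
# Added example (not IBM code): checks for steps 2 and 22 of the procedure.

# Path from step 22; overridable so the logic can be exercised off-appliance.
MYVER="${MYVER:-/opt/qradar/bin/myver}"

# Constructed sample boot lines; QRadar-EXAMPLE is a placeholder label.
GOOD_LINE='vmlinuz initrd=initrd.img inst.stage2=hd:LABEL=QRadar-EXAMPLE quiet inst.text inst.gpt inst.ks=hd:LABEL=QRadar-EXAMPLE console=ttyS0,9600 console=tty1 qradar.fips=1'
BAD_LINE='vmlinuz initrd=initrd.img inst.ks=hd:LABEL=QRadar-EXAMPLEconsole=ttyS0,9600 console=tty1qradar.fips=1'

# Succeed only if qradar.fips=1 is its own space-separated token.
boot_line_has_fips() {
    case " $1 " in
        *" qradar.fips=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print tokens in which a known parameter name starts mid-token, which
# indicates a missing space between two boot parameters.
fused_tokens() {
    printf '%s\n' "$1" | tr -s ' \t' '\n\n' | while read -r tok; do
        case "$tok" in
            ?*console=*|?*qradar.fips=*|?*inst.ks=*|?*inst.stage2=*|?*initrd=*)
                printf '%s\n' "$tok" ;;
        esac
    done
}

# Interpret `myver -fips`: 0 = 'true', 1 = 'false',
# 2 = anything else (tool missing or unexpected output).
fips_mode_enabled() {
    fips_out=$("$MYVER" -fips 2>/dev/null) || true
    case "$fips_out" in
        true)  return 0 ;;
        false) return 1 ;;
        *)     return 2 ;;
    esac
}

# Demo on the constructed lines.
boot_line_has_fips "$GOOD_LINE" && echo "good line: qradar.fips=1 present"
boot_line_has_fips "$BAD_LINE" || echo "bad line: qradar.fips=1 missing; fused: $(fused_tokens "$BAD_LINE" | tr '\n' ' ')"
```
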

What to do next

  1. FIPS installation only: Migrate to Docker-EE. For more information, see Migrating to Docker Enterprise Edition with FIPS.
  2. FIPS installation only: Update the cryptographic modules. For more information, see Updating cryptographic modules for FIPS.
  3. Install the QRadar Log Source Management app (https://www.ibm.com/docs/en/SS42VS_SHR/com.ibm.lsmapp.doc/c_Qapps_LSM_intro.HTML).