By default, IBM® QRadar® is configured with a Secure Sockets Layer (SSL) certificate that is signed by an internal CA.
When you log in to the Console for the first time, you are prompted with a warning message that your
connection is not secure or is not private. You can replace the SSL certificate with your own
self-signed certificate, a private certificate authority (CA) signed certificate, or a public CA
signed certificate.
Before you begin
You must have the following information:
If you use a DER formatted certificate, you must convert it to a PEM formatted certificate by
typing the following command:
openssl x509 -in <cert>.der -inform der -outform pem -out <cert>.pem
Tip: If you are deploying QRadar 7.4.3 or later, you do not need to edit the
/opt/qradar/ca/conf.d/httpd.json file. Go to step 2.
Procedure
- If you are installing a certificate that was not generated by QRadar or reinstalling an
overwritten certificate that was not generated by QRadar, disable the CA
framework from monitoring and automatically replacing the certificate. Edit the
/opt/qradar/ca/conf.d/httpd.json file and set the CertSkip
property to true and the CertMonitorThreshold property
to 0. For example:
{
  "ServiceName": "httpd",
  "CertDir": "/etc/httpd/conf/certs",
  "CertName": "cert",
  "ServiceCommand": "/opt/qradar/bin/install-ssl-cert.sh --deploy",
  "CASkip": "true",
  "CertSkip": "true",
  "CertMonitorThreshold": 0
}
- If the certificate was issued by an internal certificate authority and
not a commercial certificate provider, the CA's root and intermediate certificates are required for
a full chain of trust validation. Copy the CA's root certificate and, if needed, the intermediate
certificates, to /etc/pki/ca-trust/source/anchors/ and then run the following
command:
update-ca-trust
Repeat this step on all managed hosts.
- Use SSH to log in to the QRadar Console as the root
user. Install the certificate by entering the following command:
/opt/qradar/bin/install-ssl-cert.sh
- At the Path to Public Key File (SSLCertificateFile) prompt, enter the path to the
Public Key File. For example:
/root/new.certs/cert.cert
- At the Path to Private Key File (SSLCertificateKeyFile) prompt, enter the path to the
Private Key File. For example:
/root/new.certs/qradar.key
Example output:
You have specified the following:
SSLCertificateFile of /root/new.certs/cert.cert
SSLCertificateKeyFile of /root/new.certs/qradar.key
Re-configure Apache now (includes restart of httpd) (Y/[N])? y
Backing up current SSL configuration ... (OK)
Installing user SSL certificate ... (OK)
Reloading httpd configuration:
- Restarting httpd service ... (OK)
Restarting running services:
- Stopping hostcontext ... (OK)
- Restarting Tomcat ... (OK)
- Starting hostcontext ... (OK)
Updating deployment:
- Copying certificate to managed hosts
* 192.0.2.0 ...... (OK)
- Restarting hostcontext on managed hosts
* 192.0.2.0 ...... (OK)
The event collection service must be restarted if WinCollect is used in your environment. Restart the event collection service now (y/[n])? y
- Restarting ecs-ec-ingress on managed hosts
* 192.0.2.0 ...... (OK)
- Restarting ecs-ec-ingress on console ... (OK)
Fri Jan 17 10:33:42 EST 2020 [install-ssl-cert.sh] OK: Install SSL Cert Completed
Note: Data collection for events and flows stops while services are restarted.
- To reload the SSL certificate, restart the docker container on the host that runs your
applications by running the following command:
Results
If the install-ssl-cert.sh script finished with the OK: Install SSL
Cert Completed message, then the certificate was installed successfully. If you answered
y (yes) to the prompt to reconfigure Apache, you don't need to do anything
else. Otherwise, you must deploy the full configuration. On the navigation menu, click Admin, then click .