Copy of: Signing Your QRadar Extension 2

Getting your extension .zip ready for validation


There are five key steps to get your .zip ready for submission using the App Submission portal. All extensions published to the IBM Security App Exchange must include a manifest.txt and must be signed by your IBM-issued certificate. Your extension will not pass validation unless both are present.

  1. Export your content from your QRadar system
  2. Add a customized manifest.txt to the extension
  3. Generate and submit a Certificate Signing Request (CSR)
  4. Sign your extension
  5. Subsequent extension submissions and updated versions

Step 1: Exporting your extension or content from QRadar

You need to export all your relevant content from your QRadar system. Depending on your content type, follow the steps in one of the following sections.

Exporting a single application as an extension

Before you can export an extension from QRadar, you need to know its local id on your QRadar system.

  1. Log in to the QRadar console's command line and query the QRadar database:
    psql -U qradar -c "select id, name from installed_application;"
  2. From the resulting list, take a note of your application id.
  3. From the QRadar console's command line, run the following command to export your extension:
    /opt/qradar/bin/contentManagement.pl -a export -c installed_application -i <4 digit application ID>

Exporting a multi-application extension or content pack

  4. If you need to produce an extension with more than one application, or an extension with additional content such as reports and rules, you need to define a package file that lists the content type and id combinations of all the content you want to include.
    1. Run the following command to view a list of exportable content types:
      /opt/qradar/bin/contentManagement.pl -h export

      As an example, if you want to export an application with id 1001, rules with ids 1274 and 1275, and a dashboard with id 10, create a plain text file that follows these rules:
      • One line for each content type
      • Each line is a comma-separated list
      • The first value is the content type
      • The remaining values are the ids of that type to export

    2. For the example above, the package file (package.txt) contains three lines:
      installed_application,1001
      customrule,1274,1275
      dashboard,10

    3. Run the following command to assemble and export the content listed in the package file:
      /opt/qradar/bin/contentManagement.pl -a export -c package -f package.txt

Step 2: Adding a manifest to an extension

  1. Complete all the fields in Section 2, Extension Details, of the Submission Portal.
  2. Download the completed manifest.txt by clicking the link in the help text.
  3. Unzip the exported .zip generated by the contentManagement.pl export action.
  4. Add the manifest.txt that was generated by the Submission Portal at the same hierarchical level as the XML file.
  5. Rezip the content and name your .zip in the format <extension name>_<version>.zip.
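The following script is an added example, not IBM's code or part of the original page. It automates Step 1 (building the package file for contentManagement.pl) and Step 2 (placing manifest.txt beside the exported XML and naming the result). It assumes Python 3.8+, that the exported .zip contains exactly one XML file, and uses constructed sample data (the "Example" extension, its ids and file names are made up); export_command() only builds the argument vector, since contentManagement.pl exists only on a QRadar console.

```python
"""Added example (not IBM's code): Step 1 package file and Step 2 manifest insertion."""
import os
import posixpath
import tempfile
import zipfile
from typing import Dict, Iterable, List


def build_package_file(content: Dict[str, Iterable[int]]) -> str:
    """Return package.txt text: one line per content type, comma-separated,
    content type first, then the ids of that type."""
    lines = []
    for ctype, ids in content.items():
        ids = [int(i) for i in ids]
        if not ctype or not ids:
            raise ValueError(f"content type {ctype!r} needs at least one id")
        lines.append(",".join([ctype, *map(str, ids)]))
    return "\n".join(lines) + "\n"


def export_command(package_path: str) -> List[str]:
    """Argument vector for the package export run on the QRadar console (Step 1, item 4.3)."""
    return ["/opt/qradar/bin/contentManagement.pl", "-a", "export",
            "-c", "package", "-f", package_path]


def extension_zip_name(name: str, version: str) -> str:
    """The <extension name>_<version>.zip naming required by Step 2."""
    return f"{name}_{version}.zip"


def add_manifest(exported_zip: str, manifest_path: str, out_zip: str) -> str:
    """Copy exported_zip to out_zip, adding manifest.txt at the same level as the
    exported XML file. Returns the archive path the manifest was written to."""
    with zipfile.ZipFile(exported_zip) as src:
        xml_entries = [n for n in src.namelist() if n.lower().endswith(".xml")]
        if len(xml_entries) != 1:
            raise ValueError(f"expected exactly one XML file, found {xml_entries}")
        manifest_entry = posixpath.join(posixpath.dirname(xml_entries[0]), "manifest.txt")
        if manifest_entry in src.namelist():
            raise ValueError("archive already contains a manifest.txt at that level")
        with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as dst:
            for info in src.infolist():          # keep every exported entry as-is
                dst.writestr(info, src.read(info.filename))
            with open(manifest_path, "rb") as fh:
                dst.writestr(manifest_entry, fh.read())
    return manifest_entry


def demo() -> dict:
    """Run both steps on a constructed exported.zip (sample data, not a real export)."""
    work = tempfile.mkdtemp()
    package = build_package_file({"installed_application": [1001],
                                  "customrule": [1274, 1275], "dashboard": [10]})
    exported = os.path.join(work, "exported.zip")
    with zipfile.ZipFile(exported, "w") as z:
        z.writestr("content/app.xml", "<content/>")                  # constructed stand-in for the export XML
        z.writestr("content/app-1001.zip", b"PK\x05\x06" + b"\0" * 18)  # constructed empty app bundle
    manifest = os.path.join(work, "manifest.txt")
    with open(manifest, "w") as fh:
        fh.write("name=Example\nversion=1.0.0\n")                    # constructed, not a portal manifest
    out = os.path.join(work, extension_zip_name("Example", "1.0.0"))
    entry = add_manifest(exported, manifest, out)
    with zipfile.ZipFile(out) as z:
        names = sorted(z.namelist())
    return {"package": package, "out": os.path.basename(out),
            "manifest_entry": entry, "names": names}


if __name__ == "__main__":
    print(demo())
```

add_manifest() refuses archives with zero or several XML files rather than guessing a level, because a manifest placed at the wrong depth fails portal validation silently.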

Step 3: Generating and submitting a Certificate Signing Request (CSR)

  1. Using QRadar or another system with the keytool utility installed, run the following command to generate a Java KeyStore containing a new RSA key pair:
     keytool -genkey -alias codesigningcert -keyalg RSA -keysize 2048 -keystore signingstore.jks
  2. You will be prompted for a number of values. Enter all fields with values that are relevant to you: Name, Organizational Unit, Organization, City or Locality, State/Province, Country code.
  3. Enter a password for the signingstore.jks keystore. If keytool then asks for a separate key password for the codesigningcert entry, press Enter to reuse the keystore password; jarsigner needs both passwords later. Keep the file and password safe, as they are required later.
  4. Run the following command to create the codesigningcert.csr file:
     keytool -certreq -alias codesigningcert -file codesigningcert.csr -keystore signingstore.jks
  5. Email the codesigningcert.csr to the IBM Validation team at ibm_security_qradar_extensions@wwpdl.vnet.ibm.com with the subject "Submitting CSR". Send only the .csr file, which holds the public key; never send the signingstore.jks or its password, because the keystore holds your private key.
  6. IBM will use this codesigningcert.csr to issue you with the following items:
    • ca.crt.pem
    • intermediate.crt.pem
    • <companyname>.crt.pem
Results
You should receive these within a few days of your codesigningcert.csr submission.

Step 4: Signing your extension

We suggest that developers save a backup of the keystore before proceeding with these steps.

  1. Copy your ca.crt.pem and intermediate.crt.pem to the same location as the signingstore.jks file.
  2. Run the following command to import the root CA certificate:
    keytool -import -v -trustcacerts -alias root -file ca.crt.pem -keystore signingstore.jks
  3. Enter the keystore password that you created in Step 3.
  4. Type yes to confirm that you trust the certificate.
  5. Run the following command to import the intermediate CA certificate:
    keytool -import -v -trustcacerts -alias intermediate -file intermediate.crt.pem -keystore signingstore.jks
  6. Enter your keystore password again.
  7. Run the following command to import your own certificate. Because it uses the same alias as the key pair generated in Step 3, keytool treats it as a certificate reply and attaches it to your private key:
    keytool -import -trustcacerts -alias codesigningcert -file <companyname>.crt.pem -keystore signingstore.jks
  8. When prompted, enter your password again. You can confirm the import with keytool -list -v -keystore signingstore.jks, which should now show your IBM-issued certificate (not the original self-signed one) for the codesigningcert entry.
  9. Run the following command to sign your extension. An internet connection is required because jarsigner contacts the timestamping authority (TSA):
    jarsigner -keystore signingstore.jks -tsa http://timestamp.globalsign.com/scripts/timestamp.dll <extension zip filename> codesigningcert
  10. When prompted, enter your keystore password.

Results
A new META-INF directory is generated automatically within the .zip, resulting in an increase in file size. The new directory contains the signature files (MANIFEST.MF plus a .SF and a .RSA file) that QRadar reads to determine that the extension has been signed by an IBM-issued certificate. You can check the result yourself with jarsigner -verify -verbose -certs <extension zip filename>, which should report that the jar is verified and show the certificate chain.

Step 5: Subsequent extension submissions and updated versions

If you previously submitted an extension to IBM Security App Exchange and your keystore already contains the following items:
  • ca.crt.pem
  • intermediate.crt.pem
  • <companyname>.crt.pem

you only need to repeat steps 9 and 10 of Step 4 to sign each new extension or updated version.
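The following script is an added example, not IBM's code or part of the original page. It covers Steps 3 to 5: import_chain() and sign_and_verify() drive the keytool and jarsigner commands from Step 4 (rerunnable, so Step 5 is the same call), and inspect_signature() reads the META-INF directory without Java, listing the signature files and recomputing the per-entry digests in MANIFEST.MF so that a file changed after signing is detected. It assumes keytool and jarsigner are on PATH, that the keystore password is supplied in an environment variable named QRADAR_STOREPASS (an assumed name), and that the same alias "codesigningcert" from the page is used; demo() runs only the offline inspection on a constructed archive whose .SF and .RSA files are placeholders.

```python
"""Added example (not IBM's code): drive Step 4 and inspect what jarsigner wrote."""
import base64
import hashlib
import os
import re
import subprocess
import tempfile
import zipfile
from typing import Dict, List

TSA_URL = "http://timestamp.globalsign.com/scripts/timestamp.dll"  # TSA from the page
STOREPASS_ENV = "QRADAR_STOREPASS"   # assumed: keystore password read via -storepass:env, not argv
ALIAS = "codesigningcert"


def import_chain(keystore: str, ca_pem: str, intermediate_pem: str, my_pem: str) -> None:
    """Step 4, items 1 to 8. Trusted CA imports are skipped when the alias already
    exists, so rerunning before a later submission (Step 5) is harmless."""
    base = ["keytool", "-keystore", keystore, "-storepass:env", STOREPASS_ENV]
    for alias, pem in (("root", ca_pem), ("intermediate", intermediate_pem)):
        present = subprocess.run(base + ["-list", "-alias", alias], capture_output=True).returncode == 0
        if not present:
            subprocess.run(base + ["-import", "-v", "-trustcacerts", "-noprompt",
                                   "-alias", alias, "-file", pem], check=True)
    # same alias as the Step 3 key pair, so keytool installs this as a certificate reply
    subprocess.run(base + ["-import", "-trustcacerts", "-alias", ALIAS, "-file", my_pem], check=True)


def sign_and_verify(keystore: str, extension_zip: str) -> str:
    """Step 4, items 9 and 10, then jarsigner's own verification (needs internet for the TSA)."""
    subprocess.run(["jarsigner", "-keystore", keystore, "-storepass:env", STOREPASS_ENV,
                    "-tsa", TSA_URL, extension_zip, ALIAS], check=True)
    out = subprocess.run(["jarsigner", "-verify", "-verbose", "-certs", extension_zip],
                         capture_output=True, text=True, check=True).stdout
    if "jar verified" not in out:        # jarsigner exits 0 even for an unsigned archive
        raise RuntimeError(out)
    return out


def _manifest_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Parse MANIFEST.MF into {Name: {header: value}}; folded lines start with one space."""
    unfolded = text.replace("\r\n", "\n").replace("\r", "\n").replace("\n ", "")
    sections = {}
    for block in re.split(r"\n{2,}", unfolded.strip()):
        headers = dict(line.split(": ", 1) for line in block.split("\n") if ": " in line)
        if "Name" in headers:
            sections[headers["Name"]] = headers
    return sections


def inspect_signature(extension_zip: str) -> Dict[str, object]:
    """Offline look at META-INF: which signature files exist, which payload entries
    MANIFEST.MF omits, and which no longer match their recorded digest."""
    algos = (("SHA-256-Digest", hashlib.sha256), ("SHA1-Digest", hashlib.sha1))  # older jarsigner used SHA1
    with zipfile.ZipFile(extension_zip) as z:
        names = z.namelist()
        sig_files = sorted(n for n in names if n.startswith("META-INF/")
                           and n.upper().endswith((".SF", ".RSA", ".DSA", ".EC")))
        payload = [n for n in names if not n.startswith("META-INF/") and not n.endswith("/")]
        sections = (_manifest_sections(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
                    if "META-INF/MANIFEST.MF" in names else {})
        unlisted, tampered = [], []
        for n in payload:
            recorded = [(sections[n][h], f) for h, f in algos if n in sections and h in sections[n]]
            if not recorded:
                unlisted.append(n)
            elif all(base64.b64encode(f(z.read(n)).digest()).decode() != d for d, f in recorded):
                tampered.append(n)
    return {"signed": bool(sig_files) and not unlisted and not tampered,
            "sig_files": sig_files, "unlisted": unlisted, "tampered": tampered}


def demo() -> Dict[str, object]:
    """Constructed archive: real SHA-256 digests in MANIFEST.MF, placeholder .SF/.RSA,
    then a copy whose content was edited after signing."""
    work = tempfile.mkdtemp()
    payload = {"content/app.xml": b"<content/>", "content/manifest.txt": b"name=Example\n"}
    mf = "Manifest-Version: 1.0\n\n" + "".join(
        f"Name: {n}\nSHA-256-Digest: {base64.b64encode(hashlib.sha256(b).digest()).decode()}\n\n"
        for n, b in payload.items())
    good = os.path.join(work, "Example_1.0.0.zip")
    with zipfile.ZipFile(good, "w") as z:
        for n, b in payload.items():
            z.writestr(n, b)
        z.writestr("META-INF/MANIFEST.MF", mf)
        z.writestr("META-INF/CODESIGN.SF", "Signature-Version: 1.0\n")  # placeholder, not a real signature
        z.writestr("META-INF/CODESIGN.RSA", b"\x30\x00")                   # placeholder PKCS#7 blob
    bad = os.path.join(work, "Example_1.0.0-tampered.zip")
    with zipfile.ZipFile(good) as src, zipfile.ZipFile(bad, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "content/app.xml":
                data = b"<content modified='true'/>"     # edited after signing
            dst.writestr(info, data)
    return {"good": inspect_signature(good), "bad": inspect_signature(bad)}


if __name__ == "__main__":
    print(demo())
```

inspect_signature() checks only that MANIFEST.MF still matches the content; it does not validate the .SF or the PKCS#7 signature in the .RSA file, so the authoritative check before submission remains jarsigner -verify -certs, which also confirms the chain leads to the IBM-issued certificate.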