IBM Support

QRadar: How to set up LDAPS (LDAP over SSL) authentication

How To
Summary

This document contains a guide with the steps to configure SSL certificates for a proper LDAP encrypted authentication (LDAP over SSL) in QRadar.

Steps

This technote contains example configurations to set up LDAP authentication without encryption and with SSL encryption (LDAPS). Administrators must use them as guidance and adjust their settings to match the information provided by the LDAP administrator.
Note: The document is intended to configure an encrypted LDAP over SSL connection to a single domain controller.
Administrators can refer to Configuring LDAP authentication and Active Directory authentication modules deprecated from QRadar Console appliances for a complete list of parameters that suits their needs.

1. Establish an unencrypted connection to the LDAP server


The following parameters can be used as guidance to configure a basic LDAP Repository in QRadar.
 
1. Log in to the QRadar Console WebUI as the administrator user.
2. On the Admin tab, click Authentication.
3. Click Authentication Module Settings.
4. From the Authentication Module list, select LDAP, then Add.
5. In the Repository ID, type a descriptive name.
6. In the Server URL section, use the ldap:// protocol, the server FQDN and specify an unencrypted port (389 or Global catalog port 3268). An example of a Server URL might be: ldap://ldap.test.com:389.
7. In the Encryption field, select Unsecure.
8. In the LDAP User Field, type sAMAccountName.
9. In the User Base DN, enter the Distinguished Name (DN) of the node where the search for a user would start. To find out this value, refer to: How to find the User Base and Group Base DN information when using LDAP.
10. In the Referral section, select "follow".
11. In the Connection Settings section, select Authenticated Bind.
12. In the Login DN field, use the "Domain\User" format, for example: TEST\Administrator.
13. In the Password field, type the password of the user configured in the Login DN field.
14. Click "Test Connection" and type only the username (without the domain\) used in the Login DN field, for example, Administrator.
15. Verify the test returns "Successfully connected to the LDAP server".

 
Result
QRadar is now able to connect to the LDAP server by using a basic unencrypted LDAP configuration. If the test connection did not connect, the administrators must reach out to their LDAP Administrator and verify the parameters match and the network allows the QRadar Console to connect.
If QRadar is not able to connect after the parameters and network were verified, contact QRadar Support for assistance.

2. Configure the SSL certificates

Note: In the following steps, all the certificates that belong to the chain of trust (Server, Intermediate CA, and Root CA certificates) for the actual LDAP server are needed. The administrators must request all the certificate files from the LDAP Administrator in base64-encoded format.

1. Log in to the QRadar Console CLI as the root user.
2. Copy the SSL LDAP Server certificate to the /opt/qradar/conf/trusted_certificates/ directory. Optionally, extract the Server certificate by running the following command:
 
openssl s_client -connect <LDAP Server IP or FQDN>:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform pem > ldap_server.pem
Note: The previous command can only be used to extract the LDAP Server certificate. The Intermediate (when present) and Root CA certificates must be provided by the LDAP Server administrator to build the chain of trust.
3. Verify that the FQDN in the Server URL parameter exactly matches an entry under Subject Alternative Name in the certificate.
Note: This value is case-sensitive. If the FQDN in the Server URL does not exactly match the entry in the certificate, the administrator can either change the FQDN in the Server URL or request a matching certificate from the LDAP Administrator.
 
openssl x509 -in /opt/qradar/conf/trusted_certificates/<LDAP Server certificate> -noout -text | grep -A 1 'Subject Alternative Name'
Example:
openssl x509 -in /opt/qradar/conf/trusted_certificates/ldap_server.pem -noout -text | grep -A 1 'Subject Alternative Name'
X509v3 Subject Alternative Name:
    DNS:ldap.test.com, DNS:test.com, DNS:TEST
4. Copy the Root and Intermediate CA certificates to the /etc/pki/ca-trust/source/anchors/ directory.
5. Move into the /etc/pki/ca-trust/source/anchors/ directory.
 
cd /etc/pki/ca-trust/source/anchors/
6. Confirm the complete chain of trust for the LDAP server was copied:
  1. If the chain of trust does not contain an Intermediate certificate, run:

    openssl verify -CAfile <Root CA certificate> /opt/qradar/conf/trusted_certificates/<LDAP Server certificate>
  2. If the chain of trust contains intermediate certificates, run:
     
    openssl verify -CAfile <Root CA certificate> -untrusted <Intermediate CA certificate> /opt/qradar/conf/trusted_certificates/<LDAP Server Cert>
  3. Verify the output returned is "OK".
     
    openssl verify -CAfile /etc/pki/ca-trust/source/anchors/RootCA.cer /opt/qradar/conf/trusted_certificates/ldap_server.pem
    /opt/qradar/conf/trusted_certificates/ldap_server.pem: OK
7. Run the command "update-ca-trust" to add the certificates to the QRadar truststore.
 
update-ca-trust
Result
The required certificates are now imported in QRadar and can be used for SSL configuration. If the verification of the chain of trust does not report OK, the administrator must reach out to the LDAP administrator and verify all the certificates are correct.
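The following pre-flight check, an added example that is not part of this technote or of QRadar, automates the exact-match SAN comparison from step 3 above and also flags a Server URL whose port does not fit its scheme (389/3268 for ldap://, 636/3269 for ldaps://, as used in sections 1 and 3). The SAN text is constructed from the example output above; the function names are this example's own.

```python
"""Check a QRadar LDAP(S) Server URL against the SAN list of the server certificate,
as printed by: openssl x509 -in <cert> -noout -text | grep -A 1 'Subject Alternative Name'
"""
from urllib.parse import urlsplit

# Ports this technote uses for each scheme (3268/3269 are the Global Catalog ports).
EXPECTED_PORTS = {"ldap": {389, 3268}, "ldaps": {636, 3269}}

# Constructed sample: the openssl output shown in step 3 of this technote.
SAN_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:ldap.test.com, DNS:test.com, DNS:TEST
"""


def parse_server_url(url):
    """Return (scheme, host, port) for a URL such as ldaps://ldap.test.com:3269.
    The host is taken from netloc so its original case is preserved."""
    parts = urlsplit(url)
    if parts.scheme not in EXPECTED_PORTS or not parts.netloc:
        raise ValueError(f"unsupported or malformed Server URL: {url}")
    if ":" in parts.netloc:
        host, port_text = parts.netloc.rsplit(":", 1)
        port = int(port_text)
    else:  # no explicit port: assume the standard port for the scheme
        host, port = parts.netloc, (389 if parts.scheme == "ldap" else 636)
    return parts.scheme, host, port


def parse_san_dns(text):
    """Extract the DNS: entries from the openssl Subject Alternative Name output."""
    names = []
    for line in text.splitlines():
        for entry in line.split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                names.append(entry[len("DNS:"):])
    return names


def check_server_url(url, san_text):
    """Return a list of findings; an empty list means the URL is ready for LDAPS."""
    findings = []
    scheme, host, port = parse_server_url(url)
    if port not in EXPECTED_PORTS[scheme]:
        findings.append(f"port {port} is not a usual {scheme} port {sorted(EXPECTED_PORTS[scheme])}")
    names = parse_san_dns(san_text)
    if host not in names:  # exact, case-sensitive comparison, as the technote requires
        near = [n for n in names if n.lower() == host.lower()]
        if near:
            findings.append(f"host {host!r} differs only in case from SAN entry {near[0]!r}")
        else:
            findings.append(f"host {host!r} is not listed in the SAN entries {names}")
    return findings
```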

3. Configure LDAPS

The following parameters can be used as guidance to configure an LDAPS Repository in QRadar.
1. Log in to the QRadar Console WebUI as the administrator user.
2. On the Admin tab, click Authentication.
3. Click Authentication Module Settings.
4. From the Authentication Module list, select the required LDAP repository, then Edit.
5. Update the Server URL parameter to use the ldaps:// protocol and specify an LDAP over SSL encrypted port (636 or Global catalog port 3269). An example of a Server URL might be: ldaps://ldap.test.com:3269.
Note: This value is case-sensitive. If the FQDN in the Server URL does not exactly match the entry in the certificate, the administrator can either change the FQDN in the Server URL or request a matching certificate from the LDAP Administrator.
6. In the Encryption field, select LDAPS.
7. Click "Test Connection" and type only the username (without the domain\) used in the Login DN field.
8. Verify the test returns "Successfully connected to the LDAP server".

9. Click Save to save the settings.
10. In the Authentication Module Settings, click Save Authentication Module.
11. On the Admin tab, click Deploy Changes.
Result
QRadar is now able to authenticate to the LDAP server by using SSL encryption. If the test connection did not connect, the administrators must reach out to their LDAP Administrator and verify the parameters match and the network allows the QRadar Console to connect.
If QRadar is not able to connect after the parameters and network were verified, contact QRadar Support for assistance.

Document Location

Worldwide


Document Information

Modified date:
17 June 2022

UID

ibm16568197