IBM Support

QRadar: Configuring a Disconnected Log Collector (DLC) with OpenSSL v3

Troubleshooting


Problem

Administrators can experience an issue where DLC services do not start as expected after an OpenSSL v3 certificate is installed. When this issue occurs, the DLC cannot validate the certificate on systems with Red Hat version 9. The cause is the default encryption algorithm, AES-256-CBC with PBKDF2 for key derivation. This technical note describes how to use the '-legacy' option to generate the pfx file and resolve the DLC certificate issue.

Resolving The Problem

Before you begin

Procedure
  1. Use SSH to log in to the Disconnected Log Collector.
  2. Navigate to the /opt/ibm/si/services/dlc/keystore/<UUID>/ directory. The folder contains the signed certificate that was converted and the key file associated with the certificate request.
  3. Optional. Certificates in DER format must be converted to a PEM file with the following command:
    openssl x509 -inform der -in yourcert.crt -out dlc-client.pem
  4. Generate the pfx file with the legacy option. For example:
    openssl pkcs12 -export -legacy -out dlc-client.pfx -inkey dlc-client.key -in dlc-client.pem -password pass:your_unencrypted_password
  5. To set the correct owner on the pfx file, type: 
    chown root:dlc dlc-client.pfx
  6. To set read access on the file, type:
    chmod +r dlc-client.pfx
  7. Copy the dlc-client.pfx file to the /opt/ibm/si/services/dlc/keystore folder.
    Note: This file location is one level up from the location in step 2 of this procedure. You must copy the pfx file to the correct directory.
  8. Type the following command to restart the DLC service:
    systemctl restart dlc

    Results
    After the service restarts, you can set up your destination on the Disconnected Log Collector. If you continue to experience issues with the DLC service, contact QRadar Support for further assistance.

Document Location

Worldwide


Document Information

Modified date:
28 June 2023

UID

ibm17008035