IBM Support

Sourcefire Defense Center Certificate Import for QRadar

Question & Answer


Question

How do I properly import certificates from my Estreamer device to QRadar?

Answer

QRadar can import pkcs12 certificates created by Sourcefire Defense Center appliances using the /opt/qradar/bin/estreamer-cert-import.pl script.

The script outputs the location of the keystore and truststore files it imported. If the -o option is not specified to provide a unique name for the files, the estreamer-cert-import.pl script creates the files estreamer.truststore and estreamer.keystore in the /opt/qradar/conf directory.

Note: If you only have one Estreamer device, there is no reason to use the -o option.

If the -o option is used to specify a unique keystore or truststore name, then the Log Source configuration must be updated, because the default values in the Keystore Filename field and the Truststore Filename field use the default estreamer name. If the log source is not updated to point to the correct name, the user interface reports that it cannot find the certificate files.

IMPORTANT:
The RPM must be installed on the Console, but the script (/opt/qradar/bin/estreamer-cert-import.pl) must be run ON THE EVENT COLLECTOR that will be doing the collection. It is also the IP address of that Event Collector that must be configured in Estreamer. If you are using an all-in-one appliance then running it locally is fine, but if a separate collector is in use, then the script must be run on the collector and the collector's IP address configured in Estreamer.

Verify script md5sum:
2961476b24ac87e601a9533c98bf7fdf /opt/qradar/bin/estreamer-cert-import.pl

=================================================================
Sample outputs of various scenarios

Basic setup, no custom prefix, no password in certificate file (MOST COMMON CONFIG)

[root@baron ~]# /opt/qradar/bin/estreamer-cert-import.pl -f 172.16.160.156_nopass.pkcs12
Successfully generated truststore file [/opt/qradar/conf/estreamer.truststore].
Successfully generated keystore file [/opt/qradar/conf/estreamer.keystore].

The UI must point to the files in /opt/qradar/conf, but they must also exist in /opt/qradar/conf/trusted_certificates/ (the script copies them there for you).

[root@baron ~]# ls -l /opt/qradar/conf/estreamer.*
-rw-r--r-- 1 root root 3191 Feb 21 13:44 /opt/qradar/conf/estreamer.keystore
-rw-r--r-- 1 root root 971 Feb 21 13:44 /opt/qradar/conf/estreamer.truststore

[root@baron ~]# ls -l /opt/qradar/conf/trusted_certificates/estreamer.*
-rw-r--r-- 1 root root 3191 Feb 21 13:44 /opt/qradar/conf/trusted_certificates/estreamer.keystore
-rw-r--r-- 1 root root 971 Feb 21 13:44 /opt/qradar/conf/trusted_certificates/estreamer.truststore

With this setup the default values in the UI already match these locations; it should be used whenever possible to minimize the chance of error.

===============================================================================

Was the Estreamer client certificate created with a password? Although the documentation does not specify to do so, if it was, -p must be used with the same password that was used to create it.

Example:

[root@baron ~]# /opt/qradar/bin/estreamer-cert-import.pl -f 172.16.160.156.pkcs12
ERROR: Invalid password converting pkcs12 file [172.16.160.156.pkcs12].
If the certificate was created with a password please use the -p option and specify the password used when creating the client certificate on the Estreamer device.
See /opt/qradar/bin/estreamer-cert-import.pl -h for more details.

Pass in the password option:
[root@baron ~]# /opt/qradar/bin/estreamer-cert-import.pl -f 172.16.160.156.pkcs12 -p 123
Successfully generated truststore file [/opt/qradar/conf/estreamer.truststore].
Successfully generated keystore file [/opt/qradar/conf/estreamer.keystore].

==============================================================================

Same with custom prefixes:

[root@baron ~]# /opt/qradar/bin/estreamer-cert-import.pl -f 172.16.160.156.pkcs12 -p 123 -o myestreamer
Successfully generated truststore file [/opt/qradar/conf/myestreamer.truststore].
Successfully generated keystore file [/opt/qradar/conf/myestreamer.keystore].

===============================================================================

Unprivileged user:

[test@baron ~]$ /opt/qradar/bin/estreamer-cert-import.pl -f 172.16.160.156.pkcs12 -p 123 -o myestreamer
ERROR: Failed to create truststore file [/opt/qradar/conf/myestreamer.truststore]. Please ensure the current user has write access to [/opt/qradar/conf].

================================================================================

"su -":

[root@baron ~]# /opt/qradar/bin/estreamer-cert-import.pl -f 172.16.160.156.pkcs12 -p 123 -o myestreamer
Successfully generated truststore file [/opt/qradar/conf/myestreamer.truststore].
Successfully generated keystore file [/opt/qradar/conf/myestreamer.keystore].

=================================================================================

"su":

[root@baron test]# /opt/qradar/bin/estreamer-cert-import.pl -f 172.16.160.156.pkcs12 -p 123 -o myestreamer
Successfully generated truststore file [/opt/qradar/conf/myestreamer.truststore].
Successfully generated keystore file [/opt/qradar/conf/myestreamer.keystore].
[root@baron test]#

==================================================================================

-o and -p specified with debug output:

[root@baron test]# /opt/qradar/bin/estreamer-cert-import.pl -f 172.16.160.156.pkcs12 -p 123 -o myestreamer -d
DEBUG: /opt/qradar/bin/estreamer-cert-import.pl Version 1.0
DEBUG: Creating backup of [/opt/qradar/conf/myestreamer.truststore] before creating new file.
DEBUG: Backup of [/opt/qradar/conf/myestreamer.truststore] to [/opt/qradar/conf/myestreamer.truststore.old] complete.
DEBUG:
DEBUG: Truststore import: Certificate was added to keystore

Successfully generated truststore file [/opt/qradar/conf/myestreamer.truststore].
DEBUG: PKCS12 file [172.16.160.156.pkcs12] is being repackaging to [Client.pkcs12] with default password of [estreamer] for keystore import.
DEBUG: MAC verified OK

DEBUG:
DEBUG: Creating backup of [/opt/qradar/conf/myestreamer.keystore] before creating new file.
DEBUG: Backup of [/opt/qradar/conf/myestreamer.keystore] to [/opt/qradar/conf/myestreamer.keystore.old] complete.
DEBUG: Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

Successfully generated keystore file [/opt/qradar/conf/myestreamer.keystore].

Contents of Truststore:
=======================

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: defensecenter.pem
Creation date: Feb 21, 2012
Entry type: trustedCertEntry

Owner: O="Sourcefire, Inc.", T=InternalCA + OU=Intrusion Management System + CN=4632e000-10c9-11df-a380-89fe6d79698a
Issuer: O="Sourcefire, Inc.", T=InternalCA + OU=Intrusion Management System + CN=4632e000-10c9-11df-a380-89fe6d79698a
Serial number: 0
Valid from: Wed Nov 25 03:11:52 AST 2009 until: Sat Nov 23 03:11:52 AST 2019
Certificate fingerprints:
MD5: B1:70:F8:1F:6B:5A:5F:A3:06:9F:C5:9D:DC:3A:6C:14
SHA1: 8D:3B:27:72:75:33:F2:90:0E:B5:C8:60:D4:4A:B9:26:F4:AA:7A:1C
Signature algorithm name: SHA1withRSA
Version: 3

*******************************************
*******************************************

Contents of Keystore:
=======================

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: Feb 21, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: GENERATION=client, T=estreamer, O="Sourcefire, Inc.", OU=Intrusion Management System, CN=172.16.160.156
Issuer: O="Sourcefire, Inc.", T=InternalCA + OU=Intrusion Management System + CN=4632e000-10c9-11df-a380-89fe6d79698a
Serial number: 49
Valid from: Mon Feb 20 13:36:56 AST 2012 until: Fri Feb 18 13:36:56 AST 2022
Certificate fingerprints:
MD5: 07:EE:46:F3:B6:7A:E8:6B:D6:CE:A6:FC:A1:6C:43:C8
SHA1: E6:F5:DE:A1:93:01:F7:B8:C2:ED:C8:FE:07:6C:AF:07:7B:4C:F6:33
Signature algorithm name: MD5withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

#2: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: 172.16.160.156
]

Certificate[2]:
Owner: O="Sourcefire, Inc.", T=InternalCA + OU=Intrusion Management System + CN=4632e000-10c9-11df-a380-89fe6d79698a
Issuer: O="Sourcefire, Inc.", T=InternalCA + OU=Intrusion Management System + CN=4632e000-10c9-11df-a380-89fe6d79698a
Serial number: 0
Valid from: Wed Nov 25 03:11:52 AST 2009 until: Sat Nov 23 03:11:52 AST 2019
Certificate fingerprints:
MD5: B1:70:F8:1F:6B:5A:5F:A3:06:9F:C5:9D:DC:3A:6C:14
SHA1: 8D:3B:27:72:75:33:F2:90:0E:B5:C8:60:D4:4A:B9:26:F4:AA:7A:1C
Signature algorithm name: SHA1withRSA
Version: 3

*******************************************
*******************************************

DEBUG: Checking if [/opt/qradar/conf/trusted_certificates] exists.
DEBUG: Copying [/opt/qradar/conf/myestreamer.keystore] to [/opt/qradar/conf/trusted_certificates].
DEBUG: Copied [/opt/qradar/conf/myestreamer.keystore] to [/opt/qradar/conf/trusted_certificates].

DEBUG: Checking if [/opt/qradar/conf/trusted_certificates] exists.
DEBUG: Copying [/opt/qradar/conf/myestreamer.truststore] to [/opt/qradar/conf/trusted_certificates].
DEBUG: Copied [/opt/qradar/conf/myestreamer.truststore] to [/opt/qradar/conf/trusted_certificates].
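The scenarios above boil down to three things you can check on the Event Collector: write access to /opt/qradar/conf before the import, the script's md5sum, and afterwards the keystore/truststore pair present (and identical) in both /opt/qradar/conf and /opt/qradar/conf/trusted_certificates under the name the Log Source fields expect. The following bash functions are an added example, not part of IBM's script; the default paths and the "estreamer" prefix are taken from the article, and the md5sum value to compare against is passed in rather than hard-coded.

```bash
#!/bin/bash
# Added example (not IBM's script): pre-flight and post-import checks for the
# eStreamer keystore/truststore pair described in this article.
# Assumed defaults: conf_dir=/opt/qradar/conf, prefix=estreamer (or the -o value).

# Before running estreamer-cert-import.pl: the pkcs12 file must exist and the
# current user needs write access to conf_dir (the "Unprivileged user" failure above).
import_preflight() {
    local pkcs12="$1" conf_dir="${2:-/opt/qradar/conf}"
    [ -s "$pkcs12" ] || { echo "pkcs12 file not found: $pkcs12" >&2; return 1; }
    [ -w "$conf_dir" ] || { echo "no write access to $conf_dir (run as root)" >&2; return 1; }
}

# Optionally confirm the import script matches a known md5sum (the expected value
# comes from the article or from Support; it is not hard-coded here).
verify_script_md5() {
    local script="$1" expected="$2" actual
    actual=$(md5sum "$script" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# After the import: the UI reads <prefix>.keystore/.truststore from conf_dir, and the
# collector needs an identical copy under conf_dir/trusted_certificates.
verify_estreamer_stores() {
    local conf_dir="${1:-/opt/qradar/conf}" prefix="${2:-estreamer}" rc=0 f src copy
    for f in "$prefix.keystore" "$prefix.truststore"; do
        src="$conf_dir/$f"
        copy="$conf_dir/trusted_certificates/$f"
        if [ ! -s "$src" ]; then
            echo "MISSING or empty: $src (Log Source fields point here)" >&2; rc=1
        elif [ ! -s "$copy" ]; then
            echo "MISSING or empty: $copy (collector copy not present)" >&2; rc=1
        elif ! cmp -s "$src" "$copy"; then
            echo "STALE: $copy differs from $src (re-run the import)" >&2; rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "Log Source -> Keystore Filename:   $prefix.keystore"
        echo "Log Source -> Truststore Filename: $prefix.truststore"
    fi
    return "$rc"
}

# Example (run on the Event Collector): check the custom-prefix import from the article.
# import_preflight 172.16.160.156.pkcs12 && verify_estreamer_stores /opt/qradar/conf myestreamer
```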


Historical Number

2285

Document Information

Modified date:
10 May 2019

UID

swg21622760