Upgrading QRadar Suite Software

If you have IBM Security QRadar® Suite Software 1.8 or later installed, you can upgrade to the latest 1.10 version.

Before you begin

To complete this task, you must be a Red Hat® OpenShift® cluster administrator.

Install the command-line interface (CLI) utility cpctl from the cp-serviceability pod. For more information, see Installing the cpctl utility.

Important: Red Hat OpenShift Container Platform 4.10.x is no longer supported. You must upgrade to 4.12.x or 4.14.x before you upgrade QRadar Suite Software.

Install Red Hat OpenShift CLI 4.12 or later

The Red Hat OpenShift CLI client helps you develop, build, deploy, and run your applications on any Red Hat OpenShift or Kubernetes cluster. It also includes the administrative commands for managing a cluster under the adm subcommand.

Procedure

  1. Download Red Hat OpenShift CLI 4.12 or later from https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/stable-4.12/. The file to download is called openshift-client-<platform>-<version>.tar.gz.
  2. Extract the binary file that you downloaded by typing the following command, where <oc_cli_archive_file> is the name of the archive file that you downloaded.
    tar -xf <oc_cli_archive_file>
  3. Modify the permissions of the binary file by typing the following command, where <oc_cli_binary> is the name of the Red Hat OpenShift binary that you extracted from the archive.
  4. Move the binary file to the /usr/local/bin directory by typing the following command.
    mv <oc_cli_binary> /usr/local/bin/oc
    Tip: If this command returns a No such file or directory or Not a directory error message, create the /usr/local/bin directory by typing the following command.
    sudo mkdir /usr/local/bin
  5. Ensure that the Red Hat OpenShift CLI client is working by typing the following command.
    oc version
    Tip: macOS users might see a message that this tool cannot be opened because it is from an unidentified developer. Close this message and go to System Preferences > Security & Privacy. On the General tab, click Open Anyway or Allow Anyway. Repeat the oc version command.

Preparing to upgrade

When you're preparing for an upgrade, it's important to schedule a maintenance window that won't disrupt users, and review the documentation for any known issues or new features that might impact the upgrade process.

Procedure

  1. Schedule a maintenance window for the upgrade.
  2. Review what's new and known issues.
  3. Log in to your Red Hat OpenShift Container Platform cluster as a cluster administrator by typing one of the following commands, where <openshift_url> is the URL for your Red Hat OpenShift Container Platform environment.
    • Using a username and password.
      oc login <openshift_url> -u <cluster_admin_user> -p <cluster_admin_password>
    • Using a token.
      oc login --token=<token> --server=<openshift_url>
  4. To ensure that the list of available cpctl actions is up to date, enter the following command.
    cpctl load
    The cpctl load command retrieves all of the available actions that can be run on QRadar Suite Software. The actions are cached to your local environment.
  5. Ensure that QRadar Suite Software is in a good state.
    1. Verify that all nodes are running by typing the following command.
      oc get nodes
    2. Verify that all pods are running by typing the following command.
      cpctl diagnostics check_deployment
  6. If you previously installed QRadar Suite Software and changed the resource allocations for SOAR, these allocations are no longer suitable. Change the resource allocations by running the following commands:
    oc exec -ti deploy/cp-serviceability -- /opt/bin/modify_deployment -a casesapplication -k soar-application -p jvm_opts:"-Xms3g -Xmx3g -XX:MaxDirectMemorySize=400m -Xdisableexplicitgc -XX:ConcGCThreads=4 -XX:ParallelGCThreads=4 -XX:ActiveProcessorCount=4 -XX:HeapDumpPath=/var/jvm"
    oc exec -ti deploy/cp-serviceability -- /opt/bin/modify_deployment -a casesapplication -k soar-application -r requests.cpu:250m -r requests.memory:3584Mi -r limits.memory:3584Mi -r limits.cpu:2000m
  7. Back up your QRadar Suite Software data. For more information, see Backup and restore.
  8. Choose one of the following upgrade methods.
    • Red Hat OpenShift web console.
    • Red Hat OpenShift CLI.
    • CASE or IBM Cloud catalog installation method.
    • A later 1.10 release when your approval strategy is set to Manual.

Upgrading by using the Red Hat OpenShift web console

Before you begin

Make sure you have installed Red Hat OpenShift CLI 4.12 or later.

Procedure

  1. Verify that foundational services is set to v3.
    1. Go to Operators > Installed Operators and ensure that the Project is set to ibm-common-services.
    2. In the list of installed operators, click IBM Cloud Pak Foundational Services.
    3. On the Subscription tab, verify that Update channel is set to v3.
  2. If Update channel is set to v3, follow these steps to complete the upgrade.
    1. Go to Operators > Installed Operators and ensure that the Project is set to the namespace where QRadar Suite Software is installed.
    2. In the list of installed operators, click IBM Cloud Pak for Security.
    3. On the Subscription tab, change the channel to v1.10.
    4. Go back to Operators > Installed Operators, click IBM Cloud Pak for Security, and check whether the version number has been updated to 1.10.23.
  3. If Update channel is not set to v3, follow these steps on the command line to complete the upgrade.
    1. Log in to your Red Hat OpenShift Container Platform cluster as a cluster administrator by typing one of the following commands, where <openshift_url> is the URL for your Red Hat OpenShift Container Platform environment.
      • Using a username and password.
        oc login <openshift_url> -u <cluster_admin_user> -p <cluster_admin_password>
      • Using a token.
        oc login --token=<token> --server=<openshift_url>
    2. Set the $CP4S_NAMESPACE environment variable by typing the following command, where <cp4s_namespace> is the namespace where you are installing QRadar Suite Software.
      export CP4S_NAMESPACE=<cp4s_namespace>
    3. Set the $FS_NAMESPACE environment variable to your foundational services namespace by typing the following command.
      export FS_NAMESPACE=$(oc get cm cp4s-config -o jsonpath="{.data.CSNamespace}" -n $CP4S_NAMESPACE)
    4. Update the serviceability pod to the latest version by typing the following command.
      oc delete pod -lrun=cp-serviceability

      When the serviceability pod is ready, proceed to the next step. The following example output shows that the serviceability pod is ready.

      NAME                READY   UP-TO-DATE   AVAILABLE   AGE
      cp-serviceability   1/1     1            1           4d3h
    5. Roll foundational services back to an earlier version and complete the upgrade by typing the following command.
      oc exec deploy/cp-serviceability -- /opt/bin/cs_rollback --channel v1.10 $(oc whoami -t) ${CP4S_NAMESPACE} $FS_NAMESPACE

      When the output of this command shows ibm-cp-security-operator updated, the upgrade is complete. The following example output shows that the upgrade is complete.

      {"level":"info","ibm_datetime":"2022-09-27T12:17:20.509Z","caller":"misc/cleanup.go:332","message":"Deleted","Kind":"operator.ibm.com/v1alpha1, Kind=OperandBindInfo","Name":"ibm-licensing-bindinfo"}
      ...
      ...
      {"level":"info","ibm_datetime":"2022-09-27T12:19:24.882Z","caller":"main/main.go:281","message":"ibm-cp-security-operator updated, waiting for install"}
    6. Verify that foundational services is set to v3 by typing the following command.
      oc get sub -n $FS_NAMESPACE ibm-common-service-operator -o jsonpath='{.spec.channel}{"\n"}'
    7. Verify that foundational services is version 3.19.x, IBM NamespaceScope Operator is 1.17.x, and that QRadar Suite Software is 1.10.23 by typing the following command.
      oc get csv | grep -E "foundations|ibm-cp-security|common-service|namespace"
  4. Verify that the upgrade is complete.
    1. Log in to your QRadar Suite Software console.
    2. Click your user icon, then About.
    3. Verify that the version number displayed is 1.10.23.

What to do next

If you are going to upgrade Red Hat OpenShift Container Platform, you must verify that Knative serving is set to use two replicas.

If you have connectors from the IBM® X-Force® Exchange / App Exchange, you must reinstall your connectors to avoid compatibility issues when QRadar Suite Software is updated. For more information, see Installing or updating a connector.

If you have connectors that are included in the QRadar Suite Software release package, they are automatically updated when QRadar Suite Software is updated.

Upgrading by using the Red Hat OpenShift CLI

Before you begin

Make sure you have installed Red Hat OpenShift CLI 4.12 or later.

Procedure

  1. Log in to your Red Hat OpenShift Container Platform cluster as a cluster administrator by typing one of the following commands, where <openshift_url> is the URL for your Red Hat OpenShift Container Platform environment.
    • Using a username and password.
      oc login <openshift_url> -u <cluster_admin_user> -p <cluster_admin_password>
    • Using a token.
      oc login --token=<token> --server=<openshift_url>
  2. Set the $CP4S_NAMESPACE environment variable by typing the following command, where <cp4s_namespace> is the namespace where you are installing QRadar Suite Software.
    Important: If you installed QRadar Suite Software in all namespace mode, then set the <cp4s_namespace> value as openshift-operators.
    export CP4S_NAMESPACE=<cp4s_namespace>
  3. Set the $FS_NAMESPACE environment variable to your foundational services namespace by typing the following command.
    export FS_NAMESPACE=$(oc get cm cp4s-config -o jsonpath="{.data.CSNamespace}" -n $CP4S_NAMESPACE)
  4. Verify that foundational services is set to v3 by typing the following command.
    oc get sub -n $FS_NAMESPACE ibm-common-service-operator -o jsonpath='{.spec.channel}{"\n"}'
  5. If the output of the command is v3, complete the upgrade by typing the following command.
    oc patch sub ibm-cp-security-operator --type merge -p '{"spec":{"channel":"v1.10"}}' -n $CP4S_NAMESPACE
  6. If the output of the command is not v3, follow these steps.
    1. Update the serviceability pod to the latest version by typing the following command.
      oc delete pod -lrun=cp-serviceability

      When the serviceability pod is ready, proceed to the next step. The following example output shows that the serviceability pod is ready.

      NAME                READY   UP-TO-DATE   AVAILABLE   AGE
      cp-serviceability   1/1     1            1           4d3h
    2. Roll foundational services back to an earlier version and complete the upgrade by typing the following command.
      oc exec deploy/cp-serviceability -- /opt/bin/cs_rollback --channel v1.10 $(oc whoami -t) ${CP4S_NAMESPACE} $FS_NAMESPACE

      When the output of this command shows ibm-cp-security-operator updated, the upgrade is complete. The following example output shows that the upgrade is complete.

      {"level":"info","ibm_datetime":"2022-09-27T12:17:20.509Z","caller":"misc/cleanup.go:332","message":"Deleted","Kind":"operator.ibm.com/v1alpha1, Kind=OperandBindInfo","Name":"ibm-licensing-bindinfo"}
      ...
      ...
      {"level":"info","ibm_datetime":"2022-09-27T12:19:24.882Z","caller":"main/main.go:281","message":"ibm-cp-security-operator updated, waiting for install"}
    3. Verify that foundational services is set to v3 by typing the following command.
      oc get sub -n $FS_NAMESPACE ibm-common-service-operator -o jsonpath='{.spec.channel}{"\n"}'
    4. Verify that foundational services is version 3.19.x, IBM NamespaceScope Operator is 1.17.x, and that QRadar Suite Software is 1.10.23 by typing the following command.
      oc get csv | grep -E "foundations|ibm-cp-security|common-service|namespace"
  7. Verify that the upgrade is complete.
    1. Log in to your QRadar Suite Software console.
    2. Click your user icon, then About.
    3. Verify that the version number displayed is 1.10.23.
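
The version verification in the rollback steps of the web console and CLI procedures can be turned into a pass/fail gate. The following is an added example, not part of IBM's documentation or tooling: the function name check_csv_versions is hypothetical, it assumes each CSV name has the form <operator name>.v<version>, and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not IBM's tooling): gate on the versions named in the
# verification step. Feed it three columns per CSV, for instance from
#   oc get csv -n "$CP4S_NAMESPACE" --no-headers \
#     -o custom-columns=NAME:.metadata.name,VERSION:.spec.version,PHASE:.status.phase
# Assumption: each CSV name is "<operator name>.v<version>".

check_csv_versions() {
  awk '
    BEGIN {
      # Expected versions from the page; a trailing dot means "any x release".
      want["ibm-common-service-operator"]  = "3.19."
      want["ibm-namespace-scope-operator"] = "1.17."
      want["ibm-cp-security-operator"]     = "1.10.23"
    }
    {
      for (op in want) {
        if (index($1, op ".") != 1) continue
        seen[op] = 1
        if (want[op] ~ /\.$/) ok = (index($2, want[op]) == 1)
        else                  ok = ($2 == want[op])
        if (!ok) { printf "FAIL %s is %s, want %s\n", op, $2, want[op]; bad = 1 }
        if ($3 != "Succeeded") { printf "FAIL %s phase is %s\n", op, $3; bad = 1 }
      }
    }
    END {
      # An operator that never appeared is also a failure.
      for (op in want)
        if (!(op in seen)) { printf "FAIL %s not found\n", op; bad = 1 }
      exit bad + 0
    }
  '
}

# Constructed sample input; the x-level versions are made up.
SAMPLE_OK='ibm-common-service-operator.v3.19.20 3.19.20 Succeeded
ibm-namespace-scope-operator.v1.17.5 1.17.5 Succeeded
ibm-cp-security-operator.v1.10.23 1.10.23 Succeeded'

# Constructed: operator below 1.10.23 and still installing, NamespaceScope missing.
SAMPLE_STALE='ibm-common-service-operator.v3.19.20 3.19.20 Succeeded
ibm-cp-security-operator.v1.10.22 1.10.22 Installing'

printf '%s\n' "$SAMPLE_OK" | check_csv_versions && echo "all versions match"
printf '%s\n' "$SAMPLE_STALE" | check_csv_versions || echo "upgrade not complete"
```

A nonzero exit status means at least one operator is missing, at the wrong version, or not in the Succeeded phase, so the console check in the final step is likely to show an older version.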

What to do next

If you are going to upgrade Red Hat OpenShift Container Platform, you must verify that Knative serving is set to use two replicas.

If you have connectors from the IBM X-Force Exchange / App Exchange, you must reinstall your connectors to avoid compatibility issues when QRadar Suite Software is updated. For more information, see Installing or updating a connector.

If you have connectors that are included in the QRadar Suite Software release package, they are automatically updated when QRadar Suite Software is updated.

Upgrading by using the CASE or IBM Cloud catalog installation method

Before you begin

Gather the following information from the QRadar Suite Software instance that you are upgrading.

Important: During any of the installation procedures, you must use the same value that you have in your current QRadar Suite Software deployment for the following parameters.

Table 1. QRadar Suite Software parameters

  • namespace: The namespace where QRadar Suite Software is installed.
  • adminUser: The admin user ID set during the QRadar Suite Software installation. Verify the value by typing the following command.
      oc get cp4sthreatmanagement.isc.ibm.com/threatmgmt -o jsonpath='{.spec.basicDeploymentConfiguration.adminUser}' -n <cp4s_namespace>
  • domain: Retrieve the current domain that is used by QRadar Suite Software by typing the following command.
      oc get cp4sthreatmanagement.isc.ibm.com/threatmgmt -o jsonpath='{.spec.basicDeploymentConfiguration.domain}' -n <cp4s_namespace>
  • storageClass: Set the storage class to the same storage class that is used in QRadar Suite Software, which is typically the default storage class. Verify the default storage class in the cluster by typing the following command.
      oc get cp4sthreatmanagement.isc.ibm.com/threatmgmt -o jsonpath='{.spec.basicDeploymentConfiguration.storageClass}' -n <cp4s_namespace>
  • roksAuthentication: If you are using an IBM Cloud® cluster, set the value of the roksAuthentication parameter to the same value that you used when you installed QRadar Suite Software. Verify the value that you used by typing the following command.
      oc get cp4sthreatmanagement.isc.ibm.com/threatmgmt -o jsonpath='{.spec.extendedDeploymentConfiguration.roksAuthentication}' -n <cp4s_namespace>
    Important: If you enable roksAuthentication, you cannot revert to using a different type of identity provider after the upgrade.
  • CSNamespace: The namespace where foundational services is currently installed. Verify this value by typing the following command.
      oc get cm cp4s-config -o jsonpath="{.data.CSNamespace}" -n <cp4s_namespace>

Procedure

  1. Upgrade IBM Security QRadar Suite Software to 1.10 by following one of these installation procedures.
  2. Verify that the upgrade is complete.
    1. Log in to your QRadar Suite Software console.
    2. Click your user icon, then About.
    3. Verify that the version number displayed is 1.10.23.

What to do next

If you are going to upgrade Red Hat OpenShift Container Platform, you must verify that Knative serving is set to use two replicas.

If you have connectors from the IBM X-Force Exchange / App Exchange, you must reinstall your connectors to avoid compatibility issues when QRadar Suite Software is updated. For more information, see Installing or updating a connector.

If you have connectors that are included in the QRadar Suite Software release package, they are automatically updated when QRadar Suite Software is updated.

Upgrading to a later 1.10 release when your approval strategy is set to Manual

If your approval strategy is set to Manual, you must approve any upgrades before you can upgrade to later 1.10 releases.

Before you begin

Make sure you have installed Red Hat OpenShift CLI 4.12 or later.

Procedure

  1. Log in to your Red Hat OpenShift Container Platform cluster as a cluster administrator by typing one of the following commands, where <openshift_url> is the URL for your Red Hat OpenShift Container Platform environment.
    • Using a username and password.
      oc login <openshift_url> -u <cluster_admin_user> -p <cluster_admin_password>
    • Using a token.
      oc login --token=<token> --server=<openshift_url>
  2. Set the $CP4S_NAMESPACE environment variable by typing the following command, where <cp4s_namespace> is the namespace where you are installing QRadar Suite Software.
    Important: If you installed QRadar Suite Software in all namespace mode, then set the <cp4s_namespace> value as openshift-operators.
    export CP4S_NAMESPACE=<cp4s_namespace>
  3. Approve the upgrade by typing the following command.
    oc exec -ti deploy/cp-serviceability -n $CP4S_NAMESPACE -- /opt/bin/olm_check --fix=Approval --token "$(oc whoami -t)"
  4. If your foundational services approval strategy is also set to Manual, type the following commands to approve upgrading it.
    export FS_NAMESPACE=$(oc get cm cp4s-config -o jsonpath="{.data.CSNamespace}" -n $CP4S_NAMESPACE)
    oc exec -ti deploy/cp-serviceability -n $FS_NAMESPACE -- /opt/bin/olm_check --fix=Approval --token "$(oc whoami -t)"