Installing QRadar Suite Software by using the Red Hat OpenShift CLI

Install IBM Security QRadar® Suite Software in an environment with internet connectivity by using the Red Hat® OpenShift® CLI. Before you install, you create a namespace and a registry pull secret for the IBM Entitled Registry.

Before you begin

To complete this task, you must be a Red Hat OpenShift cluster administrator.

Review the Planning for installation section to make sure that you meet the hardware, system, storage and other requirements.

Before you install QRadar Suite Software, review and take the following prerequisite steps for a successful installation.

If you are planning to install IBM Cloud Pak foundational services in a custom namespace, create the common-service-maps configmap.

If you are installing a single instance of foundational services in a custom namespace, see Installing IBM Cloud Pak® foundational services in a custom namespace.

If you are installing multiple IBM Cloud® Paks with dependencies on different versions of foundational services on the same cluster, see Installing IBM Cloud Pak foundational services in multiple namespaces.

Gather the information needed to install QRadar Suite Software

Make sure you know the registry key and other information to successfully install QRadar Suite Software.

Table 1. Information needed to install QRadar Suite Software
Information needed Description
The IBM® Entitled Registry key

After you purchase a license for QRadar Suite Software, an entitlement for the Cloud Pak software is associated with your MyIBM account ID. You must have an entitlement key for the IBM Entitled Registry to install QRadar Suite Software by the online or air-gapped method that uses the IBM Entitled Registry. The value of the key is set in a parameter that is used during installation.

  1. Use the IBMid and the password that are associated with the entitled software to log in to the MyIBM Container Software Library.
  2. In the Container software library, from the menu bar, click Get entitlement key.
  3. In the Entitlement keys section, click Copy Key, and copy the key to a safe location.

You need the IBM Entitled Registry key during the installation process and it must continue to be valid through the entire lifecycle of the platform.

Important: If the IBM Entitled Registry key becomes invalid, you must create a new key in Passport Advantage® from a valid account and replace the key on QRadar Suite Software. If you do not replace the key on QRadar Suite Software, services fail.

The Fully Qualified Domain Name (FQDN) chosen for the QRadar Suite Software application
You must create a unique FQDN for the QRadar Suite Software platform. The FQDN must not be the same as the Red Hat OpenShift Container Platform cluster FQDN, the IBM Cloud Pak foundational services FQDN, or any other FQDN associated with the Red Hat OpenShift Container Platform cluster.
Tip: If your QRadar Suite Software platform is installed in one of the following environments, the FQDN of the Red Hat OpenShift Container Platform cluster is used with the TLS certificate for the platform FQDN.
  • IBM Cloud
  • Amazon Web Services (AWS)
  • Microsoft Azure
  • VMware
You can choose to create a unique FQDN for the QRadar Suite Software platform if you don't want to use the Red Hat OpenShift Container Platform cluster FQDN.
For more information about the FQDN requirements, see Domain name and TLS certificates.

Certificate Authority (CA) certificate, if required for the QRadar Suite Software application domain. For more information about certificates, see Domain name and TLS certificates.

The persistent storage and storage class to be used. For more information about the persistent storage required for QRadar Suite Software, see Storage requirements.

The user that you provide in the installation for the adminUser parameter to set the initial user in QRadar Suite Software. The adminUser must exist in your identity provider. If you are using LDAP for your identity provider, the adminUser must have the mail attribute in LDAP. If you are using IBM Security Verify for your identity provider, be aware that email addresses are case-sensitive.
Warning: Do not add a user with the username admin to your identity provider, as that might cause issues with other services on your cluster.

For more information about the adminUser, see Logging in to QRadar Suite Software as initial user.

Installing QRadar Suite Software by using the Red Hat OpenShift CLI

After you take the prerequisite steps, install IBM Security QRadar Suite Software in an environment with internet connectivity by using the Red Hat OpenShift CLI.

Procedure

  1. Log in to your Red Hat OpenShift Container Platform cluster as a cluster administrator by typing one of the following commands, where <openshift_url> is the URL for your Red Hat OpenShift Container Platform environment.
    • Using a username and password.
      oc login <openshift_url> -u <cluster_admin_user> -p <cluster_admin_password>
    • Using a token.
      oc login --token=<token> --server=<openshift_url>
  2. Set the $CP4S_NAMESPACE environment variable by typing the following command, where <cp4s_namespace> is the namespace where you are installing QRadar Suite Software.
    Important: If you install QRadar Suite Software in the all namespace mode, set the <cp4s_namespace> value as openshift-operators.
    export CP4S_NAMESPACE=<cp4s_namespace>
  3. Create the namespace for QRadar Suite Software by typing the following command.
    oc new-project $CP4S_NAMESPACE

    The namespace must meet the following criteria:

    • Contain only lowercase alphanumeric characters or -
    • Start and end with an alphanumeric character
    • Be a dedicated namespace for QRadar Suite Software
    • Not be default, kube-*, or openshift-*
  4. Create an image pull secret for the IBM Entitled Registry by typing the following command, where <password> is your IBM Entitled Registry key.
    oc create secret docker-registry "ibm-entitlement-key" -n $CP4S_NAMESPACE \
         "--docker-server=cp.icr.io" \
         "--docker-username=cp" \
         "--docker-password=<password>"
  5. If you are using your own domain and certificates, create a TLS secret.
    • If you are using a certificate from a trusted CA for your domain, create the TLS secret by typing the following command, where <path_to_certificate> is the path to the TLS certificate associated with your domain, and <path_to_key> is the path to the TLS key associated with your domain.
      oc create secret tls -n $CP4S_NAMESPACE isc-ingress-default-secret \
            --cert <path_to_certificate> \
            --key <path_to_key>
    • If you are using custom or self-signed certificates for your domain, create the TLS secret by typing the following command, where <path_to_CA> is the path to the custom TLS certificate associated with your domain, <path_to_certificate> is the path to the TLS certificate associated with your domain, and <path_to_key> is the path to the TLS key associated with your domain.
      oc create secret generic -n $CP4S_NAMESPACE isc-ingress-default-secret \
            --type=kubernetes.io/tls \
            --from-file=ca.crt=<path_to_CA> \
            --from-file=tls.crt=<path_to_certificate> \
            --from-file=tls.key=<path_to_key>
  6. Install the IBM Operator Catalog Source.
    1. Create a file called ibmCatalogSource.yaml.
    2. Paste the following text into the file.
      apiVersion: operators.coreos.com/v1alpha1
      kind: CatalogSource
      metadata:
          name: ibm-operator-catalog
          namespace: openshift-marketplace
      spec:
          displayName: ibm-operator-catalog
          publisher: IBM Content
          sourceType: grpc
          image: icr.io/cpopen/ibm-operator-catalog
          updateStrategy:
              registryPoll:
                  interval: 45m
    3. Create the IBM Operator catalog source by typing the following command.
      oc apply -f ibmCatalogSource.yaml
    4. Verify that the pod is running in the openshift-marketplace namespace by typing the following command.
      oc get pod -lolm.catalogSource=ibm-operator-catalog -n openshift-marketplace
  7. Install the QRadar Suite Software Operator.
    1. Create a file called operatorGroup.yaml.
    2. Paste the following text into the file.
      apiVersion: operators.coreos.com/v1
      kind: OperatorGroup
      metadata:
           name: cp4s-operator-group
           namespace: <cp4s_namespace>
      spec:
           targetNamespaces:
                - <cp4s_namespace>
    3. Create the QRadar Suite Software operator group by typing the following command.
      oc apply -f operatorGroup.yaml
    4. Verify that the QRadar Suite Software operator group is created by typing the following command.
      oc get og cp4s-operator-group -n $CP4S_NAMESPACE
    5. Create a file called subscription.yaml.
    6. Paste the following text into the file. Replace <operators_namespace> with either your QRadar Suite Software namespace for an isolated mode installation, or with openshift-operators for an installation where the QRadar Suite Software operators are available to all namespaces in the cluster.
      apiVersion: operators.coreos.com/v1alpha1
      kind: Subscription
      metadata:
           name: ibm-cp-security-operator
           namespace: <operators_namespace>
      spec:
           channel: v1.11
           installPlanApproval: Automatic
           name: ibm-cp-security-operator
           source: ibm-operator-catalog
           sourceNamespace: openshift-marketplace
    7. Create the QRadar Suite Software operator by typing the following command.
      oc apply -f subscription.yaml
      After a few seconds, the QRadar Suite Software operator is installed.
    8. Verify that the ClusterServiceVersion (CSV) for the operator is installed by typing the following command. Replace <operators_namespace> with either your QRadar Suite Software namespace or openshift-operators, according to your namespace choice used to apply the Operator Subscription in the previous step.
      oc get csv -n <operators_namespace> | grep ibm-cp-security-operator
      Wait until the output of this command shows Succeeded before you proceed to the next step.
    9. Verify that the operator is running by typing the following command.
      oc get pod -A -lname=ibm-cp-security-operator
  8. Install QRadar Suite Software Threat Management.
    1. Create a file called cp4sThreatManagement.yaml.
    2. Paste the following text into the file. Replace <username> with the username of the initial admin user and <cp4s_namespace> with your QRadar Suite Software namespace.
      apiVersion: isc.ibm.com/v2
      kind: CP4SThreatManagement
      metadata:
          name: threatmgmt
          namespace: <cp4s_namespace>
      spec:
          license:
              accept: true
          basicDeploymentConfiguration:
              adminUser: <username>
              domain: ""
              storageClass: ""
          extendedDeploymentConfiguration:
              airgapInstall: false
              clusterProxy: false
              backupStorageClass: ""
              backupStorageSize: ""
              imagePullPolicy: IfNotPresent
              repository: cp.icr.io/cp/cp4s
              repositoryType: entitled
          threatManagementCapabilities:
              deployDRC: true
              deployThreatInvestigator: true
    3. Use the information in the following table to set the parameters in cp4sThreatManagement.yaml.
      Table 2. QRadar Suite Software installation parameters
      Parameter | Description | Do you need to update this parameter?
      adminUser | The user that is to be given administrator privileges in the QRadar Suite Software System Administration account after installation. Specify a username or an email address that exists in your identity provider. | Yes
      airgapInstall | Set to false. | No
      clusterProxy | Set to true if you are installing in a cluster that is using a cluster-wide proxy. Set to false if you are not installing in a cluster that is using a cluster-wide proxy. Cluster-wide proxy is not supported in a disconnected environment. | No, unless you are installing in a cluster that is using a cluster-wide proxy.
      domain | The fully qualified domain name (FQDN) created for QRadar Suite Software. If you don't specify an FQDN, it is generated as cp4s.<cluster_ingress_subdomain>. | No, unless you want to specify your own FQDN.
      storageClass | The provisioned block or file storage class for all the PVCs required by QRadar Suite Software. When it is not specified, the default storage class is used. For more information, see Storage requirements. | No, unless you are using a storage class other than the default storage class for the cluster.
      backupStorageClass | Storage class for the backup and restore pod. If this value is not set, QRadar Suite Software takes the value from the storageClass parameter. | No, unless you are using a different storage class for the backup and restore pod than you set for the storageClass parameter.
      backupStorageSize | The storage size for the backup and restore PVC. Must be 500Gi or higher. | No, unless you need the storage size for the backup and restore pod to be greater than 500Gi.
      imagePullPolicy | The pull policy for the images. When Red Hat OpenShift creates containers, it uses the imagePullPolicy to determine whether to pull the container image from the registry before starting the container. Options are Always, IfNotPresent, or Never. | No
      repository | The IBM Entitled Registry from which the images are pulled. Must be set to cp.icr.io/cp/cp4s. | No
      deployDRC | Set to false to skip deployment of Detection and Response Center. | No, unless you don't want to deploy Detection and Response Center.
      deployThreatInvestigator | Set to false to skip deployment of Threat Investigator. | No, unless you don't want to deploy Threat Investigator.
    4. Create the QRadar Suite Software Threat Management by typing the following command.
      oc apply -f cp4sThreatManagement.yaml
    Important: Installation takes approximately 1.5 hours. When installation is complete, the latest version of IBM Cloud Pak foundational services and QRadar Suite Software 1.11.1 are installed.
  9. Verify QRadar Suite Software installation by typing the following command.
    oc get CP4SThreatManagement threatmgmt -n $CP4S_NAMESPACE -o jsonpath='{.status.conditions}'
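
The namespace criteria in step 3 and the pull secret in step 4 can be checked and prepared before anything is sent to the cluster. The following shell functions are an added example, not IBM's code; the function names and the usage shown in the comments are hypothetical, and the 63-character limit is the Kubernetes name limit rather than something this page states.

```shell
#!/bin/sh
# Added example: pre-flight helpers for steps 2-4. Function names are
# hypothetical; nothing in this block contacts a cluster.
export LC_ALL=C   # make the [a-z] ranges below match ASCII only

# valid_cp4s_namespace NAME [isolated|all]
# Applies the step 3 criteria. Mode "all" accepts only openshift-operators,
# the value step 2 requires for an all-namespaces installation.
valid_cp4s_namespace() {
    ns=$1
    if [ "${2:-isolated}" = all ]; then
        [ "$ns" = openshift-operators ]
        return
    fi
    case $ns in
        '' | *[!a-z0-9-]*) return 1 ;;              # lowercase alphanumerics or - only
        -* | *-) return 1 ;;                        # must start and end alphanumeric
        default | kube-* | openshift-*) return 1 ;; # reserved names
    esac
    [ "${#ns}" -le 63 ]   # Kubernetes length limit (not stated on the page)
}

# pull_secret_manifest NAMESPACE   (entitlement key on stdin)
# Prints a Secret manifest equivalent to the step 4 command. The key arrives
# on stdin, so it is never a command-line argument of oc.
pull_secret_manifest() {
    valid_cp4s_namespace "$1" || valid_cp4s_namespace "$1" all || return 1
    IFS= read -r key || [ -n "$key" ] || return 1
    case $key in
        '' | *[\"\\]*) return 1 ;;   # empty, or would corrupt the JSON below
    esac
    auth=$(printf 'cp:%s' "$key" | base64 | tr -d '\n')
    cfg=$(printf '{"auths":{"cp.icr.io":{"username":"cp","password":"%s","auth":"%s"}}}' \
        "$key" "$auth" | base64 | tr -d '\n')
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: ibm-entitlement-key\n'
    printf '  namespace: %s\ntype: kubernetes.io/dockerconfigjson\n' "$1"
    printf 'data:\n  .dockerconfigjson: %s\n' "$cfg"
    unset key auth cfg
}

# Typical use: read the key without echo, then pipe the manifest to oc.
#   stty -echo; IFS= read -r K; stty echo
#   printf '%s\n' "$K" | pull_secret_manifest "$CP4S_NAMESPACE" | oc apply -f -
```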

Results

The following message is displayed when installation is complete.
[{"lastTransitionTime":"<timestamp>","message":"Cloudpak for Security Deployment is successful","reason":"Deployment is complete","status":"True","type":"Success"}]

If the following message is displayed, follow the instructions in SOAR playbooks not available or SOAR automation limited to resolve the issue.

[{"lastTransitionTime":"<timestamp>","message":"SOAR automation functionality will be limited","reason":"Knative not Deployed","status":"True","type":"Degraded"}]
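
Because installation takes approximately 1.5 hours, the step 9 check is usually repeated until one of the two messages above appears. The following polling wrapper is an added example, not part of the IBM procedure; the function names, the 2-hour default timeout and the 60-second interval are assumptions, while the resource name and the Success and Degraded condition types are taken from the output above.

```shell
#!/bin/sh
# Added example: poll the step 9 status until it reports Success or Degraded.
# Function names and default timings are assumptions, not IBM values.

# install_state NAMESPACE
# Prints Success, Degraded or Pending. Degraded is checked first so that it
# is reported if both conditions are ever True at once (assumption).
install_state() {
    for type in Degraded Success; do
        status=$(oc get CP4SThreatManagement threatmgmt -n "$1" \
            -o jsonpath="{.status.conditions[?(@.type==\"$type\")].status}") || return 2
        if [ "$status" = True ]; then
            echo "$type"
            return 0
        fi
    done
    echo Pending
}

# wait_for_install NAMESPACE [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Returns 0 on Success, 3 on Degraded (see the SOAR troubleshooting topic),
# 1 on timeout, and 2 if oc itself failed, for example after a login expired.
wait_for_install() {
    timeout=${2:-7200} interval=${3:-60} waited=0
    while :; do
        state=$(install_state "$1") || return 2
        case $state in
            Success) return 0 ;;
            Degraded) return 3 ;;
        esac
        if [ "$waited" -ge "$timeout" ]; then return 1; fi
        sleep "$interval"
        waited=$((waited + interval))
    done
}

# Typical use after step 8:
#   wait_for_install "$CP4S_NAMESPACE"; echo "exit code: $?"
```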

What to do next

Postinstallation tasks