Installing QRadar Suite Software by using the Red Hat OpenShift CLI

Install IBM Security QRadar® Suite Software in an environment with internet connectivity by using the Red Hat® OpenShift® CLI. Before you install, you create a namespace and a Docker registry secret.

Before you begin

To complete this task, you must be a Red Hat OpenShift cluster administrator.

Review the Planning for installation section to ensure that you meet the hardware, system, storage, and other requirements.

  • You must have access to a Red Hat OpenShift Container Platform account with cluster administrator access.
    1. Log in to the Red Hat OpenShift Container Platform web console.
    2. In the Red Hat OpenShift Container Platform web console, go to Operators > OperatorHub.
    3. Scroll, or type the keyword Serverless into the Filter by keyword box to find the Red Hat OpenShift Serverless operator.
    4. Review the information about the operator and click Install.
    5. On the Install Operator page, set the following parameters.
      1. Set the Installation Mode to All namespaces on the cluster (default). This mode installs the operator in the default openshift-serverless namespace to be available to all namespaces in the cluster.
      2. Set the Installed Namespace to openshift-serverless.
      3. Select the stable channel as the Update Channel. The stable channel enables installation of the latest stable release of the Red Hat OpenShift Serverless operator.
      4. Select Automatic or Manual approval strategy.
    6. Click Install to make the operator available to the selected namespaces on this Red Hat OpenShift Container Platform cluster.
    7. Go to Operators > Installed Operators to monitor the Red Hat OpenShift Serverless operator installation and upgrade progress.
      • If you selected a Manual approval strategy, the subscription upgrade remains in the Upgrading state until you review and approve its install plan. After you approve the subscription upgrade on the Install Plan page, the subscription upgrade status moves to Up to date.
      • If you selected an Automatic approval strategy, the upgrade status resolves to Up to date without intervention.
    8. After the subscription upgrade status is Up to date, select Operators > Installed Operators to verify that the Red Hat OpenShift Serverless operator eventually shows up, and its Status ultimately resolves to Succeeded in the relevant namespace.
    1. Click the Import YAML icon () on the menu bar.
    2. On the Import YAML screen, add the following content.
      apiVersion: operator.knative.dev/v1beta1
kind: KnativeServing
metadata:
    name: knative-serving
    namespace: knative-serving
spec:
    high-availability:
        replicas: 2
    3. Click Create.

      After you install Knative Serving, the KnativeServing object is created, and you are automatically directed to the knative-serving custom resource. Knative Serving installation is complete if all of the conditions in the Conditions section show True. If the conditions have a status of Unknown or False, wait a few moments, and then check again after you confirm that the resources are created.

  • Table 1. Information needed to install QRadar Suite Software
    Information needed Description
    The IBM® Entitled Registry key

    After you purchase a license for QRadar Suite Software, an entitlement for the Cloud Pak software is associated with your MyIBM account ID. You must have an entitlement key for the IBM Entitled Registry to install QRadar Suite Software by the online or air-gapped method that uses the IBM Entitled Registry. The value of the key is set in a parameter that is used during installation.

    1. Use the IBMid and the password that are associated with the entitled software to log in to the MyIBM Container Software Library.
    2. In the Container software library, from the menu bar, click Get entitlement key.
    3. In the Entitlement keys section, click Copy Key, and copy the key to a safe location.

    You need the IBM Entitled Registry key during the installation process and it must continue to be valid through the entire lifecycle of the platform.

    Important: If the IBM Entitled Registry key becomes invalid, you must create a new key in Passport Advantage® from a valid account and replace the key on QRadar Suite Software. If you do not replace the key on QRadar Suite Software, services fail.
    The Fully Qualified Domain Name (FQDN) chosen for the QRadar Suite Software application
    You must create a unique FQDN for the QRadar Suite Software platform. The FQDN must not be the same as the Red Hat OpenShift Container Platform cluster FQDN, the IBM Cloud Pak foundational services FQDN, or any other FQDN associated with the Red Hat OpenShift Container Platform cluster.
    Tip: If your QRadar Suite Software platform is installed in one of the following environments, the FQDN of the Red Hat OpenShift Container Platform cluster is used with the TLS certificate for the platform FQDN.
    • IBM Cloud
    • Amazon Web Services (AWS)
    • Microsoft Azure
    • VMware
    You can choose to create a unique FQDN for the QRadar Suite Software platform if you don't want to use the Red Hat OpenShift Container Platform cluster FQDN.
    For more information about the FQDN requirements, see Domain name and TLS certificates.
    Certificate of Authority (CA), if required for the QRadar Suite Software application domain. For more information about certificates, see Domain name and TLS certificates.
    The persistent storage and storage class to be used. For more information about the persistent storage required for QRadar Suite Software, see Storage requirements.
    The user that you provide in the installation for the adminUser parameter to set the initial user in QRadar Suite Software. The adminUser must exist in your identity provider. If you are using LDAP for your identity provider, the adminUser must have the mail attribute in LDAP. If you are using IBM Security Verify for your identity provider, be aware that email addresses are case-sensitive.
    Warning: Do not add a user with the username admin to your identity provider, as that might cause issues with other services on your cluster.

    For more information about the adminUser, see Logging in to QRadar Suite Software as initial user.

Procedure

  1. Log in to your Red Hat OpenShift Container Platform cluster as a cluster administrator by typing one of the following commands, where <openshift_url> is the URL for your Red Hat OpenShift Container Platform environment.
    • Using a username and password.
      oc login <openshift_url> -u <cluster_admin_user> -p <cluster_admin_password>
    • Using a token.
      oc login --token=<token> --server=<openshift_url>
  2. Set the $CP4S_NAMESPACE environment variable by typing the following command, where <cp4s_namespace> is the namespace where you are installing QRadar Suite Software. 
    export CP4S_NAMESPACE=<cp4s_namespace>
  3. Create the namespace for QRadar Suite Software by typing the following command. 
    oc new-project $CP4S_NAMESPACE

    The namespace must meet the following criteria:

    • Contain only lowercase alphanumeric characters or -
    • Start and end with an alphanumeric character
    • Be a dedicated namespace for QRadar Suite Software
    • Not be default, kube-*, or openshift-*
  4. Create a secret for the Docker registry by typing the following commands, where <password> is your IBM Entitlement Registry secret. 
    oc create secret docker-registry "ibm-entitlement-key" -n $CP4S_NAMESPACE \
     "--docker-server=cp.icr.io" \
     "--docker-username=cp" \
     "--docker-password=<password>"
  5. If you are using your own domain and certificates, create a TLS secret.
    • If you are using a certificate from a trusted CA for your domain, create the TLS secret by typing the following command, where <path_to_certificate> is the path to the TLS certificate associated with your domain, and <path_to_key> is the path to the TLS key associated with your domain.
      oc create secret tls -n $CP4S_NAMESPACE isc-ingress-default-secret \
      --cert <path_to_certificate> \
      --key <path_to_key>
    • If you are using custom or self-signed certificates for your domain, create the TLS secret by typing the following command, where <path_to_CA> is the path to the custom TLS certificate associated with your domain, <path_to_certificate> is the path to the TLS certificate associated with your domain, and <path_to_key> is the path to the TLS key associated with your domain.
      oc create secret generic -n $CP4S_NAMESPACE isc-ingress-default-secret \
      --type=kubernetes.io/tls \
      --from-file=ca.crt=<path_to_CA> \
      --from-file=tls.crt=<path_to_certificate> \
      --from-file=tls.key=<path_to_key>
  6. Install the IBM Operator Catalog Source.
    1. Create a file called ibmCatalogSource.yaml.
    2. Paste the following text into the file. 
      apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
    name: ibm-operator-catalog
    namespace: openshift-marketplace
spec:
    displayName: ibm-operator-catalog
    publisher: IBM Content
    sourceType: grpc
    image: icr.io/cpopen/ibm-operator-catalog
    updateStrategy:
        registryPoll:
            interval: 45m
    3. Create the IBM Operator catalog source by typing the following command. 
      oc apply -f ibmCatalogSource.yaml
    4. Verify that the pod is running in the openshift-marketplace namespace by typing the following command. 
      oc get pod -lolm.catalogSource=ibm-operator-catalog -n openshift-marketplace
  7. Install the QRadar Suite Software Operator.
    1. Create a file called operatorGroup.yaml.
    2. Paste the following text into the file. 
      apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
     name: cp4s-operator-group
     namespace: <cp4s_namespace>
spec:
     targetNamespaces:
          - <cp4s_namespace>
    3. Create the QRadar Suite Software operator group by typing the following command. 
      oc apply -f operatorGroup.yaml
    4. Verify that the QRadar Suite Software operator group is created by typing the following command. 
      oc get og cp4s-operator-group -n $CP4S_NAMESPACE
    5. Create a file called subscription.yaml.
    6. Paste the following text into the file. Replace <operators_namespace> with either your QRadar Suite Software namespace for an isolated mode installation, or with openshift-operators for an installation where the QRadar Suite Software operators are available to all namespaces in the cluster. 
      apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
     name: ibm-cp-security-operator
     namespace: <operators_namespace>
spec:
     channel: v1.10
     installPlanApproval: Automatic
     name: ibm-cp-security-operator
     source: ibm-operator-catalog
     sourceNamespace: openshift-marketplace
    7. Create the QRadar Suite Software operator by typing the following command. 
      oc apply -f subscription.yaml
      After a few seconds, the QRadar Suite Software is installed.
    8. Verify that the ClusterServiceVersion (CSV) for the operator is installed by typing the following command. Replace <operators_namespace> with either your QRadar Suite Software namespace or openshift-operators, according to your namespace choice used to apply the Operator Subscription in the previous step. 
      oc get csv -n <operators_namespace> | grep ibm-cp-security-operator
      Wait until the output of this command shows Succeeded before you proceed to the next step.
    9. Verify that the operator is running by typing the following command. 
      oc get pod -A -lname=ibm-cp-security-operator
  8. Install QRadar Suite Software Threat Management.
    1. Create a file called cp4sThreatManagement.yaml.
    2. Paste the following text into the file. Replace <username> with the username of the initial admin user and <cp4s_namespace> with your QRadar Suite Software namespace. 
      apiVersion: isc.ibm.com/v2
kind: CP4SThreatManagement
metadata:
    name: threatmgmt
    namespace: <cp4s_namespace>
spec:
    license:
        accept: true
    basicDeploymentConfiguration:
        adminUser: <username>
        domain: ""
        storageClass: ""
    extendedDeploymentConfiguration:
        airgapInstall: false
        clusterProxy: false
        backupStorageClass: ""
        backupStorageSize: ""
        imagePullPolicy: IfNotPresent
        repository: cp.icr.io/cp/cp4s
        repositoryType: entitled
        roksAuthentication: false
        CSNamespace: ibm-common-services
    threatManagementCapabilities:
        deployDRC: true
        deployRiskManager: true
        deployThreatInvestigator: true
    3. Use the information in the following table to set the parameters in cp4sThreatManagement.yaml.
      Table 2. QRadar Suite Software installation parameters
      Parameter Description Do you need to update this parameter?
      adminUser The user that is to be given administrator privileges in the QRadar Suite Software System Administration account after installation. Specify a username or an email address that exists in your identity provider. Yes
      airgapInstall Set to false. No
      clusterProxy Set to true if you are installing in a cluster that is using a cluster-wide proxy. Set to false if you are not installing in a cluster that is using a cluster-wide proxy.

      Cluster-wide proxy is not supported in a disconnected environment.

      		 No, unless you are installing in a cluster that is using a cluster-wide proxy.
      domain The fully qualified domain name (FQDN) created for QRadar Suite Software. If you don't specify an FQDN, it is generated as cp4s.<cluster_ingress_subdomain>. No, unless you want or specify your own FQDN.
      storageClass The provisioned block or file storage class for all the PVCs required by QRadar Suite Software. When it is not specified, the default storage class is used. For more information, see Storage requirements. No, unless you are using a storage class other than the default storage class for the cluster.
      backupStorageClass Storage class for the backup and restore pod. If this value is not set, QRadar Suite Software takes the value from the storageClass parameter. No, unless you are using a different storage class for the backup and restore pod than you set for the storageClass parameter.
      backupStorageSize The storage size for the backup and restore PVC. Must be 500Gi or higher. No, unless you need the storage size for the backup and restore pod to be greater than 500 Gi.
      imagePullPolicy The pull policy for the images. When Red Hat OpenShift creates containers, it uses the imagePullPolicy to determine whether to pull the container image from the registry before starting the container. Options are Always, IfNotPresent, or Never. No
      repository The IBM Entitled Registry from which the images are pulled. Must be set to cp.icr.io/cp/cp4s. No
      roksAuthentication Enable ROKS authentication. Only supported in IBM Cloud. No, unless you're using ROKS authentication in an IBM Cloud environment.
      deployDRC Set to false to skip deployment of Detection and Response Center. No, unless you don't want to deploy Detection and Response Center.
      deployRiskManager Set to false to skip deployment of IBM Security Risk Manager. No, unless you don't want to deploy IBM Security Risk Manager.
      deployThreatInvestigator Set to false to skip deployment of Threat Investigator. No, unless you don't want to deploy Threat Investigator.
      CSNamespace The namespace where foundational services will be installed. The default is ibm-common-services.
      Warning: Do not install foundational services in the same namespace as QRadar Suite Software. If you are installing QRadar Suite Software operators in the all NamespaceMode, do not customize the namespace.
      		 No, unless you are installing in the ownNamespacesMode and want to install foundational services in a custom namespace or an existing QRadar Suite Software installation in your cluster uses foundational services in a custom namespace.
    4. Create the QRadar Suite Software Threat Management by typing the following command. 
      oc apply -f cp4sThreatManagement.yaml
    Important: Installation takes approximately 1.5 hours. When installation is complete, the latest version of IBM Cloud Pak foundational services, and QRadar Suite Software 1.10.17 are installed.
  9. Verify QRadar Suite Software installation by typing the following command. 
    oc get CP4SThreatManagement threatmgmt -n $CP4S_NAMESPACE -o jsonpath='{.status.conditions}'

Results

The following message is displayed when installation is complete. 
[{"lastTransitionTime":"<timestamp>","message":"Cloudpak for Security Deployment is successful","reason":"Deployment is complete","status":"True","type":"Success"}]%

If the following message is displayed, follow the instructions in SOAR playbooks not available or SOAR automation limited to resolve the issue.

[{"lastTransitionTime":"<timestamp>","message":"SOAR automation functionality will be limited","reason":"Knative not Deployed","status":"True","type":"Degraded"}]%

What to do next

Postinstallation tasks