Setting up certificate-based authentication for HTTP Receiver
Deprecated
When you use the HTTP Receiver protocol, you must use a certificate that is issued by a certificate authority (CA). It can't be a self-signed certificate because it must be validated by a CA.
About this task
When you create a new log source in QRadar® by using the HTTP Receiver protocol, use the Choose from QRadar Certificate Store or the PKCS12 Certificate Chain and Password option when you configure the Server Certificate parameter.
Before you begin
If you have a private key and certificate instead of a PKCS12 certificate, you must complete the following steps to convert them to a PKCS12 certificate:
- Locate the endpoint certificate private key, which is in PKCS1 encoding in PEM format. The file is called certificate.key. The private key must begin with BEGIN RSA PRIVATE KEY and end with END RSA PRIVATE KEY.
  Tip: If your key is in PEM format but begins with a BEGIN PRIVATE KEY header instead of BEGIN RSA PRIVATE KEY, then it is in PKCS8 encoding and must be converted to PKCS1 encoding before you continue.
- Locate the certificate chain in PEM format, with each certificate appended in the following order in the chain.crt file. The endpoint certificate must be first, followed by one or more intermediate certificates as needed.
  Important: If your certificate is issued directly by a Root CA, you must provide only the endpoint certificate.
- Create the PKCS12 certificate with the certificate.key and chain.crt files by running the following command:
openssl pkcs12 -export -out myserver.mycompany.net.p12 -inkey certificate.key -in chain.crt
- Create an export password to protect the private key in the PKCS12 container. The password is used to import the certificate into the QRadar keystore.
- Verify the details of the certificate by running the following command:
keytool -list -v -keystore myserver.mycompany.net.p12 -storetype PKCS12
- Back up the existing syslog-tls.keystore by running the following command:
mv /opt/qradar/conf/syslog-tls.keystore /opt/qradar/conf/syslog-tls.keystore.orig
- Re-create the syslog-tls.keystore with the contents of the myserver.mycompany.net.p12 PKCS12 certificate by running the following command:
keytool -v -importkeystore -srckeystore myserver.mycompany.net.p12 -srcstoretype PKCS12 -destkeystore /opt/qradar/conf/syslog-tls.keystore -deststoretype JKS
  Important: You are prompted to enter your source keystore password and then your destination keystore password. The source keystore password is the export password that you created in step 4 in the Before you begin section. When you are prompted for the destination keystore password, you must use syslog-tls because it is the expected password for this keystore file.
- Rename the alias 1 to be called syslog-tls by running the following command:
keytool -changealias -keystore /opt/qradar/conf/syslog-tls.keystore -alias 1 -destalias syslog-tls
- Verify that the certificate was imported successfully by running the following command:
keytool -list -v -keystore /opt/qradar/conf/syslog-tls.keystore

Keystore type: jks
Keystore provider: IBMJCE
Your keystore contains 1 entry
Alias name: syslog-tls
Creation date: May 25, 2022
Entry type: keyEntry
Certificate chain length: 3
Certificate:
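
A preflight check for the certificate.key and chain.crt requirements above, as an added example that is not part of the original documentation: it confirms that the key header is PKCS1, that the key belongs to the first certificate in chain.crt, and that the chain is ordered endpoint-first and does not start with a self-issued certificate. The function names are hypothetical, and the openssl CLI is assumed to be installed.

```shell
# Added example: preflight checks for certificate.key and chain.crt before
# running "openssl pkcs12 -export". Function names are hypothetical.

# Print the private key encoding implied by its PEM header.
key_encoding() {
    case "$(grep -- '-----BEGIN .*PRIVATE KEY-----' "$1" | head -n 1)" in
        *'BEGIN RSA PRIVATE KEY'*) echo pkcs1 ;;
        *'BEGIN PRIVATE KEY'*)     echo pkcs8 ;;
        *)                         echo unknown ;;
    esac
}

# Print the subject or issuer ($2) of the first certificate in file $1.
cert_name() { openssl x509 -in "$1" -noout -nameopt RFC2253 "-$2" | sed 's/^[a-z]*= *//'; }

# Succeed if the private key ($1) belongs to the first certificate in $2.
key_matches_leaf() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed if the first certificate is not self-issued and every certificate
# is issued by the one that follows it in the file (endpoint first).
chain_in_order() {
    dir=$(mktemp -d) || return 2
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
    n=$(($(ls "$dir" | wc -l))); rc=0; i=1
    if [ "$n" -lt 1 ]; then
        echo "no certificate found in $1" >&2; rc=1
    elif [ "$(cert_name "$dir/1.pem" subject)" = "$(cert_name "$dir/1.pem" issuer)" ]; then
        echo "first certificate is self-issued (subject equals issuer)" >&2; rc=1
    fi
    while [ "$rc" -eq 0 ] && [ "$i" -lt "$n" ]; do
        [ "$(cert_name "$dir/$i.pem" issuer)" = "$(cert_name "$dir/$((i + 1)).pem" subject)" ] ||
            { echo "certificate $i is not issued by certificate $((i + 1))" >&2; rc=1; }
        i=$((i + 1))
    done
    rm -rf "$dir"; return "$rc"
}

preflight() {
    [ "$(key_encoding "$1")" = pkcs1 ] || { echo "key is not PKCS1 PEM" >&2; return 1; }
    key_matches_leaf "$1" "$2" || { echo "key does not match first certificate" >&2; return 1; }
    chain_in_order "$2" && echo "ok: inputs are ready for the PKCS12 export"
}

if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi  # sh preflight.sh certificate.key chain.crt
```

The chain check compares issuer and subject names only; it does not verify signatures or trust in a CA.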