Setting up certificate-based authentication for HTTP Receiver

Deprecated

When you use the HTTP Receiver protocol, you must use a certificate that is issued by a certificate authority (CA). It can't be a self-signed certificate because it must be validated by a CA.

About this task

Important: The instructions in this task apply only when you use the Self-signed Generated Certificate option for the Server Certificate. The Self-signed Generated Certificate option is deprecated.

When you create a new log source in QRadar® by using the HTTP Receiver protocol, use the Choose from QRadar Certificate Store or the PKCS12 Certificate Chain and Password option when you configure the Server Certificate parameter.

Before you begin

Before you import a PKCS12 file to use with the HTTP Receiver, you need a PKCS12 file that includes the certificate private key, endpoint certificate, and any intermediate certificates that are needed. Root CAs can be included in the chain but are not mandatory.

If you have a private key and certificate instead of a PKCS12 certificate, you must complete the following steps to convert them to a PKCS12 certificate:

  1. Locate the endpoint certificate private key, which is in PKCS1 encoding in PEM format. The file is called certificate.key. The private key must begin with BEGIN RSA PRIVATE KEY and end with END RSA PRIVATE KEY.
    Tip: If your key is in PEM format but begins with a BEGIN PRIVATE KEY header instead of BEGIN RSA PRIVATE KEY, then it is in PKCS8 encoding and must be converted to PKCS1 encoding before you continue.
  2. Locate the certificate chain in PEM format, with each certificate appended in the following order in the chain.crt file. The endpoint certificate must be first, then followed by one or more intermediate certificates as needed.
    Important: If your certificate is issued directly by a Root CA, you must provide only the endpoint certificate.
  3. Create the PKCS12 certificate with the certificate.key and chain.crt files by running the following command:
    openssl pkcs12 -export -out myserver.mycompany.net.p12 -inkey certificate.key -in chain.crt
  4. Create an export password to protect the private key in the PKCS12 container. The password is used to import the certificate into the QRadar keystore.
  5. Verify the details of the certificate by running the following command:
    keytool -list -v -keystore myserver.mycompany.net.p12 -storetype PKCS12
You can now import the PKCS12 certificate to use with HTTP Receiver.
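
The checks from steps 1 and 2 can be scripted before you build the PKCS12 file. The following script is an added example, not part of the product documentation: it confirms that certificate.key has a PKCS1 header, that the key belongs to the first certificate in chain.crt, and that the chain is ordered endpoint first. The function names are illustrative, and the script assumes that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the product documentation): pre-flight checks for
# certificate.key and chain.crt. All function names here are illustrative.

# Print the key encoding implied by the first PEM private-key header.
key_encoding() {
    hdr=$(grep -e '-----BEGIN .*PRIVATE KEY-----' "$1" | head -n 1 | tr -d '\r')
    case "$hdr" in
        '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1 ;;
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# Succeed only if the private key belongs to the first (endpoint) certificate.
# `openssl x509` reads only the first certificate of a multi-certificate file.
key_matches_endpoint() {
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Succeed only if each certificate's issuer is the subject of the next one,
# which is the order required for chain.crt (endpoint, then intermediates).
chain_in_order() {
    tmp=$(mktemp -d) || return 2
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
    i=1; rc=0
    while [ -f "$tmp/$((i + 1)).pem" ]; do
        iss=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer | sed 's/^issuer= *//')
        sub=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject | sed 's/^subject= *//')
        [ "$iss" = "$sub" ] || { rc=1; break; }
        i=$((i + 1))
    done
    rm -rf "$tmp"; return "$rc"
}

# Run all checks and report the first one that fails.
preflight() {
    [ "$(key_encoding "$1")" = pkcs1 ] || { echo "key is not PKCS1 PEM" >&2; return 1; }
    key_matches_endpoint "$1" "$2" || { echo "key does not match first certificate" >&2; return 1; }
    chain_in_order "$2" || { echo "chain is not ordered endpoint first" >&2; return 1; }
    echo "OK: $(grep -c -e '-----BEGIN CERTIFICATE-----' "$2") certificate(s) in chain"
}

# Usage: sh preflight.sh certificate.key chain.crt
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```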

Procedure

  1. Back up the existing syslog-tls.keystore by running the following command:
    mv /opt/qradar/conf/syslog-tls.keystore /opt/qradar/conf/syslog-tls.keystore.orig
  2. Re-create the syslog-tls.keystore with the contents of the myserver.mycompany.net.p12 PKCS12 certificate by running the following command:
    keytool -v -importkeystore -srckeystore myserver.mycompany.net.p12 -srcstoretype PKCS12 -destkeystore /opt/qradar/conf/syslog-tls.keystore -deststoretype JKS
    Important: You are prompted to enter your source keystore password and then your destination keystore password. The source keystore password is the export password that you created in step 4 in the Before you begin section. When you are prompted for the destination keystore password, you must use syslog-tls because it is the expected password for this keystore file.
  3. Rename the alias 1 to be called syslog-tls by running the following command:
    keytool -changealias -keystore /opt/qradar/conf/syslog-tls.keystore -alias 1 -destalias syslog-tls
  4. Verify that the certificate was imported successfully by running the following command:
    keytool -list -v -keystore /opt/qradar/conf/syslog-tls.keystore

Results

With a successfully imported certificate, the keystore file contains one key with the syslog-tls alias. The chain length varies depending on the certificate. The following example shows what a successful import looks like:
Keystore type: jks
Keystore provider: IBMJCE

Your keystore contains 1 entry

Alias name: syslog-tls
Creation date: May 25, 2022
Entry type: keyEntry
Certificate chain length: 3
Certificate[1]: