New in 5.0
Before you configure the IBM® QRadar® SOAR Plug-in 5.0 app, you must copy the SOAR CA certificates to the QRadar Console to allow access to the SOAR inbound destinations.
Before you begin
If you connect to an IBM Security SOAR for IBM Cloud Pak® for Security (CP4S) instance, ensure that DNS mapping for the IP address that is associated with the CP4S cluster and its domain name is configured. Provide this information for both the QRadar Console and the QRadar SOAR Plug-in container. You must provide the IP address and hostnames of the CP4S cluster, and the cases-rest, cases-stomp, and cases-openwire endpoints.
Procedure
- To configure CA certificates for IBM Security SOAR Platform, follow these steps:
  - Using SSH, log in to the QRadar Console as the root user.
  - Type the following command to change directories.
    cd /opt/qradar/conf/trusted_certificates
  - Install the SOAR certificate by typing this command:
    /opt/qradar/bin/getcert.sh <IP_or_Hostname_of_SOAR> <Port_of_the_SOAR_incoming_queue>
    For example, the command might look similar to this one:
    /opt/qradar/bin/getcert.sh mysoar.ibm.com 65000
  - Restart the QRadar event collection service by typing this command:
- To configure CA certificates for a SOAR for IBM Cloud Pak for Security instance, follow these steps:
  - Open the Red Hat OpenShift Container Platform console for the cluster where CP4S is installed.
  - In the navigation page, select .
  - Select Project: All Projects and search for cases-openwire.
  - Click the cases-openwire route to open the Route details window.
  - Under TLS settings, copy the value in the Certificate field and save it to a .crt file. For example, you can name the .crt file similar to this one: <hostname>_cases_openwire_ca.crt.
    Note: If the Certificate value is empty, find the certificate value in the Workloads settings.
    - In the navigation window, select .
    - Search for isc-cases-openwire-default-cert or isc-cases-stomp-default-cert. The certificate content is in the Data section.
  - Copy the .crt file to the /opt/qradar/conf/trusted_certificates location on the QRadar Console.
  - Restart the QRadar event collection service by typing this command:
What to do next
After you configure access to the inbound destinations, create an authorized service token to authenticate the API calls that are made by SOAR.
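
Before the .crt file saved from the cases-openwire route is copied to /opt/qradar/conf/trusted_certificates, it can be checked on the command line for a damaged paste, stray key material, or an expired certificate. The following script is an added example, not part of the IBM procedure; the function name check_soar_cert and its exit codes are hypothetical, and it assumes that the openssl command-line tool is available.

```shell
#!/bin/sh
# Added example: sanity-check a saved SOAR certificate file before it is copied
# into /opt/qradar/conf/trusted_certificates. The function name and exit codes
# are hypothetical. Requires the openssl command-line tool.
# Exit codes: 0 ok, 1 unreadable, 2 contains a private key,
#             3 not a PEM X.509 certificate, 4 expired.
check_soar_cert() {
    crt=$1
    if [ ! -r "$crt" ]; then
        echo "ERROR: cannot read $crt" >&2
        return 1
    fi
    # Only the public certificate belongs in a trust store. Refuse a file
    # that also carries key material (for example, a pasted key block).
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$crt"; then
        echo "ERROR: $crt contains a private key; save only the certificate" >&2
        return 2
    fi
    # A truncated or re-wrapped paste fails to parse here.
    if ! openssl x509 -in "$crt" -noout >/dev/null 2>&1; then
        echo "ERROR: $crt is not a valid PEM-encoded X.509 certificate" >&2
        return 3
    fi
    # -checkend 0 exits non-zero when notAfter is already in the past.
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "ERROR: $crt has expired" >&2
        return 4
    fi
    # openssl x509 reads only the first certificate; report extra blocks.
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$crt")
    echo "certificates in file: $count"
    # Print identity details for review before the file is trusted.
    openssl x509 -in "$crt" -noout -subject -issuer -enddate -fingerprint -sha256
}

# Run the check when a file name is given on the command line.
if [ "$#" -gt 0 ]; then
    check_soar_cert "$1"
fi
```

Run it with the path to the saved .crt file as its argument and copy the file only when the script exits with 0.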