In TLS over TCP communication between IBM Disconnected Log Collector and IBM QRadar, certificate-based communication is used to establish a chain of trust in which hardware and software are validated from the end entity to the root certificate.
Before you begin
You must have a root certificate that was issued by a trusted certificate authority (CA). Typically, you use the same root certificate on the Disconnected Log Collector and QRadar systems. Ensure that the root certificate has a meaningful name, such as root-ca.cer.
About this task
Every certificate has a validity period (a date range) during which it can be used to establish secure communications. After the validity period ends, the certificate expires and must be replaced.
Procedure
- Log in to the Disconnected Log Collector computer or VM as the root user.
- Copy the root certificate to the /etc/pki/ca-trust/source/anchors directory and run the following command to update the default truststore:
  update-ca-trust
  Note: For Ubuntu, copy the root certificate to the /usr/local/share/ca-certificates directory and run the following command to update the default truststore:
  update-ca-certificates
- Generate a client certificate signing request (CSR) by typing the following command:
  /opt/ibm/si/services/dlc/current/script/generateCertificate.sh -csr (-2k | -4k)
  The -2k option represents a 2048-bit key, and -4k represents a 4096-bit key. Choose the key size value for the certificate according to the requirements of your organization.
  For example:
  /opt/ibm/si/services/dlc/current/script/generateCertificate.sh -csr -2k
- Enter values for the following parameters.
  - Enter a two-letter code for your country name or leave it blank.
  - Enter a state or province or leave it blank.
  - Enter a city name or leave it blank.
  - Enter your organization name.
  - Enter your organizational unit.
  The file is saved as /opt/ibm/si/services/dlc/keystore/<UUID>/dlc-client.key, where UUID is an identifier that is unique to the Disconnected Log Collector instance.
  Tip: Make note of the UUID identifier that is unique to the Disconnected Log Collector instance. The identifier is the /opt/ibm/si/services/dlc/keystore/<UUID> folder name. You'll need the UUID when you configure the Disconnected Log Collector protocol in QRadar.
- Submit the CSR to your internal or commercial certificate authority for signing, according to their instructions.
  The procedure might involve opening the CSR file and copying a block of encoded text that is contained between the BEGIN and END markers.
  Important: You must have a private certificate authority to sign the certificate for Disconnected Log Collector. If you don't already have one as part of your company infrastructure, you can create one. For example, Easy-RSA is a publicly available tool that you can use to create a certificate authority. For more information, see Easy-RSA (https://github.com/OpenVPN/easy-rsa).
- Copy the returned client certificate to the /tmp directory or your preferred location.
- Ensure the client certificate is in PEM (Base64 ASCII) format. If the certificate is in DER (binary) format, convert it to PEM format by typing the following command:
  openssl x509 -inform der -in <certificate_file_name>.der -out <certificate_file_name>.pem
  The PEM file contains a block of encoded text that is contained between the BEGIN and END markers.
- Convert the client certificate to PKCS#12 format by typing the following command, and choose a secure password when prompted:
  /opt/ibm/si/services/dlc/current/script/generateCertificate.sh -p12 /tmp/<signed_certificate_file_name>
  A generated personal exchange format (PFX) file is saved as /opt/ibm/si/services/dlc/keystore/dlc-client.pfx and the required PFX information is stored in the /opt/ibm/si/services/dlc/conf/config.json file.
- Restart Disconnected Log Collector by typing the following command:
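Before handing the signed client certificate to the -p12 conversion step, it is worth checking that it chains to the root certificate you placed in the truststore and that its validity period is not about to end. The following script is an added example, not part of the IBM procedure or the generateCertificate.sh script: it detects DER versus PEM encoding (converting as the procedure does), verifies the chain against root-ca.cer with openssl, and flags certificates that expire within a chosen number of days. It assumes openssl is installed; the sample root CA and client certificates it builds in a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not IBM's script): sanity-check a signed DLC client certificate
# before converting it to PKCS#12. Assumes openssl is installed; file names are the
# placeholders used in the procedure (root-ca.cer, dlc-client.*).

# Emit the certificate as PEM, converting from DER when the PEM markers are absent.
to_pem() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        cat "$1"
    else
        openssl x509 -inform der -in "$1"
    fi
}

# check_client_cert <cert> <root-ca.cer> [days]
# 0: chains to the root CA and stays valid for at least <days> (default 30)
# 1: does not chain to the root CA (or is unreadable)
# 2: chains, but expires within <days>; plan the replacement now
check_client_cert() {
    pem=$(to_pem "$1") || return 1
    printf '%s\n' "$pem" | openssl verify -CAfile "$2" >/dev/null 2>&1 || return 1
    printf '%s\n' "$pem" | openssl x509 -noout -checkend $(( ${3:-30} * 86400 )) >/dev/null || return 2
}

# Constructed sample material: a throw-away root CA, a 90-day client certificate it
# signed (kept in both PEM and DER), and a 1-day certificate to exercise the expiry check.
make_sample() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Sample Root CA" \
        -keyout "$d/root-ca.key" -out "$d/root-ca.cer" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/O=Sample Org/OU=SOC/CN=dlc-client" \
        -keyout "$d/dlc-client.key" -out "$d/dlc-client.csr" 2>/dev/null
    openssl x509 -req -in "$d/dlc-client.csr" -CA "$d/root-ca.cer" -CAkey "$d/root-ca.key" \
        -CAcreateserial -days 90 -out "$d/dlc-client.pem" 2>/dev/null
    openssl x509 -in "$d/dlc-client.pem" -outform der -out "$d/dlc-client.der"
    openssl x509 -req -in "$d/dlc-client.csr" -CA "$d/root-ca.cer" -CAkey "$d/root-ca.key" \
        -CAcreateserial -days 1 -out "$d/short.pem" 2>/dev/null
    echo "$d"
}

# Stand-alone demo: check the PEM copy, the DER copy, and the soon-to-expire certificate.
if command -v openssl >/dev/null 2>&1; then
    dir=$(make_sample)
    for f in dlc-client.pem dlc-client.der short.pem; do
        check_client_cert "$dir/$f" "$dir/root-ca.cer"; echo "$f: rc=$?"
    done
fi
```

On a real collector, run check_client_cert against /tmp/<signed_certificate_file_name> and the root certificate you copied into the anchors directory; a return code of 2 is the cue to schedule the replacement described under "About this task".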