Setting up certificate-based authentication on QRadar

In TLS over TCP communication between IBM® Disconnected Log Collector and IBM QRadar®, certificate-based communication is used to establish a chain of trust in which hardware and software are validated from the end entity to the root certificate.

Before you begin

This setup is completed by the IBM QRadar on Cloud DevOps team and is completed only for the first Disconnected Log Collector (DLC). Adding additional DLCs does not require a support ticket as long as you continue to use the same CA.

Important: If multiple Disconnected Log Collectors exist in the environment, perform the following steps only once on the QRadar system that the Disconnected Log Collector connects to.

Procedure

  1. In the QRadar on Cloud Self Serve app, update the Allow List with the egress IP address of the DLC.
  2. Open a Customer Support ticket and do the following:
    1. Request a TLS syslog certificate. Certificates that are provided by QRadar on Cloud are signed by a Certificate Authority.
    2. Attach the rootCA.crt in PEM format.
    The IBM QRadar on Cloud DevOps team updates the ticket with the following information:
    • Key Store File Name
    • Key Store File Password
    • Trust Store File Path
    • Trust Store Password
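
A pre-flight check for the rootCA.crt attachment in step 2, added here as an example (it is not IBM code): it confirms the file is PEM rather than binary DER and that no private key is bundled with the certificate before the file goes into a ticket. The function names and the expectation of exactly one certificate in the file are assumptions; the check covers the PEM envelope and the outer DER structure only, not the certificate's fields.

```python
import base64
import binascii
import re

# One PEM block: BEGIN label, base64 body, matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def der_sequence_ok(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (tag 0x30) with a consistent length."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_root_ca_pem(data: bytes) -> list:
    """Return a list of problems; an empty list means the file passed every check."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        if data[:1] == b"\x30":
            return ["file is binary DER, not PEM; convert it before attaching"]
        return ["file is not ASCII text, so it is not PEM"]
    problems = []
    if "PRIVATE KEY" in text:             # any key type, encrypted or not
        problems.append("file contains a private key; never attach the CA key")
    certs = [body for label, body in PEM_BLOCK.findall(text)
             if label == "CERTIFICATE"]
    if not certs:
        problems.append("no CERTIFICATE block found")
    if len(certs) > 1:                    # assumption: rootCA.crt holds one cert
        problems.append(f"{len(certs)} certificates found; expected only the root CA")
    for body in certs:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append("CERTIFICATE block is not valid base64")
            continue
        if not der_sequence_ok(der):
            problems.append("CERTIFICATE block does not hold one DER SEQUENCE")
    return problems
```

Call it as `check_root_ca_pem(open("rootCA.crt", "rb").read())` and attach the file only when the returned list is empty.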

Results

You can configure the Disconnected Log Collector log source on QRadar by using the dlc-server.pfx file that you created.

What to do next

Setting up TLS over TCP communication with QRadar