Setting up certificate-based authentication on Disconnected Log Collector

In TLS communication over TCP, certificates establish a chain of trust in which the identity of the endpoints (hardware and software) is validated link by link, from the end-entity certificate up to the root certificate.

Before you begin

You must have a root certificate that is issued by a trusted certificate authority (CA). Typically, you use the same root certificate on the IBM® Disconnected Log Collector and IBM QRadar® systems. Ensure that the root certificate has a meaningful name, such as root-ca.cer.

About this task

Every certificate has a validity period (a date range) during which it can be used to establish secure communications. After the validity period ends, the certificate expires and must be replaced.

Procedure

  1. Use SSH to log in to the Event Collector, Event Processor, or QRadar console that receives events from the Disconnected Log Collector instance.
  2. Copy the root certificate to the /etc/pki/ca-trust/source/anchors directory.
  3. If you're using your own truststore, type the following commands to add the client certificate's CA and the intermediate CA into your own truststore:
    keytool -import -alias client_root_ca -file client_root_ca.crt -keystore clientca
    keytool -import -alias client_int_ca -file client_int_ca.crt -keystore clientca
    Important:
    • The client_root_ca.crt file must be in X.509 format.
    • Run the second command only if your certificate is signed by an intermediate CA.
  4. If you're using the default truststore, type the following command to update the default truststore:
    update-ca-trust
  5. To configure the server's certificate signing request (CSR), create a text file with this information:
    [ default ]
    # Change the following line to include the FQDN and IP address of the QRadar console or host
    SAN = DNS:<ec.example.com>,IP:<IP_address>
    [ req ]
    default_bits = 2048                        # RSA key size; change to 4096 if required by your organization
    encrypt_key = no                           # Do not passphrase-protect the private key
    default_md = sha256                        # Message digest to use
    utf8 = yes                                 # Input is UTF-8
    string_mask = utf8only                     # Emit UTF-8 strings
    prompt = no                                # Do not prompt; take the DN from server_dn
    distinguished_name = server_dn             # DN template
    req_extensions = server_reqext             # Desired extensions
    [ server_dn ]
    organizationName = <your_organization_name>
    organizationalUnitName = <your_organizational_unit_name>
    commonName = <common_name>                 # Should match a listed SAN
    [ server_reqext ]
    keyUsage = critical,digitalSignature,keyEncipherment
    extendedKeyUsage = serverAuth,clientAuth
    subjectKeyIdentifier = hash
    subjectAltName = $ENV::SAN
  6. Save the text file as /tmp/tls-server.conf or in your preferred location.
  7. Generate a server certificate signing request (CSR) by typing the following command:
    openssl req -new -config /tmp/tls-server.conf -out /tmp/tls-server.csr -keyout /tmp/tlsserver.key

    A server CSR file is saved in /tmp/tls-server.csr, and a private key file is saved in /tmp/tlsserver.key.

  8. Submit the CSR to your internal or commercial certificate authority for signing, according to their instructions.

    The procedure might involve opening the CSR file and copying a block of encoded text that is contained between the BEGIN and END markers.

    Important: You must have a private certificate authority to sign the certificate for Disconnected Log Collector. If you don’t already have one as part of your company infrastructure, you can create one. For example, Easy-RSA is a publicly available tool that you can use to create a certificate authority. For more information, see Easy-RSA (https://github.com/OpenVPN/easy-rsa).
  9. Copy the returned client certificate to the /tmp directory or your preferred location.
  10. Ensure that the client certificate is in PEM (Base64 ASCII) format. If the certificate is in DER (binary) format, convert it to PEM format by typing the following command:
    openssl x509 -inform der -in <certificate_file_name>.der -out <certificate_file_name>.pem
    Tip: A certificate's file extension does not necessarily indicate the encoding method that is used. For example, a certificate with a .cer extension might have Base-64 or DER encoding. Typically, you choose the encoding method during the certificate request procedure. Search the internet for information about OpenSSL commands that convert certificates from one format to another.
    The PEM file contains a block of encoded text that is contained between the BEGIN and END markers.
  11. If your CA uses an intermediate CA to sign certificates, ensure that the intermediate CA certificate is in PEM (Base64 ASCII) format. If the certificate is in DER (binary) format, convert it to PEM format (see the previous step). Then, append the intermediate CA certificate to the signed server certificate by typing the following command:
    cat <intermediate_ca_file_name>.pem >> <signed_server_certificate_file_name>.pem
  12. If the signed server certificate that you received is not in PKCS#12 format (for example, it is in Distinguished Encoding Rules (DER) format), convert it to PKCS#12 format. Type the following command, and choose a secure password when prompted:
    openssl pkcs12 -inkey /tmp/tlsserver.key -in <signed_server_certificate_file_name>.pem -export -out dlc-server.pfx
    A generated Personal Information Exchange (PFX) file is saved as /opt/ibm/si/services/dlc/keystore/dlc-client.pfx. The required PFX information is stored in the /opt/ibm/si/services/dlc/conf/config.json file.
  13. Copy the dlc-server.pfx file to the /opt/qradar/conf/key_stores directory. If the key_stores directory doesn't exist, create it.
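The following script is a worked example added to this page; it is not IBM code and not part of the Disconnected Log Collector or QRadar products. It runs steps 5 through 12 end to end in a scratch directory. A throwaway lab root CA, created inside the script from an extra `lab_ca_ext` section appended to the request config, stands in for the private CA that signs the CSR in step 8; the hostname ec.example.com, the TEST-NET address 192.0.2.10, the organization names and the PFX password are constructed lab values. On top of the commands from the procedure it adds the checks a practitioner wants before copying the PFX into key_stores: that the SAN actually landed in the CSR, that the returned certificate matches the key from step 7 whether the CA returned it PEM- or DER-encoded (the tip in step 10), and that it verifies against the root certificate.

```shell
#!/bin/sh
# Added worked example, not IBM's code: steps 5-12 of the procedure in a
# scratch directory. A throwaway lab root CA (section lab_ca_ext, added to
# the request config) stands in for the private CA of step 8. Hostname,
# IP (TEST-NET-1), organization and PFX password are constructed lab values.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/tls-server.conf"
PFX_PASS=changeit            # lab value; choose the real one interactively

# Step 5: the request config. SAN sits in [ default ] so that $ENV::SAN
# falls back to it when no SAN variable is exported in the environment.
write_server_conf() {        # $1 = output path, $2 = commonName, $3 = SAN list
    cat > "$1" <<EOF
[ default ]
SAN = $3
[ req ]
default_bits = 2048
encrypt_key = no
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = server_dn
req_extensions = server_reqext
[ server_dn ]
organizationName = Example Org
organizationalUnitName = Security Operations
commonName = $2
[ server_reqext ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
subjectAltName = \$ENV::SAN
[ lab_ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# Step 7: one command yields both the private key and the CSR
make_csr() {                 # $1 = config, $2 = key out, $3 = CSR out
    openssl req -new -config "$1" -keyout "$2" -out "$3" 2>/dev/null
}

# Confirm the SAN really is in the request before submitting it (step 8)
csr_has_san() {              # $1 = CSR, $2 = DNS name that must be listed
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# Stand-in for step 8: a lab root CA signs the CSR, applying the requested
# extensions from the same config so that SAN and EKU survive signing
lab_ca_sign() {              # $1 = CSR, $2 = config, $3 = root cert out, $4 = cert out
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$2" \
        -extensions lab_ca_ext -subj "/CN=Lab Root CA" \
        -keyout "$WORK/ca.key" -out "$3" 2>/dev/null
    openssl x509 -req -in "$1" -CA "$3" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 30 -extfile "$2" -extensions server_reqext -out "$4" 2>/dev/null
}

# Step 10 tip: decide the encoding by content, never by file extension
cert_encoding() {            # $1 = certificate file; prints pem or der
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then echo pem; else echo der; fi
}
to_pem() {                   # $1 = certificate (pem or der), $2 = PEM out
    if [ "$(cert_encoding "$1")" = der ]; then
        openssl x509 -inform der -in "$1" -out "$2"
    else
        cp "$1" "$2"
    fi
}

# Checks worth running before step 12: the returned certificate must belong
# to the key from step 7 and must chain to the trusted root from step 2
key_matches_cert() {         # $1 = private key, $2 = certificate (PEM)
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}
chains_to_root() {           # $1 = root cert, $2 = certificate (PEM)
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Step 12: bundle key and certificate into the PFX that QRadar expects
export_pfx() {               # $1 = key, $2 = certificate (PEM), $3 = PFX out, $4 = password
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}
pfx_subject() {              # $1 = PFX, $2 = password; prints the subject stored inside
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject
}

check() {                    # run one check function; abort the walkthrough if it fails
    if "$@"; then echo "ok: $1"; else echo "FAILED: $1" >&2; exit 1; fi
}

# --- walk the procedure ---
write_server_conf "$CONF" ec.example.com "DNS:ec.example.com,IP:192.0.2.10"
make_csr "$CONF" "$WORK/tlsserver.key" "$WORK/tls-server.csr"
check csr_has_san "$WORK/tls-server.csr" ec.example.com
lab_ca_sign "$WORK/tls-server.csr" "$CONF" "$WORK/root-ca.cer" "$WORK/server.crt"
# pretend the CA returned the certificate DER-encoded under a .cer name
openssl x509 -in "$WORK/server.crt" -outform der -out "$WORK/server.cer"
echo "server.cer is $(cert_encoding "$WORK/server.cer")-encoded"
to_pem "$WORK/server.cer" "$WORK/server.pem"
check key_matches_cert "$WORK/tlsserver.key" "$WORK/server.pem"
check chains_to_root "$WORK/root-ca.cer" "$WORK/server.pem"
export_pfx "$WORK/tlsserver.key" "$WORK/server.pem" "$WORK/dlc-server.pfx" "$PFX_PASS"
pfx_subject "$WORK/dlc-server.pfx" "$PFX_PASS"   # the file to copy into key_stores
```

Run it as `sh walkthrough.sh`; everything is created under a temporary directory that is removed on exit. Exporting `SAN=...` in the shell before running overrides the value in `[ default ]`, which is the lookup order `$ENV::SAN` follows: environment first, then the config's default section. The `key_matches_cert` check compares the public key inside the certificate with the one derived from the private key, so a certificate a CA returned for the wrong request is caught before it is packed into a PFX.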

Results

You can configure the Disconnected Log Collector log source on QRadar by using the dlc-server.pfx file that you created.

What to do next

Setting up certificate-based authentication on QRadar