By default, IBM QRadar is configured with a Secure Sockets Layer (SSL) certificate that is signed by an internal CA. When you log in to the Console for the first time, you are prompted with a warning message that your connection is not secure or is not private. You can replace the SSL certificate with your own self-signed certificate, a private certificate authority (CA) signed certificate, or a public CA signed certificate.
Before you begin
You must have the following information:
If you use a DER formatted certificate, you must convert it to a PEM formatted certificate by
typing the following command:
openssl x509 -in <cert>.der -inform der -outform pem -out <cert>.pem
Tip: A more efficient method for uploading a root CA is to use the Certificate Management app. For more information, see Certificate Management (https://www.ibm.com/docs/en/qsip/7.5?topic=apps-radar-certificate-management).
Procedure
- If you are installing a certificate that was not generated by QRadar® or reinstalling an overwritten certificate that was not generated by QRadar, disable the CA framework from monitoring and automatically replacing the certificate. Edit the /opt/qradar/ca/conf.d/httpd.json file and set the CertSkip property to true.
For example:
{
  "ServiceName": "httpd",
  "CertDir": "/etc/httpd/conf/certs",
  "CertName": "cert",
  "ServiceCommand": "/opt/qradar/bin/install-ssl-cert.sh --deploy",
  "CASkip": "true",
  "CertSkip": "true"
}
- If the certificate was issued by an internal certificate authority and not a commercial
certificate provider, the CA's root and intermediate certificates are required for a full chain of
trust validation. Copy the CA's root certificate and, if needed, the intermediate certificates, to
/etc/pki/ca-trust/source/anchors/ and then run the following command:
update-ca-trust
Repeat this step on all managed hosts.
- Use SSH to log in to the QRadar Console as the root user. Install the certificate by entering the following command:
/opt/qradar/bin/install-ssl-cert.sh
- At the Path to Public Key File (SSLCertificateFile) prompt, enter the path to the
Public Key File. For example:
/root/new.certs/cert.cert
- At the Path to Private Key File (SSLCertificateKeyFile) prompt, enter the path to the
Private Key File. For example:
/root/new.certs/qradar.key
Example output:
You have specified the following:
SSLCertificateFile of /root/new.certs/cert.cert
SSLCertificateKeyFile of /root/new.certs/qradar.key
Re-configure Apache now (includes restart of httpd) (Y/[N])? y
Backing up current SSL configuration ... (OK)
Installing user SSL certificate ... (OK)
Reloading httpd configuration:
- Restarting httpd service ... (OK)
Restarting running services:
- Stopping hostcontext ... (OK)
- Restarting Tomcat ... (OK)
- Starting hostcontext ... (OK)
Updating deployment:
- Copying certificate to managed hosts
* 192.0.2.0 ...... (OK)
- Restarting hostcontext on managed hosts
* 192.0.2.0 ...... (OK)
The event collection service must be restarted if WinCollect is used in your environment. Restart the event collection service now (y/[n])? y
- Restarting ecs-ec-ingress on managed hosts
* 192.0.2.0 ...... (OK)
- Restarting ecs-ec-ingress on console ... (OK)
Fri Jan 17 10:33:42 EST 2020 [install-ssl-cert.sh] OK: Install SSL Cert Completed
Note: Data collection for events and flows stops while services are restarted.
- To reload the SSL certificate, restart the podman container on the host that runs your
applications by running the following command:
Tip: If you are running QRadar 7.5.0 UP8 or later, you can restart Podman instead of docker by running the following command:
systemctl restart podman
Results
If the install-ssl-cert.sh script finished with the OK: Install SSL Cert Completed message, then the certificate was installed successfully. If you answered y (yes) to the prompt to reconfigure Apache, you don't need to do anything else. Otherwise, you must deploy the full configuration. On the navigation menu, click Admin, then click .
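A pre-flight check that can be run before install-ssl-cert.sh in the procedure above, as an added example that is not part of IBM's documentation or tooling: it confirms that the certificate is PEM rather than DER, that the private key matches it, that it has not expired, and optionally that it chains to a CA bundle. The function names and the optional CA bundle argument (assumed to be one PEM file holding the root and any intermediate certificates) are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for the files passed to install-ssl-cert.sh.
# Function names are hypothetical; only standard openssl subcommands are used.

# True if the file is a parseable PEM certificate (a DER file fails here).
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
        openssl x509 -in "$1" -noout 2>/dev/null
}

# SHA-256 over the DER public key embedded in the certificate.
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -outform der 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 over the DER public key derived from the private key.
# The empty -passin makes an encrypted key fail instead of prompting.
key_pubkey_hash() {
    openssl pkey -in "$1" -passin pass: -pubout -outform der 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# preflight CERT KEY [CA_BUNDLE]
# Returns 0 if all checks pass, 1 not PEM, 2 key mismatch, 3 expired, 4 chain.
preflight() {
    cert=$1 key=$2 cabundle=${3:-}
    is_pem_cert "$cert" ||
        { echo "FAIL: $cert is not a PEM certificate"; return 1; }
    [ "$(cert_pubkey_hash "$cert")" = "$(key_pubkey_hash "$key")" ] ||
        { echo "FAIL: $key does not match $cert"; return 2; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: $cert has expired"; return 3; }
    if [ -n "$cabundle" ]; then
        openssl verify -CAfile "$cabundle" "$cert" >/dev/null 2>&1 ||
            { echo "FAIL: $cert does not chain to $cabundle"; return 4; }
    fi
    echo "OK: $cert and $key are ready to install"
}

# Usage with the example paths from the procedure:
#   preflight /root/new.certs/cert.cert /root/new.certs/qradar.key
```

A non-zero return identifies which check failed, so the function can gate a wrapper script that only calls install-ssl-cert.sh when the pair is consistent.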