Configuring an SSL certificate

Configure a Secure Sockets Layer (SSL) certificate to build a chain of trust.

About this task

The Server, Intermediate CA, and Root CA certificates for the actual Lightweight Directory Access Protocol (LDAP) server are all required for this procedure. Contact your LDAP administrator to request all of the certificate files in base64 encoded format from the LDAP server.

Procedure

  1. Use SSH to log in to IBM QRadar as a root user.
  2. Copy the SSL LDAP Server certificate to the /opt/qradar/conf/trusted_certificates/ directory.
    Alternatively, you can run the following command:
    openssl s_client -connect <LDAP Server IP or FQDN>:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform pem > ldap_server.pem
    Important: This command can be used only to extract the LDAP Server certificate. The Intermediate and Root certificates must be provided by the LDAP Server administrator to build the chain of trust.
  3. To ensure that the FQDN in the Server URL field value matches the Subject Alternative Name in the certificate, run the following command:
    openssl x509 -in /opt/qradar/conf/trusted_certificates/<LDAP Server certificate> -noout -text | grep -A 1 'Subject Alternative Name'
    Tip: The FQDN in the Server URL field is case-sensitive. If this value does not match the Subject Alternative Name in the certificate, you can change the FQDN in the Server URL, or you can request a new certificate from the LDAP Server Administrator.
  4. To copy the Root and Intermediate CA certificates to the /etc/pki/ca-trust/source/anchors/ directory, run the following command:
    cd /etc/pki/ca-trust/source/anchors/
  5. If the chain of trust does not contain an Intermediate certificate, run the following command:
    openssl verify -CAfile <RootCA certificate> /opt/qradar/conf/trusted_certificates/<LDAPServer certificate>
  6. If the chain of trust contains an Intermediate certificate, run the following command:
    openssl verify -CAfile <RootCAcertificate> -untrusted <Intermediate CA certificate> /opt/qradar/conf/trusted_certificates/<LDAP Server Cert>
  7. To confirm that the complete chain of trust for the LDAP server was copied, run the following command:
    openssl verify -CAfile /etc/pki/ca-trust/source/anchors/RootCA.cer /opt/qradar/conf/trusted_certificates/ldap_server.pem
    The returned output is:
    /opt/qradar/conf/trusted_certificates/ldap_server.pem: OK
  8. To add the certificates to the QRadar truststore, run the following command:
    update-ca-trust
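The following script wraps steps 2, 3 and 5 to 7 of the procedure above into reusable functions. It is an added example, not part of the IBM QRadar documentation; it assumes openssl is on the PATH and that the certificate file names passed to it are placeholders you replace with your own. The SAN comparison is done as a plain text match, so it can be exercised without a certificate, and it is case-sensitive, matching the Server URL comparison described in the Tip.

```shell
#!/bin/sh
# Added example (not from the QRadar documentation). Assumes openssl is on PATH.
set -u
TRUSTED=/opt/qradar/conf/trusted_certificates      # QRadar trusted certificates
ANCHORS=/etc/pki/ca-trust/source/anchors           # CA anchors read by update-ca-trust

# Step 2: fetch only the leaf certificate presented by the LDAP server on port 636.
# The Intermediate and Root CA certificates still come from the LDAP administrator.
fetch_server_cert() {   # fetch_server_cert <ldap host or IP> <output .pem>
  openssl s_client -connect "$1:636" -showcerts </dev/null 2>/dev/null \
    | openssl x509 -outform pem > "$2"
}

# Step 3 helper: does the SAN list contain exactly "DNS:<fqdn>"?
# One entry per line, leading spaces stripped, then a fixed-string whole-line
# match (-F -x) so "example.com" does not match "ldap.example.com" and the
# comparison stays case-sensitive.
san_contains() {        # san_contains "<SAN line from openssl>" <fqdn>
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# Step 3: extract the SAN line from the certificate and compare it to the FQDN
# that is entered in the Server URL field.
check_san() {           # check_san <server cert .pem> <fqdn>
  san=$(openssl x509 -in "$1" -noout -text \
        | grep -A 1 'Subject Alternative Name' | tail -n 1)
  san_contains "$san" "$2"
}

# Steps 5 to 7: verify the chain with or without an Intermediate CA certificate.
# Prints "<server cert>: OK" on success, as in step 7.
verify_chain() {        # verify_chain <RootCA.cer> <server cert .pem> [Intermediate CA .cer]
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2"
  else
    openssl verify -CAfile "$1" "$2"
  fi
}
```

Typical use after copying the CA files into $ANCHORS: `verify_chain "$ANCHORS/RootCA.cer" "$TRUSTED/ldap_server.pem" "$ANCHORS/IntermediateCA.cer"` followed by `update-ca-trust` as in step 8.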

Results

The required certificates are imported into QRadar to be used for SSL configuration. If the chain of trust verification does not report OK, contact the LDAP administrator and verify that all certificates are correct.