Starting with QRadar
7.5.0 Update Package 6 (UP6) the kernel modules
contained in the SFS are signed using a new certificate. Therefore, any EFI firmware host with
Secure Boot enabled that is patched to UP6 or later fails to load the new kernel modules due to the
missing public key on the system keyring and might cause the host to become unresponsive. To avoid
this problem, you must import the IBM public key contained on the SFS into the system keyring before
patching.
Before you begin
On the console download and mount the SFS to the patching mount point. For example,
/media/updates.
About this task
The IBM public key is available on the root of the SFS, using the above mount point the
path would be: /media/updates/ibm_public_key.cer.
Procedure
- Import and enroll the key on the console by completing the following steps:
- Import the public key by using the command: mokutil --import
/media/updates/ibm_public_key.cer.
You are required to enter a password to be
used during the MOK manager phase.
When prompted, enter and reenter a password. This password is used during the MOK manager screens
when the system is rebooted.
- From the console terminal, do not use an SSH session, reboot
the host. During the boot the MOK manager window appears, you have only10 seconds to press a key to
enter the MOK manager. If the MOK manager window disappears without enrolling the key the system
continues to boot and the public key is not enrolled into the system keyring and you must begin this
procedure again to import and reboot. See Importing and Enrolling the public key section for details
on the MOK manager screen.
- After enrolling the public key the system continues the boot
process. Once the system is ready you can verify the key is enrolled, see Step 3 of Enabling
secure boot.
- To import and enroll the key on the rest of your deployment complete the following
steps:
- From the console copy the public key to all hosts in the deployment using
all_servers:
/opt/qradar/support/all_servers.sh -Ckp /media/updates/ibm_public_key.cer
The key is stored on each host under the path:
/storetmp/ibm_public_key.cer.
- Use SSH to import the key to be enrolled using the command:
mokutil --import /storetmp/ibm_public_key.cer
- Once the key is imported follow the steps 1.b and 1.c.