Configuring an App Host on IBM Cloud

Configure an IBM QRadar App Host on an IBM Cloud instance by using the provided IBM Cloud image.

Before you begin

You must acquire entitlement to a QRadar Software Node before you deploy the QRadar instance. To acquire entitlement to a QRadar Software Node, contact your QRadar Sales Representative.

For any issues with QRadar software, engage IBM® Support. If you experience any problems with IBM Cloud® infrastructure, refer to IBM Cloud documentation (https://cloud.ibm.com/docs). If IBM Support determines that your issue is caused by the IBM Cloud infrastructure, you must contact IBM Cloud for support to resolve the underlying issue.

About this task

You must use static IP addresses.

You cannot have more than two DNS entries. QRadar installation fails if you have more than two DNS entries in the /etc/resolv.conf file.

If you are installing a data gateway for QRadar on Cloud, go to Installing a QRadar data gateway in IBM Cloud (https://www.ibm.com/docs/en/SSKMKU/com.ibm.qradar.doc/t_hosted_IBM_Cloud.html).

Procedure

  1. Download the .vhd image file.
    1. Go to the CLOUD MARKET PLACE section of Fix Central (https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=all).
    2. Click 7.4.1-CMP-IBMCloud-APPHOST-QRADAR-20200716115107.
    3. Download the .vhd and .sig files.
      The .vhd file download can take several hours.
  2. Upload the .vhd image file.
    1. Go to IBM Cloud (https://cloud.ibm.com/) and create a new storage bucket.
      You need the location that is used by your storage bucket, and the IBM Cloud API Key for your storage bucket, in step 3.
    2. Upload the .vhd file.
      The upload can take up to an hour. Do not rename the .vhd file. Renaming the file causes the import to fail.
  3. Configure network settings and create the instance.
    1. Click Navigation Menu > Classic Infrastructure > Manage > Images.
    2. In the Visibility menu, select Private images and find the image that you uploaded.
    3. Click Actions menu > Order Public VSI.
    4. Select the Public Multi-tenant virtual server type.
    5. Enter a hostname and domain. The combined character count of the hostname and domain cannot exceed 64 characters.
    6. Select a data center location.
    7. Select a profile that meets the system requirements for virtual appliances.
      Important: Profiles from the Balanced local storage family are not supported.
    8. Select an SSH key if you have one. Otherwise, select None.
    9. Choose an uplink port speed under Public & Private network uplinks.
      You can choose to deploy either a public machine or a private machine. The network configuration of this host must match your Console. If your Console is public, this host must also be public. If your Console is private, this host must also be private.
      • Public machines have a public IP address and a private IP address, and they are accessible from the internet. You must use the public IP address to attach this host to your Console in step 8 d.
      • Private machines have only a private IP address, and can only be accessed within the same network, or through a routing solution of your own choosing. You need both the routed public IP address and the private IP address to attach this host to your Console in step 8 d.
    10. Select allow_all and allow_outbound for a private security group. If you are deploying a public machine, select allow_all and allow_outbound for a public security group too.
      In a QRadar deployment with multiple appliances, many ports must be allowed between managed hosts. For more information about what ports might need to be allowed in your deployment, see Common ports and servers used by QRadar. Restrict ports that are not needed by using a firewall or other technology that allows you to restrict ports.
    11. Accept the third-party service agreements and click Create.
    The Devices screen loads. In a few minutes, a date appears in the Start Date field.
  4. After the instance has a Start Date, configure storage for the instance.
    1. Click Navigation Menu > Classic Infrastructure > Block Storage.
    2. In the Portable storage section, click Order Portable Storage.
    3. Select the same Region, Location, and Zone for your portable storage that your instance is in.
    4. Enter a description for your portable storage.
    5. Estimate your storage needs and enter a size for the second disk in GB.
      The minimum size is 250 GB. The added disk must be the second disk. It cannot be the third or greater disk.

      When the installation is complete, this disk contains the /store and /transient partitions.

      Warning: You cannot increase storage after installation.
    6. Accept the service agreement and click Create.
  5. Attach storage to your instance.
    1. Click Navigation Menu > Classic Infrastructure > Block Storage.
    2. In the Portable storage section, find the disk that you created and click Actions menu > Attach.
    3. Find the instance that you created and click Attach.
    4. Accept the warning that the virtual server will be shut off during disk attachment and click Attach.
    The second disk is added and the instance restarts. This process takes several minutes.
  6. Install the App Host and set the admin password.
    1. When the instance is ready, log in by typing the following command:
      ssh root@<public_IP_address>

      If you are not using an SSH key, you are prompted to enter the root password. This password is provided in your instance details.

      If you deployed a private-only host, you will not be able to SSH directly to the host. You must first connect to a router that allows access to the host.

    2. To install the App Host, type the following command:
      sudo /root/setup_apphost
    3. The system prompts you to set the root password. Set a strong password that meets the following criteria.
      • Contains at least 5 characters
      • Contains no spaces
      • Includes one or more of the following special characters: @, #, ^, and *.
    4. Update the license file to address the issue described in APAR IJ30161 (https://www.ibm.com/support/pages/apar/IJ30161) by typing the following command:
      echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" | tee /opt/qradar/ecs/license.txt /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt /usr/eventgnosis/ecs/license.txt /opt/qradar/conf/templates/ecs_license.txt
      It takes approximately 5 minutes for the changes to complete.
    5. Restart your instance by typing the following command:
      reboot
  7. Add the host to your deployment in QRadar.
    1. On the navigation menu, click Admin.
    2. In the System Configuration section, click System and License Management.
    3. In the Display list, select Systems.
    4. On the Deployment Actions menu, click Add Host.
    5. Configure the settings for the App Host by providing the IP address of the host and the root password that is used to access the operating system shell on the appliance.
      • For a public host, provide the public IP address, and the root password to access the operating system shell on the appliance.
      • For a private host, provide the private IP address and the root password. If your host is in a different network from your Console, select NAT. Select or create a NAT group for non-Consoles and provide the public IP address that you routed to the host.
    6. Click Add.
    7. Optional: Use the Deployment actions > View Deployment menu to see visualizations of your deployment. You can download a PNG image or a Microsoft Visio (2010) VDX file of your deployment visualization.
    8. On the Admin tab, click Advanced > Deploy Full Configuration.
      Important: QRadar continues to collect events when you deploy the full configuration. When the event collection service must restart, QRadar does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.
  8. Change where your apps are run in QRadar.
    1. On the System and License Management screen, click the Click to change where apps are run link.
    2. Click App Host to transfer apps to the App Host.
      Note: The more apps and app data you have, the longer the transfer takes.
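
A preflight check for two limits stated on this page (no more than two DNS entries in /etc/resolv.conf, and a combined hostname and domain of at most 64 characters), to run before sudo /root/setup_apphost. This is an added example, not IBM code: the function names are hypothetical, a "DNS entry" is assumed to mean an active nameserver line, and the separating dot is counted toward the 64 characters as the stricter reading.

```shell
#!/bin/sh
# Added example: preflight checks for two limits stated on this page.

# Print the number of active nameserver lines in a resolv.conf-style file.
# Commented-out lines are skipped because their first field is not "nameserver".
count_nameservers() {
    awk '$1 == "nameserver" { n++ } END { print n + 0 }' "$1"
}

# Return 0 when the file has at most two DNS entries, 1 when it has more.
check_dns_entries() {
    n=$(count_nameservers "$1") || return 2
    if [ "$n" -gt 2 ]; then
        echo "FAIL: $n nameserver entries in $1 (limit is 2)" >&2
        return 1
    fi
    echo "OK: $n nameserver entries in $1"
}

# Return 0 when hostname plus domain fits in 64 characters.
# Assumption: the separating dot is counted, the stricter reading of the limit.
check_name_length() {
    fqdn="$1.$2"
    if [ "${#fqdn}" -gt 64 ]; then
        echo "FAIL: $fqdn is ${#fqdn} characters (limit is 64)" >&2
        return 1
    fi
    echo "OK: $fqdn is ${#fqdn} characters"
}

# Demo on constructed input: three resolvers, one more than the installer accepts.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real configuration
search example.com
nameserver 10.0.80.11
nameserver 10.0.80.12
nameserver 192.0.2.53
EOF
check_dns_entries "$sample" || echo "Remove extra nameserver lines before running setup_apphost"
check_name_length apphost01 example.com || echo "Shorten the hostname or domain"
rm -f "$sample"
```

On the instance, call check_dns_entries /etc/resolv.conf and check_name_length with the hostname and domain that you entered in step 3.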