Configuring an App Host on IBM Cloud VPC

Configure an IBM QRadar App Host on an IBM Cloud® VPC Server instance by using the IBM Cloud VPC image on Fix Central.

Before you begin

You must acquire entitlement to a QRadar Software Node before you deploy the QRadar instance. To acquire entitlement to a QRadar Software Node, contact your QRadar Sales Representative.

For any issues with QRadar software, engage IBM® Support. If you experience any problems with IBM Cloud VPC infrastructure, refer to IBM Cloud VPC documentation (https://cloud.ibm.com/docs). If IBM Support determines that your issue is caused by the IBM Cloud VPC infrastructure, you must contact IBM Cloud for support to resolve the underlying issue.

About this task

If you are installing a data gateway for QRadar on Cloud, go to Installing a QRadar data gateway in IBM Cloud (https://www.ibm.com/docs/en/SSKMKU/com.ibm.qradar.doc/t_hosted_IBM_Cloud_VPC.html).

You must use static IP addresses.

If you deploy a managed host and a Console in the same virtual network, use the private IP address of the managed host to add it to the Console.

If you deploy a managed host and a Console in different virtual networks, you must allow firewall rules for the communication between the Console and the managed host. For more information, see QRadar® port usage.

Procedure

  1. Download the .qcow2 image file.
    1. Go to the CLOUD MARKET PLACE section of Fix Central (https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=all).
    2. Click 7.4.3-CMP-IBMCloudVPC-APPHOST-QRADAR-20220329114452.
    3. Download the .qcow2 and .sig files.
      The .qcow2 file download can take several hours.
    4. Use the .sig file to verify the integrity of the .qcow2 file.
  2. Upload the .qcow2 image file.
    1. Go to IBM Cloud (https://cloud.ibm.com/) and create a new storage bucket.
      You need the location that is used by your storage bucket in step 3.
    2. Upload the .qcow2 file.
      The upload can take up to an hour. Do not rename the .qcow2 file. Renaming the file causes the import to fail.
  3. Import the .qcow2 file.
    1. In IBM Cloud, click Navigation Menu > VPC Infrastructure > Custom images.
    2. Click Create.
    3. Enter a name for the image and select a Resource group for the image to belong to.
    4. Set the Source to Cloud Object Storage.
    5. Select the Cloud Object Storage service instance, the location that is used by your storage bucket, your storage bucket, and the .qcow2 file that you uploaded.
      Note: If you want to import your image into multiple regions, you will have to repeat step 2 and create a new storage bucket in each desired region.
    6. Set the Operating system to Red Hat Enterprise Linux, and set the Version to red-7-amd64-byol.
    7. Click Create custom image.
      The import can take up to 10 minutes.
  4. After the image status is Available, create the instance.
    1. Click Navigation Menu > VPC Infrastructure > Virtual Server Instances.
    2. Click Create +.
    3. Set the Architecture to Intel.
    4. Set the Hosting type to Public.
    5. Set the location to the same region that you imported your image to in step 3.
    6. Give your instance a name that doesn't exceed 57 characters.
      The name can contain only alphanumeric characters and the - symbol.
    7. Select a Resource group for the instance.
    8. If you would like an easier way to identify your instance, enter a tag for your instance.
    9. Set the Operating system to Custom image.
      The Select custom image window appears.
    10. Choose the image that you imported in step 3, then click Select.
    11. Click View all profiles.
      The Select an instance profile window appears.
    12. Select a profile that meets the system requirements for virtual appliances, then click Save.
      Important: Instances that use Instance storage are not supported.
    13. Select or create an SSH key pair.
      You need an SSH key pair to access the instance by using SSH.
    14. In the Data volumes section, click Create +.
    15. Enter a Name for the second disk.
    16. Estimate your storage needs and enter a size for the second disk in GB.
      The minimum size is 250 GB. The added disk must be the second disk. It cannot be the third or greater disk.

      When the installation is complete, this disk contains the /store and /transient partitions.

      Warning: You cannot increase storage after installation.
    17. Select a profile, set the IOPS, and click Create.
    18. Select a Virtual private cloud.
    19. In the Network interfaces section, click the Edit icon next to eth0.
    20. Leave the interface set to eth0 and select a Subnet.
    21. Set Reserving method to Let me specify and select a reserved private IP address from your subnet.
      This IP address will be the private IP address associated with your instance.
    22. Select a security group that allows ports 22 and 443 only from trusted IP addresses, then click Save.
      In a QRadar deployment with multiple appliances, other ports might also be allowed between managed hosts. For more information about which ports might need to be allowed in your deployment, see QRadar port usage (c_qradar_adm_ports_and_servers.html).
    23. Click Create Virtual Server.
  5. When the instance status says Running, assign a floating IP address to your instance.
    1. Click on the instance that you created.
    2. In the Network interfaces section, click the Edit icon next to eth0.
    3. Select an IP address or Reserve a new floating IP from the Floating IP address dropdown, then click Save.
  6. Install the App Host and set the root password.
    1. When the floating IP address is assigned, log in by typing the following command:
      ssh -i <private_key> cloud-user@<public_IP_address>
    2. To install the App Host, type the following command:
      sudo /root/setup_apphost
    3. The system prompts you to set the root password. Set a strong password that meets the following criteria.
      • Contains at least 5 characters
      • Contains no spaces
      • Includes one or more of the following special characters: @, #, ^, and *.
  7. Add the host to your deployment in QRadar.
    1. On the navigation menu, click Admin.
    2. In the System Configuration section, click System and License Management.
    3. In the Display list, select Systems.
    4. On the Deployment Actions menu, click Add Host.
    5. Configure the settings for the host by providing the fixed IP address, and the root password to access the operating system shell on the appliance.
    6. Click Add.
    7. Optional: Use the Deployment actions > View Deployment menu to see visualizations of your deployment. You can download a PNG image or a Microsoft Visio (2010) VDX file of your deployment visualization.
    8. On the Admin tab, click Advanced > Deploy Full Configuration.
      Important: QRadar continues to collect events when you deploy the full configuration. When the event collection service must restart, QRadar does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.
  8. Change where your apps are run in QRadar.
    1. On the System and License Management screen, click the Click to change where apps are run link.
    2. Click App Host to transfer apps to the App Host.
      Note: The more apps and app data you have, the longer the transfer takes.
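
Step 1, substep 4 says to verify the .qcow2 file against its .sig file but shows no command. The following is an added example, not IBM's documented procedure: it assumes the .sig is a detached SHA-256 signature that can be checked with openssl against the public key in a PEM code-signing certificate, and the names verify_image and demo, the throwaway key, and the stand-in image file are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a detached signature before uploading an image.
# Assumption: the .sig is a detached SHA-256 signature that verifies against
# the public key contained in the vendor's code-signing certificate (PEM).

# verify_image CERT_PEM SIG_FILE IMAGE_FILE
# Returns 0 only if the signature is valid, 1 if it is not, 2 on bad input.
verify_image() {
    cert=$1; sig=$2; image=$3
    for f in "$cert" "$sig" "$image"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done
    pub=$(mktemp) || return 2
    # Extract the public key from the certificate, then check the signature.
    if openssl x509 -in "$cert" -pubkey -noout > "$pub" 2>/dev/null &&
       openssl dgst -sha256 -verify "$pub" -signature "$sig" "$image" \
           >/dev/null 2>&1
    then rc=0; else rc=1; fi
    rm -f "$pub"
    return $rc
}

# Constructed demo: throwaway signer, stand-in "image", then a modified copy.
# Prints "<result for intact file> <result for modified file>".
demo() {
    d=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/key.pem" \
        -out "$d/cert.pem" -subj "/CN=constructed-demo-signer" -days 1 \
        2>/dev/null
    printf 'constructed stand-in for the qcow2 bytes\n' > "$d/demo.qcow2"
    openssl dgst -sha256 -sign "$d/key.pem" \
        -out "$d/demo.qcow2.sig" "$d/demo.qcow2"
    good=0
    verify_image "$d/cert.pem" "$d/demo.qcow2.sig" "$d/demo.qcow2" || good=$?
    printf 'x' >> "$d/demo.qcow2"   # simulate a corrupted or altered download
    bad=0
    verify_image "$d/cert.pem" "$d/demo.qcow2.sig" "$d/demo.qcow2" || bad=$?
    rm -rf "$d"
    echo "$good $bad"
}
```

Upload the image to the storage bucket only when verify_image returns 0 for the downloaded files; a nonzero result means the file should be downloaded again rather than imported.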