Installing a new SSL certificate

By default, IBM QRadar is configured with a Security Sockets Layer (SSL) certificate that is signed by an internal CA. When you log in to the Console for the first time, you are prompted with a warning message that your connection is not secure or is not private. You can replace the SSL certificate with your own self-signed certificate, a private certificate authority (CA) signed certificate, or a public CA signed certificate.

Before you begin

You must have the following information:

  • The newly signed SSLCertificateFile from either your internal CA, or a public one.
  • The qradar.key private key to generate the Certificate Signing Request (CSR) file.
    Restriction: A private key with a passphrase is not supported.
    To remove the passphrase from the certificate key, type the following command:
    openssl rsa -in key-with-passphrase.key -out key-without-passphrase.key
  • An intermediate certificate, if used by your certificate provider.
    Tip: If an intermediate certificate is used, run the install-ssl-cert.sh command with the -i flag to install both the new certificate and the intermediate certificate. When used, it prompts for three file paths:
    • SSLCertificateFile
    • SSLIntermediateCertificateFile
    • SSLCertificateKeyFile

    The file specified as SSLIntermediateCertificateFile must contain the entire certificate chain, including the root CA and intermediate CA certificates.

If you use a DER formatted certificate, you must convert it to a PEM formatted certificate by typing the following command:
openssl x509 -in <cert>.der -inform der -outform pem -out <cert>.pem
Tip: A more efficient method for uploading a root CA is to use the Certificate Management app. For more information see, Certificate Management(https://www.ibm.com/docs/en/qsip/7.5?topic=apps-radar-certificate-management).

Procedure

  1. If the certificate was issued by an internal certificate authority and not a commercial certificate provider, the CA's root and intermediate certificates are required for a full chain of trust validation. Copy the CA's root certificate and, if needed, the intermediate certificates, to /etc/pki/ca-trust/source/anchors/ and then run the following command:
    update-ca-trust

    Repeat this step on all managed hosts.

  2. Use SSH to log in to the QRadar® Console as the root user. Install the certificate by entering the following command:
    /opt/qradar/bin/install-ssl-cert.sh
    1. At the Path to Public Key File (SSLCertificateFile) prompt, enter the path to the Public Key File. For example:
      /root/new.certs/cert.cert
    2. At the Path to Private Key File (SSLCertificateKeyFile) prompt, enter the path to the Private Key File. For example:
      /root/new.certs/qradar.key
    Example output:
    You have specified the following:
    
           SSLCertificateFile of /root/new.certs/cert.cert
        SSLCertificateKeyFile of /root/new.certs/qradar.key
    
    Re-configure Apache now (includes restart of httpd) (Y/[N])? y
    Backing up current SSL configuration ... (OK)
    Installing user SSL certificate ... (OK)
    Reloading httpd configuration:
    - Restarting httpd service ... (OK)
    Restarting running services:
    - Stopping hostcontext ... (OK)
    - Restarting Tomcat ... (OK)
    - Starting hostcontext ... (OK)
    Updating deployment:
    - Copying certificate to managed hosts
       * 192.0.2.0 ...... (OK)
    - Restarting hostcontext on managed hosts
       * 192.0.2.0 ...... (OK)
    The event collection service must be restarted if WinCollect is used in your environment. Restart the event collection service now (y/[n])? y
    - Restarting ecs-ec-ingress on managed hosts
       * 192.0.2.0 ...... (OK)
    - Restarting ecs-ec-ingress on console ... (OK)
    Fri Jan 17 10:33:42 EST 2020 [install-ssl-cert.sh] OK: Install SSL Cert Completed
    Note: Data collection for events and flows stops while services are restarted.
  3. To reload the SSL certificate, restart the docker container on the host that runs your applications by running the following command:
    systemctl restart docker
    Tip: If you are running QRadar 7.5.0 UP8 or later, you can restart Podman instead of docker by running the following command:
    systemctl restart podman

Results

If the install-ssl-cert.sh script finished with the OK: Install SSL Cert Completed message, then the certificate was installed successfully. If you answered y (yes) to the prompt to reconfigure Apache, you don't need to do anything else. Otherwise, you must deploy the full configuration. On the navigation menu ( Navigation menu icon), click Admin, then click Advanced > Deploy Full Configuration.