Updating the QRadar Incident Forensics trust certificate store

If you configure your IBM QRadar Network Packet Capture server to use a custom certificate and key, you must manually add the new certificate to the QRadar Incident Forensics trust certificate store.

If you do not add the new certificate to the truststore, you might see certificatePinning messages in the log files on the QRadar Incident Forensics managed host.

Procedure

  1. Use SSH to log in to the QRadar Incident Forensics managed host as the root user.
  2. If the certificate was issued by an internal certificate authority and not a commercial certificate provider, the CA's root and intermediate certificates are required for a full chain of trust validation.
    1. Copy the CA's root certificate and, if needed, the intermediate certificates, to /etc/pki/ca-trust/source/anchors/.
    2. Type this command:
      update-ca-trust
  3. To retrieve the new certificate from the PCAP server and add it to the trust certificate store, type this command:
    /opt/qradar/bin/getcert.sh <IP_address_of_the_PCAP_server>
  4. Restart the hostcontext service.
    systemctl restart hostcontext
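Before running getcert.sh and restarting hostcontext, it is worth confirming that the CA certificate placed in the anchors directory was actually picked up by update-ca-trust and that the PCAP server's certificate chain now validates against the system bundle, since an incomplete chain is what produces the certificatePinning messages. The script below is an added example, not part of the IBM procedure or of getcert.sh; it assumes openssl is installed on the managed host, that the bundle lives at the standard /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem path, and that the PCAP server listens on TCP port 443 (change the port argument if your deployment differs).

```shell
#!/bin/sh
# Added check (not IBM code): verify the trust-store update before touching
# hostcontext. Usage: sh check_pcap_trust.sh <anchor.pem> <pcap_host> [port]

# Bundle that update-ca-trust regenerates from source/anchors on RHEL-family hosts.
TRUST_BUNDLE="${TRUST_BUNDLE:-/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem}"

# cert_trusted_by_bundle CERT_PEM BUNDLE_PEM
# Returns 0 when CERT_PEM chains to a certificate in BUNDLE_PEM. A self-signed
# root only passes when the bundle itself contains it, so this tells you whether
# update-ca-trust really imported the anchor you copied.
cert_trusted_by_bundle() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# pcap_chain_verifies HOST PORT BUNDLE_PEM
# Performs a TLS handshake with the PCAP server and fails unless the chain it
# presents verifies against BUNDLE_PEM (-verify_return_error aborts on error).
pcap_chain_verifies() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# served_cert_fingerprint HOST PORT
# Prints the SHA-256 fingerprint of the leaf certificate the server sends, so
# it can be compared with the custom certificate installed on the PCAP server.
served_cert_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

main() {
    anchor="$1"; host="$2"; port="${3:-443}"   # 443 is an assumed default port
    cert_trusted_by_bundle "$anchor" "$TRUST_BUNDLE" \
        || { echo "$anchor is not trusted by $TRUST_BUNDLE; rerun update-ca-trust" >&2; exit 1; }
    pcap_chain_verifies "$host" "$port" "$TRUST_BUNDLE" \
        || { echo "chain from $host:$port does not verify; check intermediates" >&2; exit 1; }
    echo "served certificate: $(served_cert_fingerprint "$host" "$port")"
    echo "chain OK: safe to run getcert.sh and restart hostcontext"
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ $# -ge 2 ]; then main "$@"; fi
```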