Importing a Cisco Firepower Management Center certificate in QRadar

The estreamer-cert-import.pl script for QRadar converts your pkcs12 certificate file to a keystore and truststore file and copies the certificates to your QRadar appliance. Repeat this procedure for each Firepower Management Center pkcs12 certificate that you need to import to your QRadar Console or Event Collector.

Before you begin

You must have root or su - root privileges to run the estreamer-cert-import.pl import script.

About this task

The estreamer-cert-import.pl import script is stored on your QRadar Event Collector when you install the Cisco Firepower eStreamer protocol.

The script converts and imports only 1 pkcs12 file at a time. You are required to import a certificate only for the QRadar appliance that receives the Firepower Management Center events. For example, after the Firepower Management Center event is categorized and normalized by an Event Collector in a QRadar deployment, it is forwarded to the QRadar Console. In this scenario, you would import a certificate to the Event Collector.

When you import a new certificate, existing Firepower Management Center certificates on the QRadar appliance are renamed to estreamer.keystore.old and estreamer.truststore.old.

Procedure

  1. Log in as the root user by using SSH on the QRadar appliance that will receive the events.
  2. Copy the downloaded certificate from your Firepower Management Center appliance to a temporary directory on the QRadar Event Collector.
  3. Type the following command to import your pkcs12 file.
    /opt/qradar/bin/estreamer-cert-import.pl -f <pkcs12_absolute_filepath> options
    The -f parameter is required. All other parameters that are described in the following table are optional.
    Table 1. Import script command parameters
    Parameter Description
    -f Identifies the file name of the pkcs12 files to import.
    -o Overrides the default eStreamer name for the keystore and truststore files. Use the -o parameter when you integrate multiple Firepower Management Center devices. For example, /opt/qradar/bin/estreamer-cert-import.pl -f <file name> -o <IP_address>
    The import script creates the following files:
    • /opt/qradar/conf/<IP_address>.keystore
    • /opt/qradar/conf/<IP_address>.truststore
    -d Enables verbose mode for the import script. Verbose mode is intended to display error messages for troubleshooting purposes when pkcs12 files fail to import properly.
    -p Specifies a password if a password was provided when you generated the pkcs12 file.
    -v Displays the version information for the import script.
    -h Displays a help message about using the import script.

Results

The import script displays the location where the import files were copied.
Example:
Figure 1. Sample import script output
Sample import script output that displays the file location for the imported files.