Configuring encrypted communication between HCL BigFix and QRadar

For IBM QRadar Vulnerability Manager to receive vulnerability fix status updates by using Web Reports from HCL BigFix, configure Transport Layer Security (TLS).

When QRadar Vulnerability Manager receives Fixlet status updates from BigFix, it uses the SOAP API for BigFix Web Reports to request updates by using queries that use the BigFix Relevance language. The queries are used to extract data from the in-memory BigFix Web Reports database. QRadar parses and saves the data. You can use saved searches to view the BigFix updates in QRadar. BigFix doesn’t use Web Reports TLS by default, so you configure TLS communication and BigFix Web Reports.

Before you begin

The following components must be installed on your network:
  • A BigFix server.
  • A BigFix Console.
  • A BigFix agent on each asset in your network that you scan.
  • An IBM QRadar Console.
  • A licensed installation of QRadar Vulnerability Manager.

You must have QRadar V7.2.6 or later with the most recent updates.

Note: To prepare for this integration, it is good practice to run Auto Update from the Admin tab to get the most recent scan tools.

Procedure

  1. To configure TLS, complete the following steps:
    1. Download the public key certificate from BigFix to your QRadar Console by typing the following command at the shell prompt of your QRadar Console.

      openssl x509 -in <(openssl s_client -connect <bigfix ip address>:<port> -prexit 2>/dev/null) > /opt/qvm/iem/iem_cert.pem

      Typically, BigFix listens on port 52312.

    2. To create a truststore in QRadar, type the following command:

      keytool -keystore /opt/qvm/iem/truststore.jks -genkey -alias iem_webreports

    3. Import the BigFix public key certificate to your QRadar truststore by typing the following command:

      keytool -importcert -file /opt/qvm/iem/iem_cert.pem -keystore /opt/qvm/iem/truststore.jks -storepass <your_truststore_password> -alias BigFix_webreports

    4. At the Trust this certificate? prompt, type Yes.
  2. To configure TLS and BigFix Web Reports for QRadar Vulnerability Manager, complete the following steps:
    1. Use SSH to log in to the QRadar console as the root user.
    2. Type ./iem-setup-webreports.pl and when prompted, type the host name, host port, user name, and password for the BigFix server.

      You can run this command from any directory. The files are created in the /opt/qvm/iem directory.

    3. At the Use SSL/TLS encryption? prompt, type the appropriate response.
    4. Follow the prompts.
    5. To view the contents of the webreports.properties file, type the following command at the shell prompt:

      more /opt/qvm/iem/webreports.properties

      The webreports.properties file contains the allowed SSL/TLS transport protocols, for example, webreports.tls.protocols=TLSv1.2 or a comma-separated list such as webreports.tls.protocols=TLSv1.2,TLSv1.1.

      Verify that the following line contains a port number that follows the IP address:

      webreports.endpoint=http://<IP_address>:<port>/webreports

      If you want to use a different port, edit the /opt/qvm/iem/webreports.properties file and change the port number.
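
The verification in the last step can be scripted. The following is an added example, not code from IBM or HCL: it reads the two properties shown above, confirms that webreports.endpoint carries a port number, and lists any entry in webreports.tls.protocols older than TLSv1.2. The function names, the sample file contents, and the choice to flag protocols older than TLSv1.2 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not IBM/HCL code): sanity checks for webreports.properties.
# The two property names come from the page; treating protocols older than
# TLSv1.2 as weak is this example's assumption.

# Print the value of KEY from a Java-style properties FILE (last match wins).
prop_get() {  # usage: prop_get FILE KEY
  awk -v k="$2" '
    { sub(/\r$/, "") }                       # tolerate CRLF line endings
    /^[ \t]*[#!]/ { next }                   # skip comment lines
    { i = index($0, "="); if (i == 0) next
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == k) found = val }
    END { if (found != "") print found }' "$1"
}

# Print the port in webreports.endpoint; fail if it is missing or out of range.
endpoint_port() {  # usage: endpoint_port FILE
  port=$(prop_get "$1" webreports.endpoint |
    sed -n 's#^https\{0,1\}://[^/:]\{1,\}:\([0-9]\{1,5\}\)\(/.*\)\{0,1\}$#\1#p')
  [ -n "$port" ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] &&
    printf '%s\n' "$port"
}

# Print each webreports.tls.protocols entry older than TLSv1.2 (JSSE names).
weak_protocols() {  # usage: weak_protocols FILE
  prop_get "$1" webreports.tls.protocols | tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
    grep -E '^(SSLv2Hello|SSLv3|TLSv1|TLSv1\.1)$' || true
}

# Constructed sample; on a console, pass /opt/qvm/iem/webreports.properties.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not taken from a real console
webreports.endpoint=http://192.0.2.10:52312/webreports
webreports.tls.protocols=TLSv1.2,TLSv1.1
EOF

if p=$(endpoint_port "$sample"); then echo "endpoint port: $p"
else echo "webreports.endpoint has no valid port"; fi
weak=$(weak_protocols "$sample")
[ -z "$weak" ] || echo "protocols older than TLSv1.2 enabled: $weak"
rm -f "$sample"
```

If weak_protocols prints anything, edit the webreports.tls.protocols line so that it lists only the protocol versions your policy allows.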