Setting up certificate-based authentication on QRadar

In TLS over TCP communication between IBM Disconnected Log Collector and IBM QRadar, certificate-based communication is used to establish a chain of trust in which hardware and software is validated from the end entity to the root certificate.

Before you begin

You must have a root certificate that was issued by a trusted certificate authority (CA). Typically, you use the same root certificate on the Disconnected Log Collector and QRadar computers. Ensure that the root certificate has a meaningful name, such as root-ca.cer. The client_root_ca.crt file must be in X.509 format.

If the signer uses an intermediate CA, you must also import the intermediate CA's root certificate into the truststore. In this case, use your own truststore instead of the QRadar server truststore.

Important: If multiple Disconnected Log Collectors exist in the environment, perform the following steps only once on the QRadar system that the Disconnected Log Collector connects to.

Procedure

  1. Use SSH to log in to the Event Collector, Event Processor, or QRadar Console that receives events from the Disconnected Log Collector instance.
  2. Copy the root certificate to the /etc/pki/ca-trust/source/anchors directory.
  3. If you're using your own truststore, type the following commands to add the client certificate's CA and the intermediate CA into your own truststore:
    keytool -import -alias client_root_ca -file client_root_ca.crt -keystore clientca
    
    keytool -import -alias client_int_ca -file client_int_ca.crt -keystore clientca
    
    Important:
    • The client_root_ca.crt file must be in X.509 format.
    • Run the second command only if your certificate is signed by an intermediate CA.
  4. If you're using the default truststore, type the following command to update the default truststore:
    update-ca-trust
  5. To configure the server's certificate signing request (CSR), create a text file with this information:
    [ default ]
    # Change the following line to include the FQDN and IP address of the QRadar console or host
    SAN = DNS:<ec.example.com>,IP:<IP_address>
    [ req ]
    default_bits = 2048                        # RSA key size; change to 4096 if required by your
    organization
    encrypt_key = no                           # Protect private key
    default_md = sha256                        # MD to use
    utf8 = yes                                 # Input is UTF-8
    string_mask = utf8only                     # Emit UTF-8 strings
    prompt = no                                # Prompt for DN
    distinguished_name = server_dn             # DN template
    req_extensions = server_reqext             # Desired extensions
    [ server_dn ]
    organizationName = <your_organization_name>
    organizationalUnitName = <your_organizational_unit_name>
    commonName = <common_name>                 # Should match a listed SAN
    [ server_reqext ]
    keyUsage = critical,digitalSignature,keyEncipherment
    extendedKeyUsage = serverAuth,clientAuth
    subjectKeyIdentifier = hash
    subjectAltName = $ENV::SAN
  6. Save the text file as /tmp/tls-server.conf or in your preferred location.
  7. Generate a server certificate signing request (CSR) by typing the following command:
    openssl req -new -config /tmp/tls-server.conf -out /tmp/tls-server.csr -keyout /tmp/tlsserver.key

    A server CSR file is saved in /tmp/tls-server.csr, and a private key file is saved in /tmp/tls-server.key.

  8. Submit the CSR to your internal or commercial certificate authority for signing, according to their instructions.

    The procedure might involve opening the CSR file and copying a block of encoded text that is contained between BEGIN and END markers.

  9. Copy the returned server certificate to the /tmp directory or your preferred location.
  10. Ensure that the client certificate is in PEM (Base64 ASCII) format. If the certificate is in DER (binary) format, convert it to PEM format by typing the following command:
    openssl x509 -inform der -in <certificate_file_name>.der -out <certificate_file_name>.pem
    Tip: A certificate's file extension does not necessarily indicate the encoding method that is used. For example, a certificate with a .cer extension might have Base-64 or DER encoding. Typically, you choose the encoding method during the certificate request procedure. Search the internet for information about OpenSSL commands that convert certificates from one format to another.
    The PEM file contains a block of encoded text that is contained between the BEGIN and END markers.
  11. If your CA uses an intermediate CA to sign certificates, ensure that the intermediate CA certificate is in PEM (Base64 ASCII) format. If the certificate is in DER (binary) format, convert it to PEM format (see the previous step). Then, append the intermediate CA certificate to the signed server certificate by typing the following command:
    cat <intermediate_ca_file_name>.pem >> <signed_server_certificate_file_name>.pem
  12. If the store server certificate that you received is not in PKCS#12 format, such as Distinguished Encoding Rules (DER), convert the client certificate to PKCS#12 format. Type the following command, and choose a secure password when prompted:
    openssl pkcs12 -inkey /tmp/tlsserver.key -in <signed_server_certificate_file_name>.pem -export -out dlc-server.pfx
    A generated personal exchange format (PFX) file is saved as /opt/ibm/si/services/dlc/keystore/dlc-client.pfx. The required PFX information is stored in the /opt/ibm/si/services/dlc/conf/config.json file.
  13. Choose a secure password when prompted.
  14. Copy the server certificate to the QRadar computer in the /opt/qradar/conf/key_stores directory. If the /key_stores folder doesn't exist, create it.

Results

You can configure the Disconnected Log Collector log source on QRadar by using the dlc-server.pfx file that you created.

What to do next

Setting up TLS over TCP communication with QRadar