In TLS over TCP communication between IBM Disconnected Log Collector and IBM QRadar, certificate-based authentication establishes a chain of trust in which each certificate is validated from the end-entity (server) certificate up to the trusted root certificate.
Before you begin
You must have a root certificate that was issued by a trusted certificate authority (CA). Typically, you use the same root certificate on the Disconnected Log Collector and QRadar computers. Give the root certificate file a meaningful name, such as root-ca.cer; this procedure refers to it as client_root_ca.crt. The file must be in X.509 format.
If the signer uses an intermediate CA, you must also import the intermediate CA's certificate into the truststore. In this case, use your own truststore instead of the QRadar server truststore.
Important: If multiple Disconnected Log Collectors exist in the environment, perform the following steps only once on the QRadar system that the Disconnected Log Collectors connect to.
Procedure
-
Use SSH to log in to the Event Collector, Event Processor, or QRadar
Console that receives events from
the Disconnected Log
Collector instance.
-
Copy the root certificate to the /etc/pki/ca-trust/source/anchors
directory.
- If you're using your own truststore, type the following commands to add
the client certificate's CA and the intermediate CA into your own truststore:
keytool -import -alias client_root_ca -file client_root_ca.crt -keystore clientca
keytool -import -alias client_int_ca -file client_int_ca.crt -keystore clientca
Important:
- The client_root_ca.crt file must be in X.509 format.
- Run the second command only if your certificate is signed by an intermediate CA.
- If you're using the default truststore, type the following command to
update the default truststore:
- To configure the server's certificate signing request (CSR), create a text file with this information:
[ default ]
# Change the following line to include the FQDN and IP address of the QRadar console or host
SAN = DNS:<ec.example.com>,IP:<IP_address>
[ req ]
default_bits = 2048 # RSA key size; change to 4096 if required by your organization
encrypt_key = no # The private key file is written unencrypted; restrict its file permissions
default_md = sha256 # Message digest to use
utf8 = yes # Input is UTF-8
string_mask = utf8only # Emit UTF-8 strings
prompt = no # Do not prompt for the DN; take it from server_dn
distinguished_name = server_dn # DN template
req_extensions = server_reqext # Requested extensions
[ server_dn ]
organizationName = <your_organization_name>
organizationalUnitName = <your_organizational_unit_name>
commonName = <common_name> # Should match a listed SAN
[ server_reqext ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
subjectAltName = $ENV::SAN # Uses the SAN environment variable if set, otherwise SAN from [ default ]
- Save the text file as /tmp/tls-server.conf or in
your preferred location.
- Generate a server certificate signing request (CSR) by typing the following command:
openssl req -new -config /tmp/tls-server.conf -out /tmp/tls-server.csr -keyout /tmp/tls-server.key
A server CSR file is saved in /tmp/tls-server.csr, and an unencrypted private key file is saved in /tmp/tls-server.key. Restrict access to the private key file.
-
Submit the CSR to your internal or commercial certificate authority for signing, according to
their instructions.
The procedure might involve opening the CSR file and copying a block of encoded text that is
contained between BEGIN and END markers.
-
Copy the returned server certificate to the /tmp directory or your
preferred location.
- Ensure that the signed server certificate is in PEM (Base64 ASCII) format. If the certificate is in DER (binary) format, convert it to PEM format by typing the following command:
openssl x509 -inform der -in <certificate_file_name>.der -out <certificate_file_name>.pem
Tip: A certificate's file extension does not necessarily indicate the encoding method
that is used. For example, a certificate with a .cer extension might have
Base-64 or DER encoding. Typically, you choose the encoding method during the certificate request
procedure. Search the internet for information about OpenSSL commands that convert certificates from
one format to another.
The PEM file contains a block of encoded text that is contained between the
BEGIN and END markers.
- If your CA uses an intermediate CA to sign certificates, ensure that
the intermediate CA certificate is in PEM (Base64 ASCII) format. If the certificate is in DER
(binary) format, convert it to PEM format (see the previous step). Then, append the intermediate CA
certificate to the signed server certificate by typing the following command:
cat <intermediate_ca_file_name>.pem >> <signed_server_certificate_file_name>.pem
- If your CA did not return the server certificate and private key as a PKCS#12 keystore, package the signed server certificate (with the intermediate CA certificate appended, if any) and its private key into PKCS#12 format. Type the following command, and choose a secure password when prompted:
openssl pkcs12 -inkey /tmp/tls-server.key -in <signed_server_certificate_file_name>.pem -export -out dlc-server.pfx
The Personal Information Exchange (PFX) file is written as dlc-server.pfx in the current directory. Because it contains the server's private key, protect the password and restrict access to the file.
-
Copy the dlc-server.pfx file to the /opt/qradar/conf/key_stores directory on the QRadar host that receives the events. If the key_stores directory doesn't exist, create it.
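As an added example (not part of the IBM documentation or product), the following shell script runs the server-side steps above end to end against a throwaway root and intermediate CA, then checks the result: the SAN from the config reaches the CSR and the signed certificate, the PKCS#12 file contains the server certificate plus the intermediate, and the chain verifies only when the intermediate is available, which is why the intermediate CA certificate must be imported into the truststore. The hostname ec.example.com, the address 192.0.2.10, the organization names and the password are invented placeholders; only openssl 1.1.1 or later is required.

```shell
# Added example (not from the IBM page or product): run the server-side
# certificate procedure end to end against a throwaway test CA and verify
# the result the way the Disconnected Log Collector's TLS client will.
# Assumes openssl 1.1.1+ on PATH; hostname, address, names and password are placeholders.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SERVER_FQDN="ec.example.com"      # placeholder Event Collector FQDN
SERVER_IP="192.0.2.10"            # placeholder (TEST-NET-1) address
PFX_PASS="example-only-password"  # placeholder keystore password

# CSR template from the procedure. subjectAltName = $ENV::SAN reads the SAN
# environment variable and falls back to SAN in [ default ] when it is unset.
write_server_conf() {
  cat > "$WORK/tls-server.conf" <<EOF
[ default ]
SAN = DNS:${SERVER_FQDN},IP:${SERVER_IP}
[ req ]
default_bits = 2048
encrypt_key = no
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = server_dn
req_extensions = server_reqext
[ server_dn ]
organizationName = Example Org
organizationalUnitName = Security Operations
commonName = ${SERVER_FQDN}
[ server_reqext ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
subjectAltName = \$ENV::SAN
EOF
}
# Throwaway root and intermediate CA standing in for the organization's PKI
# (client_root_ca.crt and client_int_ca.crt in the procedure).
make_test_ca() {
  cat > "$WORK/ca.conf" <<'EOF'
[ req ]
default_bits = 2048
encrypt_key = no
default_md = sha256
prompt = no
distinguished_name = ca_dn
x509_extensions = ca_ext
[ ca_dn ]
organizationName = Example Org
commonName = Example Test Root CA
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$WORK/ca.conf" -days 30 \
    -keyout "$WORK/client_root_ca.key" -out "$WORK/client_root_ca.crt"
  openssl req -new -config "$WORK/ca.conf" -subj "/O=Example Org/CN=Example Test Intermediate CA" \
    -keyout "$WORK/client_int_ca.key" -out "$WORK/client_int_ca.csr"
  openssl x509 -req -days 30 -in "$WORK/client_int_ca.csr" -CA "$WORK/client_root_ca.crt" \
    -CAkey "$WORK/client_root_ca.key" -CAcreateserial -extfile "$WORK/ca.conf" -extensions ca_ext \
    -out "$WORK/client_int_ca.crt"
}
# The procedure's steps: CSR, CA signing (the test intermediate applies the
# requested extensions), intermediate appended, PKCS#12 export.
build_server_keystore() {
  openssl req -new -config "$WORK/tls-server.conf" -out "$WORK/tls-server.csr" -keyout "$WORK/tls-server.key"
  openssl x509 -req -days 30 -in "$WORK/tls-server.csr" -CA "$WORK/client_int_ca.crt" \
    -CAkey "$WORK/client_int_ca.key" -CAcreateserial -extfile "$WORK/tls-server.conf" \
    -extensions server_reqext -out "$WORK/tls-server.crt"
  cat "$WORK/tls-server.crt" "$WORK/client_int_ca.crt" > "$WORK/tls-server-chain.pem"
  openssl pkcs12 -inkey "$WORK/tls-server.key" -in "$WORK/tls-server-chain.pem" -export \
    -out "$WORK/dlc-server.pfx" -passout "pass:$PFX_PASS"
}
# Checks worth running before the PFX goes into /opt/qradar/conf/key_stores.
cert_san() {        # SAN line of the signed server certificate
  openssl x509 -in "$WORK/tls-server.crt" -noout -ext subjectAltName | tail -n 1 | sed 's/^ *//'
}
pfx_cert_count() {  # server certificate + intermediate = 2
  openssl pkcs12 -in "$WORK/dlc-server.pfx" -nokeys -passin "pass:$PFX_PASS" | grep -c 'BEGIN CERTIFICATE'
}
verify_chain() {    # what the DLC does: root in its truststore, intermediate sent by the server
  openssl verify -CAfile "$WORK/client_root_ca.crt" -untrusted "$WORK/client_int_ca.crt" \
    -purpose sslserver -verify_hostname "$SERVER_FQDN" "$WORK/tls-server.crt" >/dev/null
}
verify_without_intermediate() {  # expected to fail: the root alone cannot reach the leaf
  openssl verify -CAfile "$WORK/client_root_ca.crt" "$WORK/tls-server.crt" >/dev/null 2>&1
}

write_server_conf
make_test_ca
build_server_keystore
echo "SAN: $(cert_san)"
echo "certificates in PFX: $(pfx_cert_count)"
verify_chain && echo "chain verifies with root + intermediate"
verify_without_intermediate || echo "verification fails without the intermediate (expected)"
```

The script works in a temporary directory that is removed on exit. On the real host, the signing step is replaced by submitting /tmp/tls-server.csr to your CA, and the resulting dlc-server.pfx is the file that goes into /opt/qradar/conf/key_stores; the verify commands are the same ones you would run against the CA-returned certificate to confirm the SAN and chain before configuring the log source.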
Results
You can configure the Disconnected Log
Collector log source on QRadar by
using the dlc-server.pfx file that you created.