Updating your QRadar EDR TLS certificates

QRadar EDR provides the update_cert action to update the TLS certificates that secure in-flight communication in the cluster, either because a certificate expired or because you want to replace the existing certificates.

Before you begin

Install the cpctl command-line interface (CLI) utility. For more information, see Installing the cpctl utility to access support actions.

For more information about certificate requirements, see Domain name and TLS certificates.

About this task

Important: Do not run the update_cert action if your QRadar EDR platform uses the same TLS certificate that your Red Hat OpenShift Container Platform cluster uses. If you need to update the TLS certificate for QRadar EDR in that case, see Synchronizing QRadar EDR Certificates with the cluster certificate.

Procedure

  1. Log in to your Red Hat OpenShift Container Platform cluster as a cluster administrator by typing one of the following commands, where <openshift_url> is the URL for your Red Hat OpenShift Container Platform environment.
    • Using a username and password.
      oc login <openshift_url> -u <cluster_admin_user> -p <cluster_admin_password>
    • Using a token.
      oc login --token=<token> --server=<openshift_url>
  2. To ensure that the list of available cpctl actions is up to date, type the following command.
    cpctl load
    The cpctl load command retrieves all available actions that can be run on QRadar EDR. The actions are cached to your local environment.
  3. Update your QRadar EDR TLS certificates by running the update_cert action.

    The following table details the parameters that are required to run the command.

    Parameter     Description
    --key         New TLS key
    --cert        New TLS certificate
    --authority   Certificate of the signing certificate authority
    --token       The Red Hat OpenShift admin token
    Note: The certificate authority certificate is required only if your new certificate is self-signed or signed by an unknown certificate authority.
    The command has the following basic form. Add --key, --cert, and, if needed, --authority as shown in the examples that follow.
    cpctl tools update_cert --token "$(oc whoami -t)"
    Well-known certificate authority example
    Your TLS key is in a file that is called tls.key, and your TLS certificate is in a file that is called tls.crt. The certificate is signed by a well-known certificate authority. Run the following command, which inserts the contents of the files.
    cpctl tools update_cert --key "$(cat tls.key)" --cert "$(cat tls.crt)" --token "$(oc whoami -t)"
    Unknown certificate authority example
    Your TLS key is in a file that is called tls.key, and your TLS certificate is in a file that is called tls.crt. The certificate is signed by an unknown certificate authority whose CA certificate is stored in a file that is called ca.crt. Run the following command, which inserts the contents of the files.
    cpctl tools update_cert --key "$(cat tls.key)" --cert "$(cat tls.crt)" --token "$(oc whoami -t)" --authority "$(cat ca.crt)"

Synchronizing QRadar EDR Certificates with the cluster certificate

If your QRadar EDR platform uses the same TLS certificate as your Red Hat OpenShift Container Platform cluster and the TLS certificate is changed, run the sync_cluster_cert action to synchronize the TLS certificate with QRadar EDR.

About this task

Important: Do not run the sync_cluster_cert action if your QRadar EDR platform uses a different TLS certificate than your Red Hat OpenShift Container Platform cluster uses. If you need to update the TLS certificate for QRadar EDR in that case, see Updating your QRadar EDR TLS certificates.

Install the cpctl command-line interface (CLI) utility. For more information, see Installing the cpctl utility to access support actions.

Procedure

  1. Log in to your Red Hat OpenShift Container Platform cluster as a cluster administrator by typing one of the following commands, where <openshift_url> is the URL for your Red Hat OpenShift Container Platform environment.
    • Using a username and password.
      oc login <openshift_url> -u <cluster_admin_user> -p <cluster_admin_password>
    • Using a token.
      oc login --token=<token> --server=<openshift_url>
  2. To ensure that the list of available cpctl actions is up to date, enter the following command.
    cpctl load
    The cpctl load command retrieves all of the available actions that can be run on QRadar EDR. The actions are cached to your local environment.
  3. To run the sync_cluster_cert action, enter the following command.
    cpctl tools sync_cluster_cert --token $(oc whoami -t)

Results

The QRadar EDR application pods restart in the Red Hat OpenShift cluster and the TLS certificate is synchronized.

Checking QRadar EDR certificates

The QRadar EDR TLS certificates are used to access QRadar EDR services. QRadar EDR provides the check_cert action to validate these certificates.

About this task

Install the cpctl command-line interface (CLI) utility. For more information, see Installing the cpctl utility to access support actions.

Procedure

  1. Log in to your Red Hat OpenShift Container Platform cluster as a cluster administrator by typing one of the following commands, where <openshift_url> is the URL for your Red Hat OpenShift Container Platform environment.
    • Using a username and password.
      oc login <openshift_url> -u <cluster_admin_user> -p <cluster_admin_password>
    • Using a token.
      oc login --token=<token> --server=<openshift_url>
  2. To ensure that the list of available cpctl actions is up to date, type the following command.
    cpctl load
    The cpctl load command retrieves all available actions that can be run on QRadar EDR. The actions are cached to your local environment.
  3. Run the check_cert action by typing the following command.
    cpctl diagnostics check_cert --token $(oc whoami -t)

Example

The following is sample output of what might be displayed after you run the command.

cpctl diagnostics check_cert --token $(oc whoami -t)
Executing playbook check_cert.yaml
- localhost on hosts: localhost -
Gathering Facts...
  localhost ok
[Login] Validate...
[Login] Token...
  localhost done | stdout:
[INFO] Logging in via token...
Get CP4S Route...
  localhost ok
Check CP4S Route...
Get cp4s version...
  localhost ok
Set namespace if not defined...
  localhost ok
Check if cp4s version is defined...
  localhost ok
Validate correct version of cp4s...
Check if its a saas cluster...
  localhost ok
Get switcher item...
Retrieve current cp4s version...
Validate correct version of cp4s...
Get Foundations capability...
  localhost ok
Get cp4s namespace...
Set default capability...
  localhost ok
Get foundations capability...
  localhost ok | stdout: reaqta
Set Capability if its defined...
  localhost ok
Get Foundations capability...
  localhost ok
Get cp4s namespace...
Set default capability...
  localhost ok
Get foundations capability...
  localhost ok | stdout: CommonServicesSCIM
Set Capability if its defined...
  localhost ok
Get IBM Foundational Services Route...
Check IBM Foundational Services Route...
Ensure temp dir exists...
  localhost done
Fetch CP4S truststore...
  localhost done
Set reaqta route...
  localhost ok
Test CP4S ingress...
  localhost ok
Print CP4S Certificate when failed...
Stop if CP4S Certificate is not valid...
Test IBM Foundational Services Ingress...
Print IBM Foundational Services Certificate when failed...
Stop if IBM Foundational Services Certificate is not valid...
Certificates are valid...
  localhost ok
- Play recap -
  localhost                  : ok=17   changed=3    unreachable=0    failed=0    rescued=0    ignored=0

What to do next

If the output from the command shows that the certificates are invalid, you can replace the certificates. For more information, see Updating your QRadar EDR TLS certificates.

Changing your QRadar EDR domain

To change your QRadar EDR fully qualified domain name (FQDN), update the domain value in the ibmsecurityedr custom resource (CR), and update the TLS certificates.

Before you begin

Install the cpctl command-line interface (CLI) utility. For more information, see Installing the cpctl utility to access support actions.

For more information about domain name requirements, see Domain name and TLS certificates.

Procedure

  1. Log in to your Red Hat OpenShift Container Platform cluster as a cluster administrator by typing one of the following commands, where <openshift_url> is the URL for your Red Hat OpenShift Container Platform environment.
    • Using a username and password.
      oc login <openshift_url> -u <cluster_admin_user> -p <cluster_admin_password>
    • Using a token.
      oc login --token=<token> --server=<openshift_url>
  2. To ensure that the list of available cpctl actions is up to date, type the following command.
    cpctl load
    The cpctl load command retrieves all available actions that can be run on QRadar EDR. The actions are cached to your local environment.
  3. Update the domain value in the ibmsecurityedr CR by typing the following command, where <qradar_edr_namespace> is your QRadar EDR namespace, and <FQDN> is your new FQDN.
    oc patch ibmsecurityedrs.isc.ibm.com edr -n <qradar_edr_namespace> --type merge --patch '{"spec": {"basicDeploymentConfiguration":{"domain": "<FQDN>"}}}'
  4. Verify that the domain value is updated in the cp4s-config map by typing the following command, where <qradar_edr_namespace> is your QRadar EDR namespace.
    oc get cm cp4s-config -n <qradar_edr_namespace> -o jsonpath="{.data.domain}" && echo
  5. Update your QRadar EDR TLS certificates by running the update_cert action.

    The following table details the parameters that are required to run the command.

    Parameter     Description
    --key         New TLS key
    --cert        New TLS certificate
    --authority   Certificate of the signing certificate authority
    --token       The Red Hat OpenShift admin token
    Note: The certificate authority certificate is required only if your new certificate is self-signed or signed by an unknown certificate authority.
    The command has the following basic form. Add --key, --cert, and, if needed, --authority as shown in the examples that follow.
    cpctl tools update_cert --token "$(oc whoami -t)"
    Well-known certificate authority example
    Your TLS key is in a file that is called tls.key, and your TLS certificate is in a file that is called tls.crt. The certificate is signed by a well-known certificate authority. Run the following command, which inserts the contents of the files.
    cpctl tools update_cert --key "$(cat tls.key)" --cert "$(cat tls.crt)" --token "$(oc whoami -t)"
    Unknown certificate authority example
    Your TLS key is in a file that is called tls.key, and your TLS certificate is in a file that is called tls.crt. The certificate is signed by an unknown certificate authority whose CA certificate is stored in a file that is called ca.crt. Run the following command, which inserts the contents of the files.
    cpctl tools update_cert --key "$(cat tls.key)" --cert "$(cat tls.crt)" --token "$(oc whoami -t)" --authority "$(cat ca.crt)"
  6. Reprocess all operators by typing the following command.
    oc delete iscguard --all
  7. Restart all operators by typing the following command.
    oc get pod -o name | grep operator | xargs oc delete
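Before running update_cert, either in the certificate update procedure or in step 5 of the domain change above (where the new certificate must also cover the new FQDN), a pre-flight check of the files avoids a rollout with a mismatched key, an unverifiable chain, or a wrong name. The following script is an added example, not part of the QRadar EDR documentation or the cpctl tool; it assumes the file names tls.key, tls.crt and ca.crt used above, the openssl CLI, and an FQDN taken from the cp4s-config map.

```shell
#!/bin/sh
# Added example (not QRadar EDR or cpctl code): pre-flight checks on tls.key,
# tls.crt and an optional ca.crt before passing them to `cpctl tools update_cert`.
# Assumes the openssl CLI; the FQDN is expected to come from
# `oc get cm cp4s-config -o jsonpath="{.data.domain}"`.

# The private key must belong to the certificate: compare the public keys.
key_matches_cert() {  # $1=key file  $2=certificate file
  kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cpub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# The certificate must chain to the supplied CA (the --authority case) or, when
# no CA file is given, to the system trust store (the well-known CA case).
chain_verifies() {  # $1=certificate file  $2=CA file (optional)
  if [ -n "$2" ]; then
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
  else
    openssl verify "$1" 2>/dev/null | grep -q ': OK$'
  fi
}

# The FQDN that QRadar EDR is served on must match the certificate's SAN (or CN).
cert_covers_fqdn() {  # $1=certificate file  $2=fqdn
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q ' does match '
}

# The certificate must not expire within the given number of days (default 30).
cert_valid_for_days() {  # $1=certificate file  $2=days
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Run every check, report each result, and return non-zero if any check fails.
preflight() {  # $1=tls.key  $2=tls.crt  $3=fqdn  $4=ca.crt (omit for a well-known CA)
  rc=0
  if key_matches_cert "$1" "$2"; then echo "ok   key matches certificate"
  else echo "FAIL key does not match certificate"; rc=1; fi
  if chain_verifies "$2" "$4"; then echo "ok   certificate chain verifies"
  else echo "FAIL certificate chain does not verify"; rc=1; fi
  if cert_covers_fqdn "$2" "$3"; then echo "ok   certificate covers $3"
  else echo "FAIL certificate does not cover $3"; rc=1; fi
  if cert_valid_for_days "$2" 30; then echo "ok   valid for at least 30 days"
  else echo "FAIL certificate expires within 30 days"; rc=1; fi
  return $rc
}

# Stand-alone use: sh preflight.sh tls.key tls.crt <FQDN> [ca.crt]
if [ "$#" -ge 3 ]; then preflight "$@"; fi
```

Only run update_cert once preflight reports every line as ok; when the chain check fails against the system trust store but passes with ca.crt, the --authority parameter is required.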