Installing QRadar EDR in an air-gapped environment by using a bastion host

Edit online

If your cluster is not connected to the internet, you can install IBM® Security QRadar® EDR in your cluster by using a bastion host as a mirroring device.

You store the product code and images on a bastion host and then transfer them to a local air-gapped network. A bastion host is a device that has access to both the public internet and the local intranet where a local registry and Red Hat® OpenShift® Container Platform cluster exist. Using the bastion host, you replicate your images through the bastion host directly to the local intranet registry behind the firewall.

Before you begin

You must satisfy the following prerequisites before you install QRadar EDR in an air-gapped environment:

To complete this task, you must be a Red Hat OpenShift cluster administrator.

Review the QRadar EDR system requirements section to ensure that you meet the hardware, system, storage, and other requirements.

Your mirroring device must have at least 1 TB of storage available.

Note:

Your mirroring device must have access to the following sites and ports while it is connected to the internet.

icr.io:443 for IBM Cloud Pak®® for Security catalog source
cp.icr.io:443 for IBM Entitled Registry
github.com for Container Application Software for Enterprises (CASE) and tools

Setting up your mirroring environment

Edit online

Before you install IBM Security QRadar EDR in an air-gapped environment, you must set up a mirroring device that can be connected to the internet to complete configuring your mirroring environment.

The following table shows the CLI tools that are needed to install QRadar EDR in an air-gapped environment.

Table 1. CLI tools needed to install QRadar EDR in an air-gapped environment
Software	Purpose
Docker or Podman	Container management
Red Hat OpenShift CLI (oc)	Red Hat OpenShift Container Platform administration
IBM Catalog Management plug-in for Red Hat OpenShift CLI	Mirroring and installing QRadar EDR

Install Windows Subsystem for Linux (WSL)

Edit online

If you are using a Windows computer, you must install Windows Subsystem for Linux® (WSL).

For more information about installing WSL, see Install WSL.

Install Docker CLI 18.0.0 or later

Edit online

If Docker is not available for your OS, install Podman CLI 1.4 or later instead

Procedure

Install Docker.

Download and set up the Docker or Podman CLI tool for your computer operating system (OS).
1. CentOS
2. Debian
3. Fedora
4. MacOS
5. Ubuntu
Ensure that the Docker or Podman CLI tool is working by typing the following command.
```
 docker version 
```

If you can't install Docker, install Podman.

Download and set up the Podman CLI tool for your computer OS.
1. Linux distributions
2. MacOS
  
  Important: To install Podman on MacOS, you must first install Homebrew .
Ensure that the Podman CLI tool is working by typing the following command.
```
 podman version 
```

Install Red Hat OpenShift CLI 4.14 or later

Edit online

The Red Hat OpenShift CLI client helps you develop, build, deploy, and run your applications on any Red Hat OpenShift or Kubernetes cluster. It also includes the administrative commands for managing a cluster under the adm subcommand.

Procedure

Download Red Hat OpenShift CLI 4.14 or later from https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/stable-4.14/. The file to download is called openshift-client-<platform>-<version>.tar.gz.
Extract the binary file that you downloaded by typing the following command, where <oc_cli_archive_file> is the name of the archive file that you downloaded.
```
tar -xf <oc_cli_archive_file>
```
Modify the permissions of the binary file by typing the following command, where <oc_cli_binary> is the name of the Red Hat OpenShift binary that you extracted from the archive.
Move the binary file to the /usr/local/bin directory by typing the following command.
```
mv <oc_cli_binary> /usr/local/bin/oc
```
Tip: If this command returns a No such file or directory or Not a directory error message, create the /usr/local/bin directory by typing the following command.
```
sudo mkdir /usr/local/bin
```
Ensure that the Red Hat OpenShift CLI client is working by typing the following command.
```
oc version
```
Tip: MacOS users might see a message that this tool cannot be opened because it is from an unidentified developer. Close this message and go to System Preferences > Security & Privacy. On the General tab, click Open Anyway or Allow Anyway. Repeat the oc version command.

Install the IBM Catalog Management plug-in for Red Hat OpenShift CLI

Edit online

The IBM Catalog Management plug-in simplifies the process for discovering required IBM product images and uses standard tooling for registry and cluster access.

Procedure

Download the latest version of the plug-in.

To download the latest release version from the public GitHub repo on MacOS, type the following command.

curl -L https://github.com/IBM/ibm-pak-plugin/releases/latest/download/oc-ibm_pak-darwin-amd64.tar.gz -o oc-ibm_pak-plugin.tar.gz

To download the latest release version from the public GitHub repo on Linux, type the following command.

curl -L https://github.com/IBM/ibm-pak-plugin/releases/latest/download/oc-ibm_pak-linux-amd64.tar.gz -o oc-ibm_pak-plugin.tar.gz

Extract the plug-in from the archive file by typing the following command.
```
tar -xvf oc-ibm_pak-plugin.tar.gz
```
Move the extracted plug-in to your /usr/local/bin directory by typing the following command.
```
mv oc-ibm_pak-*-amd64 /usr/local/bin/oc-ibm_pak
```
Verify that the plug-in is installed successfully by typing the following command.
```
oc ibm-pak --version
```

Install Red Hat OpenShift

Edit online

For the supported Red Hat OpenShift Container Platform versions, see ../planning/system_requirements.html.

For more information about installing and validating Red Hat OpenShift, see Setting up Red Hat OpenShift Container Platform cluster.

You must have a Docker V2 registry with at least 1 TB storage available, and that is accessible from the Red Hat OpenShift Container Platform cluster nodes

Edit online

Docker

docker info

Look for Docker Root Dir: in the output, and ensure that the location shows has at least 1 TB storage available.

Podman

podman info

Look for volumePath: in the output, and ensure that the location shows has at least 1 TB storage available.

The registry is available to aid in mirroring to final location by using portable options. For more information, see Docker Manifest V2, Schema 2.

Gather the information needed to install QRadar EDR

Edit online

Make sure you know the registry key and other information to successfully install QRadar EDR.

Table 2. Information needed to install QRadar EDR
Information needed	Description
The IBM Entitled Registry key	After you purchase a license for QRadar EDR, an entitlement for the Cloud Pak software is associated with your MyIBM account ID. You must have an entitlement key for the IBM Entitled Registry to install QRadar EDR by the online or air-gapped method that uses the IBM Entitled Registry. The value of the key is set in a parameter that is used during installation. Use the IBMid and the password that are associated with the entitled software to log in to the MyIBM Container Software Library. In the Container software library, from the menu bar, click Get entitlement key. In the Entitlement keys section, click Copy Key, and copy the key to a safe location. You need the IBM Entitled Registry key during the installation process and it must continue to be valid through the entire lifecycle of the platform. Important: If the IBM Entitled Registry key becomes invalid, you must create a new key in Passport Advantage® from a valid account and replace the key on QRadar EDR. If you do not replace the key on QRadar EDR, services fail.
The Fully Qualified Domain Name (FQDN) chosen for the QRadar EDR application	The FQDN of the Red Hat OpenShift Container Platform cluster is used with the TLS certificate for the platform FQDN. You can choose to create a unique FQDN for the QRadar EDR platform if you don't want to use the Red Hat OpenShift Container Platform cluster FQDN. For more information about the FQDN requirements, see Domain name and TLS certificates.
Certificate of Authority (CA), if required for the QRadar EDR application domain.	For more information about certificates, see Domain name and TLS certificates.
The persistent storage and storage class to be used.	For more information about the persistent storage required for QRadar EDR, see Storage requirements.

Setting environment variables and downloading CASE files

Edit online

Before mirroring your images, set the environment variables on your mirroring device, and connect to the internet so that you can download the corresponding CASE files.

About this task

Tip: Save a copy of your environment variable values to a file by using a text editor. You can use that file as a reference to copy and paste from as you complete your air-gapped environment installation tasks.

Procedure

Connect your mirroring device to the internet, and disconnect it from your local air-gapped network.
Create the following environment variables with the installer image name and the image inventory on your mirroring device by typing the following command.
```
export CASE_NAME=ibm-security-edr && export CASE_VERSION=1.0.15
```
Download the IBM Security QRadar EDR installer and image inventory to your mirroring device by typing the following command.
```
oc ibm-pak get $CASE_NAME --version $CASE_VERSION --disable-top-level-images-mode
```
The CASE is saved to the ~/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION directory and the log file is saved to ~/.ibm-pak/logs/oc-ibm_pak.log.
Tip: If you want to save the CASE to a directory other than your home directory, set the $IBMPAK_HOME environment variable by typing the following command.
```
export IBMPAK_HOME=<working_directory>
```
When you set the $IBMPAK_HOME environment variable, the CASE is saved to <working_directory>/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION and the log is saved to <working_directory>/.ibm-pak/logs/oc-ibm_pak.log.
Important: If you change where the CASE is saved to, you must use $IBMPAK_HOME/.ibm-pak in place of ~/.ibm-pak throughout this procedure.

Tip: If you want the installation process to be repeatable across environments, you can reuse the same saved CASE instead of downloading the CASE files again in other environments. You don't need to update versions of dependencies into the saved cache.

Mirroring images from the internet to your mirroring device

Edit online

Mirroring images takes the image from the internet to your mirroring device, then effectively copies that image on to your air-gapped environment. After you mirror your images, you can configure your cluster and complete the air-gapped installation.

Procedure

Set the $TARGET_REGISTRY environment variable to the IP address or FQDN and the port for your target registry by typing the following command. The target registry is the registry where your images are mirrored to and accessed by the Red Hat OpenShift cluster.
```
export TARGET_REGISTRY=<target_registry>
```
For example, if your target registry is at 192.0.2.0:5000 type the following command.
```
export TARGET_REGISTRY=192.0.2.0:5000
```
Generate the mirror manifests to use when you mirror the images to the target registry by typing the following command.
```
oc ibm-pak generate mirror-manifests $CASE_NAME $TARGET_REGISTRY --version $CASE_VERSION
```
Tip: If you want to view the list of images to be mirrored, type the following command.
```
oc ibm-pak describe $CASE_NAME --version $CASE_VERSION --list-mirror-images
```
Store the authentication credentials for the IBM Entitled Registry, cp.icr.io.
- If you are using Podman, store authentication credentials for cp.icr.io by typing the following commands.
```
export REGISTRY_AUTH_FILE=~/.ibm-pak/auth.json
```
```
podman login cp.icr.io -u cp
```
- If you are using Docker, store authentication credentials for cp.icr.io by typing the following commands.
```
export REGISTRY_AUTH_FILE=$HOME/.docker/config.json
```
```
docker login cp.icr.io -u cp
```
The password is your IBM Entitled Registry key.

The command stores and caches the registry credentials in the location that is specified for the $REGISTRY_AUTH_FILE environment variable.
Store the authentication credentials for your target registry.
- If you are using Podman, store authentication credentials for your target registry by typing the following commands.
```
export REGISTRY_AUTH_FILE=~/.ibm-pak/auth.json
```
```
podman login $TARGET_REGISTRY
```
- If you are using Docker, store authentication credentials for your target registry by typing the following commands.
```
export REGISTRY_AUTH_FILE=$HOME/.docker/config.json
```
```
docker login $TARGET_REGISTRY
```
The command stores and caches the registry credentials in the location that is specified for the $REGISTRY_AUTH_FILE environment variable.

Mirror images to the target registry by typing the following command.

oc image mirror \
-f ~/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/images-mapping.txt \
--filter-by-os '.*'  \
-a $REGISTRY_AUTH_FILE \
--insecure  \
--skip-multiple-scopes \
--max-per-registry=1

Log in to your Red Hat OpenShift Container Platform cluster as a cluster administrator by typing one of the following commands, where <openshift_url> is the URL for your Red Hat OpenShift Container Platform environment.
- Using a username and password.
```
oc login <openshift_url> -u <cluster_admin_user> -p <cluster_admin_password>
```
- Using a token.
```
oc login --token=<token> --server=<openshift_url>
```
Update the global image pull secret for your Red Hat OpenShift cluster and add the credentials for your target registry.
1. Retrieve the existing global pull secret by typing the following command, where <pull_secret_location> is the location of the file where you want to store the global pull secret configuration.
```
oc get secret/pull-secret -n openshift-config --template='{{index .data ".dockerconfigjson" | base64decode}}' > <pull_secret_location>
```
2. Add the new pull secret to the global pull secret file by typing the following command, where <username> and <password> are the username and password for your target registry.
```
oc registry login --registry="$TARGET_REGISTRY" --auth-basic="<username>:<password>" --to=<pull_secret_location>
```
3. Update the global pull secret in the cluster by typing the following command.
```
oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=<pull_secret_location>
```
4. Verify the status of the nodes by typing the following command.
```
oc get MachineConfigPool -w
```
After the global pull secret is updated, the configuration of your nodes is updated sequentially.
Important: Wait until all MachineConfigPools are updated before you proceed to the next step.
Create the ImageContentSourcePolicy resource by typing the following command.
```
oc apply -f ~/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/image-content-source-policy.yaml
```
1. Verify that the ImageContentSourcePolicy resource is created by typing the following command.
```
oc get imageContentSourcePolicy ibm-security-edr
```
2. Verify the status of the nodes by typing the following command.
```
oc get MachineConfigPool -w
```
After the ImageContentSourcePolicy resource is created, the configuration of your nodes is updated sequentially.
Important: Wait until all MachineConfigPools are updated before you proceed to the next step.
If you are using an insecure registry, you must add the local registry to the cluster insecureRegistries list by typing the following command.
```
oc patch image.config.openshift.io/cluster --type=merge \
 -p '{"spec":{"registrySources":{"insecureRegistries":["'${TARGET_REGISTRY}'"]}}}'
```
Important: Do not use insecure registries for production systems.
1. Verify the status of the nodes by typing the following command.
```
oc get MachineConfigPool -w
```
After the insecureRegistries list is updated, the configuration of your nodes is updated sequentially.
Important: Wait until all MachineConfigPools are updated before you proceed to the next step.

Installing QRadar EDR in an air-gapped environment by using a bastion host

Edit online

After your images are mirrored to your target registry, you can deploy QRadar EDR to Red Hat OpenShift in your air-gapped environment.

Before you begin

Include specific IP addresses and URLs in an allowlist at the network layer for sites that need to be accessed externally. For more information, see Creating an allowlist for air-gapped installation.

Procedure

Log in to your Red Hat OpenShift Container Platform cluster as a cluster administrator by typing one of the following commands, where <openshift_url> is the URL for your Red Hat OpenShift Container Platform environment.
- Using a username and password.
```
oc login <openshift_url> -u <cluster_admin_user> -p <cluster_admin_password>
```
- Using a token.
```
oc login --token=<token> --server=<openshift_url>
```
Set the $QRADAR_EDR_NAMESPACE environment variable by typing the following command, where <qradar_edr_namespace> is the namespace where QRadar EDR is installed.
```
export QRADAR_EDR_NAMESPACE=<qradar_edr_namespace>
```

Extract the QRadar EDR CASE by typing the following command.

tar -xf \
~/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION/$CASE_NAME-$CASE_VERSION.tgz \
-C ~/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION

Update the parameters in the ~/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION/$CASE_NAME/inventory/ibmSecurityEdrOperatorSetup/files/values.conf file. The following table lists the configurable parameters for the QRadar EDR installation and their descriptions.

Table 3. QRadar EDR installation parameters
Parameter	Description	Do you need to update this parameter?
airgapInstall	Set this parameter to true when you are installing in an airgap environment.	Yes
clusterProxy	Set to false. Cluster-wide proxy is not supported in an air-gapped environment.	No
domain	The fully qualified domain name (FQDN) created for QRadar EDR.	No, unless you want or specify your own FQDN.
domainCertificatePath	The path of the TLS certificate that is associated with the QRadar Suite Software domain. If the domain is not specified, the Red Hat OpenShift cluster certificates are used. For more information, see Domain name and TLS certificates.	No, unless you updated the domain parameter.
domainCertificateKeyPath	The path of the TLS key that is associated with the QRadar Suite Software domain. If the domain is not specified, the Red Hat OpenShift cluster certificates are used. For more information, see Domain name and TLS certificates.	No, unless you updated the domain parameter.
customCaFilePath	The path of the custom TLS certificate associated with the QRadar Suite Software domain. For more information, see Domain name and TLS certificates.	No, unless you are using a custom or self-signed certificate.
storageClass	The provisioned block storage class for all the PVCs that are used by QRadar EDR. Must be set to `thin-csi`. For more information, see Storage requirements.	No.
backupStorageClass	Storage class for the backup and restore pod. If this value is not set, QRadar EDR takes the value from the storageClass parameter.	No, unless you are using a different storage class for the backup and restore pod than you set for the storageClass parameter. For more information about using a CSI storage class with volume expansion to create the backup and restore PVC, see Creating the backup and restore PVC.
backupStorageSize	The storage size for the backup and restore PVC. Must be 500 GB or larger.	No, unless you need the storage size for the backup and restore pod to be greater than 500 GB. For more information, see Creating the backup and restore PVC.
imagePullPolicy	The pull policy for the images. When Red Hat OpenShift creates containers, it uses the imagePullPolicy to determine whether to pull the container image from the registry before it starts the container. Options are Always, IfNotPresent, or Never.	No
repository	Specify the URL and port for the local Docker registry with /cp/cp4s namespace appended. For example, example-registry:5000/cp/cp4s.	Yes
repositoryUsername	The username to access your target registry.	Yes
repositoryPassword	The password to access your target registry.	Yes
deploymentSize	The size of deployment is small, medium, large, 10k, or 15k.	For more information about choosing the cluster size, see Hardware requirements. The event volume might not be exact when you are installing the product, so select the estimated size of the deployment based on the general number of endpoints. The following list shows the estimated deployment size settings that you can use depending on the number of endpoints you have. small - up to 1k endpoints. medium - up to 3k endpoints. large - up to 5k endpoints. 10k - up to 10k endpoints. 15k - up to 15k endpoints.
licenseType	The type of QRadar EDR license you acquired. Must be one of: Enterprise Select this license type when IBM Security QRadar EDR Enterprise was purchased and the system is not being deployed in MSSP mode. Pro Select this license type when IBM Security QRadar EDR was purchased and the system is not being deployed in MSSP mode. MSSP-Pro Select this license type when IBM Security QRadar EDR was purchased and the system is being deployed in MSSP mode. MSSP-Enterprise Select this license type when IBM Security QRadar EDR Enterprise was purchased and the system is being deployed in MSSP mode. Note: MSSP mode is a Multi-tenant instance that allows strict customer (tenants) separation. MSSP admins can granularly handle each tenant and assign user roles and policies fitting each specific tenants' needs.	Yes

Install QRadar EDR.

Table 4. QRadar EDR installation command arguments
Argument	Description
--namespace	The namespace where QRadar EDR will be installed. The namespace must meet the following criteria: Contain only lowercase alphanumeric characters or `-` Start and end with an alphanumeric character Be a dedicated namespace for QRadar EDR Not be `default`, `kube-*`, or `openshift-` The namespace is created automatically if it does not exist.
--acceptLicense	Read the QRadar EDR license that is in the ~/.ibm-pak/data/cases/ibm-security-edr/`1.0.15`/ibm-security-edr/LICENSE directory. By accepting the license, you confirm that you read the license and accept the terms. For the QRadar EDR installation to proceed, the acceptLicense true parameter is added to the installation action. For more information, see Managing licensing and usage.
--inputDir	The location of the QRadar EDR CASE. If the file path is not customized, enter ~/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION else specify the actual path.
--catalogSrcTag	The build tag for QRadar EDR. The default value is latest-amd64

Install QRadar EDR by typing the following command.

oc ibm-pak launch -t 1 \
$CASE_NAME \
--version $CASE_VERSION --inventory ibmSecurityEdrOperatorSetup \
--namespace $QRADAR_EDR_NAMESPACE  \
--action install --args "--acceptLicense true --inputDir ~/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION --catalogSrcTag latest-amd64"

Important: Installation takes approximately 30 minutes.

Verify QRadar EDR installation by typing the following command.

oc ibm-pak launch -t 1 $CASE_NAME --version $CASE_VERSION  --inventory ibmSecurityEdrOperatorSetup  --namespace $QRADAR_EDR_NAMESPACE  --action validate

When the installation is complete, the following message displays:

[INFO] IBM Security EDR deployment is complete.

Log in to your QRadar EDR Dashboard as the initial admin user.
1. Retrieve the URL for your QRadar EDR Dashboard by typing the following command.
```
oc get route -n $QRADAR_EDR_NAMESPACE
```
  In the following example output, the QRadar EDR Dashboard URL is cp4s.example.eu-de.containers.appdomain.cloud.
```
  NAME                           HOST/PORT
isc-route-default     cp4s.example.eu-de.containers.appdomain.cloud
```
2. Retrieve your initial QRadar EDR Dashboard log in credentials by typing the following command.
```
oc get secret reaqta-hive-maia-users-secret -o json -n $QRADAR_EDR_NAMESPACE | jq '.data | map_values(@base64d)'
```
  The following example output shows that the login username is admin@example.com, and the login password is <initial_admin_password>.
```
{
"admin.password": "<initial_admin_password>",
"admin.username": "admin@example.com",
"keeper.password": "<initial_keeper_password>",
"keeper.username": "keeper@example.com"
}
```
3. In a web browser, go to your QRadar EDR Dashboard URL and log in with your initial admin credentials.

What to do next

Sign up for IBM My Notifications to receive notifications of new patches, fix packs, or other feature updates from IBM Support by completing the instructions in technote 6579103.
Postinstallation