Domain name and TLS certificates
Provide a TLS certificate for your IBM® Security QRadar® EDR Fully Qualified Domain Name (FQDN).
The TLS certificate can be one of the following types:
- A certificate for a specific FQDN; for example, my.example.com
- A wildcard certificate; for example, *.example.com or *.apps.example.com
Tip: The wildcard character must be at the same level as your QRadar EDR FQDN, because a wildcard matches only one DNS label. For example, if your QRadar EDR is at qradaredr.apps.example.com, your wildcard certificate must be for *.apps.example.com; a certificate for *.example.com does not cover that host.
Domain name requirements
By default, when QRadar EDR is installed it uses the FQDN of the Red Hat® OpenShift® Container Platform cluster, together with the TLS certificate for that platform FQDN.
You can choose to create a unique FQDN for QRadar EDR if you don't want to use the Red Hat OpenShift Container Platform cluster FQDN.
To create a unique FQDN, ensure that a Domain Name System (DNS) server is configured and available with one of the following record types:
- A record that points to the IP address of the cluster.
- A CNAME record that points to the Red Hat OpenShift Container Platform cluster hostname.
To verify that the FQDN that you created resolves correctly to your cluster hostname or IP address, use a tool such as https://dnschecker.org/ or the dig command.
To use the dig command, type the following command, where <FQDN> is the FQDN that you created. Look for the FQDN in the ANSWER SECTION of the output: the answer must end at the cluster hostname (for a CNAME record) or at the cluster IP address (for an A record).
dig <FQDN>
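The following is an added example and is not part of the IBM documentation: a Python script that runs dig for the FQDN, parses the ANSWER SECTION, and follows any CNAME chain to confirm that it ends at the cluster hostname or the cluster IP address. The embedded sample dig output, the hostname ingress.apps.example.com, the address 192.0.2.10 and the script name are constructed for illustration; running it against a live FQDN assumes that dig is installed.

```python
"""Added example (not IBM's code): confirm that a custom QRadar EDR FQDN resolves
to the cluster. Live usage (requires dig): python check_edr_dns.py <FQDN> <cluster-hostname-or-IP>
The parsing works on dig's ANSWER SECTION, so the functions also accept captured output."""
import re
import subprocess
import sys

# Constructed sample of `dig qradaredr.apps.example.com` output: a CNAME to the
# cluster ingress hostname, which in turn has an A record. The names and the
# 192.0.2.10 address are illustrative assumptions, not real infrastructure.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.18.24 <<>> qradaredr.apps.example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;qradaredr.apps.example.com.\tIN\tA

;; ANSWER SECTION:
qradaredr.apps.example.com. 300\tIN\tCNAME\tingress.apps.example.com.
ingress.apps.example.com.\t300\tIN\tA\t192.0.2.10

;; Query time: 3 msec
"""


def parse_answer_section(dig_output):
    """Return (owner, type, rdata) for every record in dig's ANSWER SECTION."""
    records, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";;"):
                break  # end of the answer section
            fields = line.split()  # owner TTL class type rdata
            if len(fields) >= 5 and fields[2] == "IN":
                records.append((fields[0].rstrip(".").lower(), fields[3], fields[4].rstrip(".").lower()))
    return records


def resolves_to_cluster(dig_output, fqdn, cluster_host=None, cluster_ip=None):
    """Follow the CNAME chain from fqdn. Succeeds when a CNAME lands on the
    cluster hostname, or when an A record yields the cluster IP address."""
    records = parse_answer_section(dig_output)
    target = (cluster_host or "").rstrip(".").lower()
    name, seen = fqdn.rstrip(".").lower(), set()
    while name not in seen:  # the seen set stops CNAME loops
        seen.add(name)
        for owner, rtype, rdata in records:
            if owner != name:
                continue
            if rtype == "CNAME":
                if target and rdata == target:
                    return True
                name = rdata  # keep following the chain
                break
            if rtype == "A" and rdata == cluster_ip:
                return True
        else:
            return False  # no record for this name in the answer
    return False


if __name__ == "__main__":
    fqdn, cluster = sys.argv[1], sys.argv[2]
    output = subprocess.run(["dig", fqdn], capture_output=True, text=True, check=True).stdout
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", cluster):
        ok = resolves_to_cluster(output, fqdn, cluster_ip=cluster)
    else:
        ok = resolves_to_cluster(output, fqdn, cluster_host=cluster)
    print("OK" if ok else "MISMATCH", fqdn, "->", cluster)
    sys.exit(0 if ok else 1)
```

Pass the cluster ingress hostname to check a CNAME setup, or the cluster IP address to check an A record setup; a non-zero exit code means the FQDN does not end up at the cluster.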
Certificate requirements
The TLS certificates must adhere to the following requirements:
- The TLS certificate must be from a trusted CA for your production systems.
- The TLS certificate must be an RSA certificate with a minimum of 2048 bits, or a P-256 ECDSA certificate no greater than 256 bits, with PKCS1 encoding.
Important:
If you need to support QRadar EDR agents that run on any of the following older versions of the Microsoft Windows operating system, your TLS certificate must be an Elliptic Curve Cryptography (ECC) certificate on the curve prime256v1 (P-256). For more information, see the NIST definition of Elliptic Curve Cryptography.
- Windows 7 (client)
- Windows Server 2008 R2 (SP2)
- Windows Server 2012 R2
If an ECC certificate is not configured, the agent cannot complete the TLS connection to the backend, and error messages like the following are typically seen in the log file in the %TEMP% folder (C:\Users\<Username>\AppData\Local\Temp):
Response: SSL Error: WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR internal error. Exception: Backend communication problem: SSL Error: WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR internal error.
- The TLS certificate must match the QRadar EDR domain and must specify the domain in the Subject Alternative Name (subjectAltName field).
- The TLS certificate and certificate authorities (CAs) must use a hash algorithm from the SHA-2 family.
- The TLS certificate must have a validity period (from Not Before to Not After) that does not exceed 398 days.
- The TLS server certificate must contain an ExtendedKeyUsage (EKU) extension that contains the id-kp-serverAuth object identifier (OID).
If you use your own root CA for internal systems, it can have a time span that exceeds 398 days. This method can be useful for nonproduction environments. However, any system that is connected to the internet generates warnings if the server certificate is not issued by a well-known root authority that browsers recognize by default.
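As an added example that is not IBM's code, the following Python script checks a certificate against the requirements in the list above: key type and size (RSA of at least 2048 bits, or ECDSA on P-256), a SHA-2 signature, a subjectAltName entry that covers the QRadar EDR FQDN (with a wildcard accepted only at the same level), a validity period of at most 398 days, and the id-kp-serverAuth EKU. It parses the text that openssl x509 -noout -text prints, so it relies on OpenSSL's labels rather than on a certificate-parsing library; the embedded sample certificate text, the hostname qradaredr.apps.example.com and the script name are constructed for illustration. The extra check for the older Windows agents is enabled with --legacy-windows.

```python
"""Added example (not IBM's code). Check `openssl x509 -in cert.pem -noout -text`
output against the QRadar EDR certificate requirements:
    openssl x509 -in cert.pem -noout -text | python check_edr_cert.py <FQDN> [--legacy-windows]
With nothing on stdin it checks the constructed sample below."""
import re
import sys
from datetime import datetime

MAX_VALIDITY_DAYS = 398
SHA2_HASHES = ("sha224", "sha256", "sha384", "sha512")
SERVER_AUTH = "TLS Web Server Authentication"  # how openssl prints id-kp-serverAuth

# Constructed sample of `openssl x509 -noout -text` output for a P-256 certificate.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Signature Algorithm: ecdsa-with-SHA256
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Dec 31 23:59:59 2024 GMT
        Subject: CN = qradaredr.apps.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:qradaredr.apps.example.com, DNS:*.apps.example.com
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: ecdsa-with-SHA256
"""


def san_matches(san_entry, fqdn):
    """A wildcard covers exactly one label: *.apps.example.com matches
    qradaredr.apps.example.com but not qradaredr.example.com or a.b.apps.example.com."""
    san_entry, fqdn = san_entry.lower().rstrip("."), fqdn.lower().rstrip(".")
    if san_entry.startswith("*."):
        return fqdn.split(".")[1:] == san_entry[2:].split(".")
    return san_entry == fqdn


def parse_openssl_text(text):
    """Pull the fields the requirements refer to out of openssl's text dump."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1).strip() if m else None

    def listing(header):  # comma-separated line that follows an extension header
        line = grab(header + r":[^\n]*\n\s*([^\n]+)")
        return [x.strip() for x in line.split(",")] if line else []

    return {
        "sig_alg": grab(r"^\s*Signature Algorithm:\s*(\S+)"),  # first hit is the Data block
        "key_alg": grab(r"Public Key Algorithm:\s*(\S+)"),
        "key_bits": int(grab(r"Public-Key:\s*\((\d+) bit\)") or 0),
        "curve": grab(r"NIST CURVE:\s*(\S+)") or grab(r"ASN1 OID:\s*(\S+)"),
        "not_before": grab(r"Not Before:\s*(.+)$"),
        "not_after": grab(r"Not After\s*:\s*(.+)$"),
        "sans": [s[4:] for s in listing("Subject Alternative Name") if s.startswith("DNS:")],
        "eku": listing("Extended Key Usage"),
    }


def check_certificate(text, fqdn, legacy_windows_agents=False):
    """Return [(requirement, passed, detail)], one entry per requirement."""
    c = parse_openssl_text(text)
    fmt = "%b %d %H:%M:%S %Y GMT"
    days = (datetime.strptime(c["not_after"], fmt) - datetime.strptime(c["not_before"], fmt)).days
    is_ec = c["key_alg"] == "id-ecPublicKey"
    if c["key_alg"] == "rsaEncryption":
        key_ok = c["key_bits"] >= 2048
    else:  # ECDSA is allowed only on P-256 (prime256v1), no larger than 256 bits
        key_ok = is_ec and c["curve"] in ("P-256", "prime256v1") and c["key_bits"] <= 256
    results = [
        ("key-rsa2048-or-p256", key_ok, f'{c["key_alg"]} {c["key_bits"]} bit {c["curve"] or ""}'),
        ("sha2-signature", any(h in (c["sig_alg"] or "").lower() for h in SHA2_HASHES), c["sig_alg"]),
        ("san-covers-fqdn", any(san_matches(s, fqdn) for s in c["sans"]), ", ".join(c["sans"])),
        ("validity-le-398-days", days <= MAX_VALIDITY_DAYS, f"{days} days"),
        ("eku-serverauth", SERVER_AUTH in c["eku"], ", ".join(c["eku"])),
    ]
    if legacy_windows_agents:  # Windows 7 / Server 2008 R2 / Server 2012 R2 agents need ECC P-256
        results.append(("ecc-p256-for-legacy-windows", key_ok and is_ec, c["key_alg"]))
    return results


def all_requirements_met(text, fqdn, legacy_windows_agents=False):
    return all(ok for _, ok, _ in check_certificate(text, fqdn, legacy_windows_agents))


if __name__ == "__main__":
    names = [a for a in sys.argv[1:] if not a.startswith("--")]
    text = SAMPLE_CERT_TEXT if sys.stdin.isatty() else sys.stdin.read()
    fqdn = names[0] if names else "qradaredr.apps.example.com"
    for name, ok, detail in check_certificate(text, fqdn, "--legacy-windows" in sys.argv):
        print(f"{'PASS' if ok else 'FAIL'}  {name:28} {detail}")
```

The script reads the hash from the signature algorithm name, which is what OpenSSL prints for RSA PKCS#1 and ECDSA signatures; an RSA-PSS certificate lists its hash on separate parameter lines and would need extra handling. Run it against the intermediate CA certificates as well if you want the SHA-2 check applied to the whole chain.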
Certificate replacement
If you need to replace the TLS certificate that you are using for QRadar EDR and it is not the same certificate that you are using for your Red Hat OpenShift Container Platform cluster, see Updating your QRadar EDR TLS certificates.
If you need to replace the TLS certificate that you are using for QRadar EDR and it is the same certificate that you are using for your Red Hat OpenShift Container Platform cluster, see Synchronizing QRadar EDR Certificates with the cluster certificate.