Virtual appliance installation introduction

The SOAR Platform is available in three packages, each of which has a different installation procedure.

The instructions here describe how to install the virtual image package (.ova file).

If you have the software package (.run file), see Standalone Installation.

If you require a FIPS-compliant package, contact IBM Security® Support.

You cannot upgrade from one package to another, or install different packages on the same system.

Obtaining the SOAR software

The SOAR Platform is available as a download.

To download the SOAR Platform, go to IBM® Passport Advantage®.

SOAR Platform virtual appliance installation prerequisites

The IBM Security QRadar® SOAR Platform appliance is provided as a virtual image in an Open Virtualization (.ova) format. The image is based on Red Hat® Enterprise Linux® (RHEL), and installs a self-contained server that runs Tomcat and PostgreSQL.

The SOAR virtual appliance has the following default configuration, which you can modify during the deployment.
Table 1. Default SOAR virtual appliance configuration

Requirement          Description
VMware server        VMware Hypervisor (ESXi) 7.0 or later. If you are upgrading the SOAR Platform appliance, you do not need to upgrade VMware vSphere Hypervisor (ESXi); however, the version must be supported by VMware.
Virtual disk size    185 GB
Disk provisioning    Thin provision
CPU cores            4
Memory               16 GB

To administer the SOAR Platform appliance, the network that the host server is on must be accessible by SSH. For user access, it must also be accessible by a web browser.

If your deployment includes App Hosts, it is best to use the current release.

Virtual appliance installation overview

The SOAR Platform virtual appliance installation takes approximately one hour to complete.

This document guides you through the following steps to install the SOAR Platform:

  1. Deploy the appliance and start the first boot configuration.
  2. Connect through PuTTY/SSH.
  3. Install the SOAR license.
  4. Start system updates.
  5. Configure a Secure Sockets Layer (SSL) certificate.
  6. Create an initial user account.
  7. Configure authentication.
  8. Add user accounts.
  9. Test the system configuration by connecting to the SOAR Platform.
  10. Configure the appliance to access specific URLs on the Internet.
  11. Configure the log file.
  12. Configure email notifications.
  13. Configure ciphers and protocols.
  14. Configure the KeyVault.
  15. Configure audit logging.

SOAR Platform Managed Security Service Providers add-on

The SOAR for Managed Security Service Providers (MSSP) add-on, licensed separately, provides managed security service providers with the ability to manage multiple customers from a single dashboard. Customer data is stored separately, but can be accessed and viewed from a global dashboard.

Many of the administrative procedures remain the same. However, you manage the administrative settings in the configuration organization. If you have the MSSP add-on, you need to use the SOAR for MSSPs Configuration Guide to configure and manage the MSSP add-on components.

Important: If you are configuring the SOAR Platform for an MSSP deployment, you do not need to create a regular SOAR organization. In addition, do not configure LDAP, as it is not currently supported for the MSSP add-on.

Getting started with the installation

Make sure that your system meets the installation prerequisites before starting the installation.

Before you start the installation, make sure that you have the following items.

  • SOAR appliance .ova file downloaded from the website.
  • Hypervisor credentials needed to create virtual instances.
  • VMware vSphere client.
  • An IP address for the SOAR appliance, only if you want to use a static IP address.
  • An SSH client, such as PuTTY, to connect to the SOAR appliance.
  • Certificate authority (CA) that signs the SOAR appliance SSL certificate. It can be an internal CA used within your company or a third-party CA such as Verisign or Thawte.
  • SMTP server and credentials that the SOAR appliance can use to send email notifications.
  • SOAR license.