Configuring the connection to QRadar on prem
Users with an Administrator role for IBM® QRadar Proxy can connect to an IBM QRadar on prem deployment so that the platform can connect to QRadar® APIs and supported versions of QRadar apps from that deployment. After you enter the connection settings, you and your users can add your own authentication token, QRadar username and password, or both. Then, view QRadar SIEM dashboards and other dashboards with QRadar data, or access supported QRadar apps such as QRadar User Behavior Analytics.
Before you begin
To connect to QRadar from QRadar Proxy, you need the following information:
- A public-facing management IP address or host name. To determine or change the QRadar hostname, use the qchange_netsetup command in Network settings management (https://www.ibm.com/docs/en/SS42VS_7.5/com.ibm.qradar.doc/c_siem_ntw_man_set.html).
- Host port. For more information, see QRadar port usage (https://www.ibm.com/docs/en/SS42VS_7.5/com.ibm.qradar.doc/c_qradar_adm_common_ports.html).
- QRadar SSL certificate (optional). For more information, see SSL certificates (https://www.ibm.com/docs/en/SS42VS_7.5/com.ibm.qradar.doc/c_qradar_adm_ssl.html).
- Authentication token (required to populate dashboards). For more information, see Managing authorized services (https://www.ibm.com/docs/en/SS42VS_7.5/com.ibm.qradar.doc/c_qradar_adm_man_auth_service.html).
- QRadar username and password (required to access supported apps). For more information, see Creating a user account (https://www.ibm.com/docs/en/SS42VS_7.5/com.ibm.qradar.doc/t_qradar_adm_create_user_acct.html).
About this task
The minimum supported version of QRadar is 7.4.3.
Only one QRadar or QRadar on Cloud deployment can be used per platform account. For example, if you're a managed service provider that manages several customer accounts, use a different platform account to access each QRadar deployment.
- Go to IBM QRadar option., and select the
- Add the connection details for the deployment.
- To access QRadar apps and APIs, specify a connection name and description for the connection.
- Specify the QRadar Management IP address or hostname and port for the data source or a supported QRadar app.
- To enable background services, such as the connection between IBM Detection and Response Center and QRadar, enter a Service Authentication Token. This token is also referred to as the SEC token. You create the token from the Authorized Services window in QRadar. For more information, see Adding an authorized service (https://www.ibm.com/docs/en/SS42VS_7.5/com.ibm.qradar.doc/t_qradar_adm_add_auth_serv.html).
- Add the QRadar authentication credentials for the deployment.
- Enter a user authentication token to use the QRadar APIs. If you are a QRadar Proxy Administrator, you can select the checkbox to use the Service Authentication Token that you entered in the Connection Details section instead of entering your own user token. Important: Your users must enter their own authentication token.
- If you want to access supported QRadar apps, such as QRadar User Behavior Analytics, provide your own QRadar username and password, regardless of the authentication token you entered in step 3a. (Your users must enter their own username and
- If QRadar uses SAML for authentication, you don't need to enter a username and password because you log in to QRadar through your SAML identity provider when you access the supported apps.
- If you make too many login attempts with incorrect credentials, your account is locked out according to QRadar settings. Try logging in again later. For more information, see Preventing lockout from QRadar on prem.
- If the login message on the QRadar Console requires users to provide consent before they can log in, select the terms and conditions checkbox so that your users can log in to QRadar from the platform.
- If the connection is using a certificate that is signed by a trusted certificate authority, you do not need to add a certificate. Tip: A trusted certificate authority can be internal or public.
- To determine whether your certificate is self-signed, see Determining whether your certificate is internally signed or custom signed. Tip: If the decoded certificate shows the Common Name as localhost.localdomain or your local domain, then it is a self-signed certificate.
- To add a certificate, complete the following steps:
- In QRadar 7.4.3, download the certificate chain from http://<qradar_host_ip>:9381/intermediate-qradar-ca_ca.crt. Copy and paste all of the certificate content from the file into the certificate section.
- In earlier versions of QRadar that are supported by the QRadar Proxy app, download the root CA certificate from http://<qradar_host_ip>:9381/vault-qrd_ca.pem. Download the intermediate CA certificate from http://<qradar_host_ip>:9381/vault-qrd_ca_int.pem. Copy and paste all of the certificate content from both files into the certificate section.
- If your hostname or IP address does not match the common name, you must supply a Server Name Indicator (SNI). The SNI is used to provide a separate hostname to the TLS handshake of the resource connection.
- Click Save, and then verify that the connection is successful by checking the status in the navigation panel.
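The certificate and SNI decisions in the steps above can be checked before you save the connection. The following Python sketch is an added example, not IBM code: it reports whether a decoded certificate is self-issued and whether the host you plan to enter matches a name in the certificate. The function names and sample certificates are constructed for illustration, and checking subjectAltName entries in addition to the common name is an assumption beyond what this page states.

```python
import socket
import ssl

def fetch_cert(host, port, cafile, sni=None):
    """Live check: handshake trusting only `cafile` (the downloaded CA chain to
    be pasted into the certificate section) and return the decoded server cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain is still verified; names are assessed below
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return tls.getpeercert()

def name_matches(pattern, host):
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):  # a wildcard covers exactly one left-most label
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def assess(cert, connect_host):
    """Decide what the connection form needs for a decoded certificate."""
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    san = [v for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address")]
    names = list(dict.fromkeys(cn + san))  # de-duplicate, keep order
    matched = any(name_matches(n, connect_host) for n in names)
    return {
        # Name comparison only; it does not verify the signature itself.
        "self_issued": cert.get("subject") == cert.get("issuer"),
        "default_cn": "localhost.localdomain" in cn,
        "needs_sni": not matched,
        "sni_candidates": [] if matched else [n for n in names if not n.startswith("*.")],
    }

# Constructed sample certificates in the dict shape getpeercert() returns.
SAMPLE_SELF = {
    "subject": ((("commonName", "localhost.localdomain"),),),
    "issuer": ((("commonName", "localhost.localdomain"),),),
}
SAMPLE_CA = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "qradar.example.test"),)),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "subjectAltName": (("DNS", "qradar.example.test"), ("DNS", "*.siem.example.test")),
}

if __name__ == "__main__":
    for cert, host in ((SAMPLE_SELF, "192.0.2.10"), (SAMPLE_CA, "qradar.example.test")):
        print(host, assess(cert, host))
```

If `fetch_cert` raises `ssl.SSLCertVerificationError`, the pasted chain does not validate the certificate that the QRadar host presents.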
If you encounter integration issues, see QRadar general health checklist (https://www.ibm.com/support/pages/node/876874).