IBM Support

Upgrade IBM Security QRadar Risk Manager version 7.0

Product Documentation


Abstract

Upgrading from QRadar Risk Manager 1.1 Maintenance Release 5 to QRadar Risk Manager 7.0 is a significant update.

Content

You must back up your existing QRadar Risk Manager 1.1 system, complete a fresh installation of QRadar Risk Manager 7.0, and then restore your data. No QRadar Risk Manager data is lost during the upgrade process, provided that the backup archive is stored off the appliance before the installation and restored after it.

Before you begin

You must understand upgrade requirements and the impact an upgrade has on your data before you upgrade.

Upgrade requirements

Your QRadar SIEM console must be upgraded from QRadar SIEM 7.0 Maintenance Release 5 (7.0.0.301503) to QRadar SIEM 7.0. For more information, see the IBM Security QRadar SIEM Upgrade Guide.

Before you begin the upgrade to QRadar Risk Manager 7.0, you must verify the following requirements:

  • You must be running QRadar Risk Manager 1.1 Maintenance Release 5 build 312057. If necessary, you can download and install the latest patch update from the Qmmunity website. This version is required to back up your QRadar Risk Manager data. In the QRadar SIEM user interface, click Help > About to view your QRadar Risk Manager version information. The QRadar Risk Manager version is displayed in the Installed plug-ins list.
  • Verify that storage is available for the QRadar Risk Manager 1.1 backup file. Copy the backup file off the QRadar Risk Manager appliance before you start the installation; the installer repartitions the disks, so a backup left on the appliance is lost along with your device configurations and data. The backup file contains all of the information from your QRadar Risk Manager 1.1 system. Its size varies with the number and size of the devices that QRadar Risk Manager manages.
  • Ensure that your QRadar SIEM console and QRadar Risk Manager use the same network switch.

Impact of an upgrade on your data

All data that is required to restore your data after you upgrade is contained in a backup archive that you create. After the installation of QRadar Risk Manager 7.0 completes, you can restore your QRadar Risk Manager settings and data from the backup archive.

The backup archive includes the following data:

  • Device configurations for QRadar Risk Manager
  • Connection data
  • Topology data
  • Policy Monitor questions
  • Simulation data
  • Database tables for QRadar Risk Manager

Identify network settings

Before you upgrade to QRadar Risk Manager 7.0, gather the following information:

  • QRadar Risk Manager activation key
  • Hostname
  • IP address
  • Network mask address
  • Subnet mask
  • Default gateway address
  • Primary Domain Name System (DNS) server address
  • Secondary DNS server (optional) address
  • Public IP address for networks using Network Address Translation (NAT)
  • Email server name
  • Network Time Protocol (NTP) server (Console only) or time server name

Backing up your data

You can download the backup script and then back up your data.

Before you begin

Download the backup script, risk_manager_backup.sh, from Qmmunity or IBM Support (http://www.ibm.com/support).

The backup script is intended for upgrading QRadar Risk Manager 1.1 to QRadar Risk Manager 7.0 or backing up and restoring QRadar Risk Manager 7.0 systems.

About this task

By default, QRadar Risk Manager backups are stored in /store/qrm_backups/.

All backup files are saved by using the following format:

backup-<target date>-<timestamp>.tgz

Where:

<target date>
is the date that the backup file was created. This guide gives the format of the target date as
<day>_<month>_<year>

<timestamp>
is the time that the backup file was created. This guide gives the format of the timestamp as
<hour>_<minute>_<second>

The sample output in the procedure that follows shows a different layout, backup-2012-09-11-10-14-39.tgz (year-month-day, then hour-minute-second, separated by hyphens). Use the file name that the script reports when it completes rather than assuming either layout.


Procedure

  1. Download the QRadar Risk Manager backup script.
  2. Copy the backup script to the /tmp directory of your QRadar SIEM console.
  3. Using SSH, log in to your QRadar SIEM console as the root user.
  4. Type the following command to copy the backup script to QRadar Risk Manager:
    • scp /tmp/risk_manager_backup.sh root@<QRadar Risk Manager>:/opt/qradar/bin/dbmaint/risk_manager_backup.sh
  5. Type the root password of QRadar Risk Manager to copy the file.
    • The file is copied from the /tmp directory of your QRadar SIEM Console to the /opt/qradar/bin/dbmaint directory of QRadar Risk Manager.
  6. Using SSH from the QRadar SIEM Console, log in to QRadar Risk Manager as the root user.
  7. To start a QRadar Risk Manager backup, type the following command:
    • /opt/qradar/bin/dbmaint/risk_manager_backup.sh
    • It can take several minutes for the script to start the backup process. After the script completes, the following message is displayed:
    • Tue Sep 11 10:14:41 EDT 2012 - Risk Manager Backup complete, wrote /store/qrm_backups/backup-2012-09-11-10-14-39.tgz
  8. Copy the backup file to a safe location for the upgrade.
    • CAUTION: The backup file must be stored in a location other than your QRadar Risk Manager appliance. During the upgrade process to QRadar Risk Manager 7.0, the disks are partitioned and all existing data is removed. Use the backup file to recover all of your settings, data, and configuration information after the upgrade to QRadar Risk Manager 7.0 is complete.
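
Steps 7 and 8 as a script, with the checks a practitioner would add before the appliance is wiped: the newest archive is located by name, a SHA-256 is recorded beside it, and the copy is verified on the destination host before the local one is trusted. This is an added example, not the IBM backup script or its output. The destination host, user and path are assumptions, and sha256sum from GNU coreutils is assumed to exist on both hosts.

```shell
#!/bin/sh
# Added example (not part of the IBM page): wrap risk_manager_backup.sh with
# an integrity check and an off-box copy that is verified on the far side.
# Assumptions (not from the page): the destination given on the command line
# is an scp target such as backups@vault.example.net:/srv/qrm (hypothetical),
# and sha256sum is available on both hosts.

BACKUP_DIR="${BACKUP_DIR:-/store/qrm_backups}"

# Print the newest backup-*.tgz in a directory; return 1 if there is none.
# Sorting by name is correct for the year-month-day-hour-minute-second names
# shown in the procedure's sample output; if your build names files
# day_month_year as the guide states, sort on mtime (ls -t) instead.
latest_backup() {
    candidate=$(printf '%s\n' "$1"/backup-*.tgz | sort | tail -n 1)
    [ -f "$candidate" ] && printf '%s\n' "$candidate"
}

# Write FILE's SHA-256 beside it as FILE.sha256, in "sha256sum -c" format.
# The checksum is recorded on the appliance, before the copy, so a corrupted
# or truncated transfer is caught rather than discovered after the disks are
# repartitioned.
record_checksum() {
    file="$1"
    (cd "$(dirname "$file")" && sha256sum "$(basename "$file")") > "$file.sha256"
}

# Verify FILE against FILE.sha256; exit status 0 only when they match.
verify_checksum() {
    file="$1"
    (cd "$(dirname "$file")" && sha256sum -c --status "$(basename "$file").sha256")
}

# Usage: sh qrm_backup_offbox.sh <user@host:/path>   (hypothetical wrapper name)
main() {
    dest="$1"
    /opt/qradar/bin/dbmaint/risk_manager_backup.sh
    archive=$(latest_backup "$BACKUP_DIR") || {
        echo "no backup archive found in $BACKUP_DIR" >&2; return 1; }
    record_checksum "$archive"
    verify_checksum "$archive" || {
        echo "local checksum mismatch for $archive" >&2; return 1; }
    scp "$archive" "$archive.sha256" "$dest/"
    # Re-check on the destination host: the copy there is the only one that
    # survives the reinstall, so that is the one whose integrity matters.
    host=${dest%%:*}; rdir=${dest#*:}
    ssh "$host" "cd '$rdir' && sha256sum -c --status '$(basename "$archive").sha256'" \
        && echo "verified off-box copy of $archive at $dest"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

The local verify_checksum call is deliberate even though the file was just hashed: it confirms the .sha256 file is well formed before it is relied on remotely. Keep the archive and its checksum together; a restore from an archive whose checksum cannot be confirmed should be treated as suspect.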

What to do next

You can now install QRadar Risk Manager 7.0.

Installing QRadar Risk Manager

You can install IBM Security QRadar Risk Manager after you download the backup script and back up your data.

Before you begin

You must download the QRadar ISO from Qmmunity or IBM Support (http://www.ibm.com/support).

About this task

Previously, QRadar Risk Manager and QRadar used unique ISO images for installations. In the 7.0 release, QRadar Risk Manager and QRadar are merged and both products are installed by using the QRadar ISO file. The activation key that is specified during the installation determines which product is installed.

You can find the activation key:

  • Printed on a sticker and physically placed on your appliance.
  • Included with the packing slip; all appliances are listed along with their associated keys.

Note: The letter I and the number 1 (one) are treated the same, as are the letter O and the number 0 (zero).

After you download the ISO, you must copy the ISO to a portable storage device such as a DVD or bootable USB flash drive.

For instructions on how to create a bootable USB flash drive, see the Installing QRadar Using a Bootable USB Flash Drive Technical Note.

Procedure

  1. Download the QRadar ISO.
  2. Copy the QRadar SIEM ISO to a portable storage device such as a DVD or a bootable USB flash drive.
  3. Insert the portable storage device into your appliance.
  4. Restart your QRadar Risk Manager appliance.
  5. To load the boot menu, press the F11 or the Escape key on your keyboard.
  6. Select USB drive or DVD drive as the boot option.
    • Note: QRadar Risk Manager verifies the integrity of the media before installation by checking the MD5 sum. If you receive a warning message that the MD5 checksum failed, you must download the ISO again or reburn the media. The MD5 check detects a corrupted download or a bad burn; it does not prove that the image is authentic, so obtain the ISO only from Qmmunity or IBM Support and compare it against the checksum published with the download, where one is provided. For further assistance, contact Customer Support.
  7. Type SETUP to start the installation.
  8. When the localhost login prompt is displayed, type root to log in to the system.
  9. Read the information in the window. Press the Spacebar to advance each window until you reach the end of the document. Type yes to accept the agreement, and then press Enter.
  10. Type your activation key and press Enter.
  11. Select normal for your type of setup. Select Next.
  12. Select your time zone continent or area. Select Next and press Enter.
  13. Select your time zone region. Select Next and press Enter.
  14. Select an Internet Protocol version. Select Next and press Enter.
  15. Select the interface that you want to specify as the management interface. Select Next and press Enter.
  16. Enter values for the QRadar Risk Manager IPv4 network settings:
    • Hostname - Type a fully qualified domain name as the system hostname.
    • IP address - Type the IP address of the system.
    • Network Mask - Type the network mask address for the system.
    • Gateway - Type the default gateway of the system.
    • Primary DNS - Type the primary DNS server address.
    • Secondary DNS - Optional. Type the secondary DNS server address.
    • Public IP - Optional. Type the Public IP address of the server. This is a secondary IP address that is used to access the server, usually from a different network or the Internet, and is managed by your network administrator. The Public IP address is often configured by using Network Address Translation (NAT) services on your network or firewall settings on your network. NAT translates an IP address in one network to a different IP address in another network.
    • Email Server - Type the email server. If you do not have an email server, type localhost in this field.
  17. Select Next and press Enter.
  18. Configure the QRadar Risk Manager root password:
    a. Type your password. Select Next and press Enter.
    b. Retype your new password to confirm. Select Finish and press Enter.
  19. Press Enter to select OK.

What to do next

    • Restore your data to QRadar Risk Manager.

Restoring data

A separate script is used to restore data. You can use this script to restore data from a QRadar Risk Manager backup.

Before you begin

The QRadar Risk Manager appliance and the backup archive must be the same version of QRadar Risk Manager. If the script detects a version difference between the archive and the QRadar Risk Manager managed host, an error is displayed.

About this task

Use the restore script to specify the archive that you are restoring to QRadar Risk Manager. This process requires you to stop services on QRadar Risk Manager. Stopping services logs off all QRadar Risk Manager users and stops multiple processes.

The following table describes the parameters that you can use to restore a backup archive.

Table 1-1 Parameters for restoring a backup archive to QRadar Risk Manager

Option          Description
-r <archive>    Specifies the backup archive to restore. This is the form used in the procedure that follows.
-f              Overwrites any existing QRadar Risk Manager data on your system with the data in the restore file. Selecting this parameter allows the script to overwrite any existing device configurations in Configuration Source Management with the device configurations from the backup file.
-w              Do not delete directories before restoring QRadar Risk Manager data.
-h              Displays the help for the restore script.

Procedure

  1. Using SSH, log in to your QRadar SIEM Console as the root user.
  2. Using SSH from the QRadar SIEM Console, log in to QRadar Risk Manager as the root user.
  3. Type the following command to stop hostcontext:
    • service hostcontext stop
  4. Type the following command to restore a backup archive to QRadar Risk Manager:
    • /opt/qradar/bin/risk_manager_restore.sh -r /store/qrm_backups/<backup>
    • Where
      <backup>
      is the QRadar Risk Manager archive you want to restore.
    • For example:
    • /opt/qradar/bin/risk_manager_restore.sh -r /store/qrm_backups/backup-2012-09-11-10-14-39.tgz
    • The following message is displayed:
    • Tue Sep 11 16:47:22 EDT 2012 - Risk Manager Restore v1 - starting risk_manager_restore.sh; ArchiveFile=/store/qrm_backups/backup-2012-09-11-16-27-42.tgz, Force Overwrite=true
      Tue Sep 11 16:47:22 EDT 2012 - Risk Manager Restore v1 - Appliance is QRM
      Tue Sep 11 16:47:22 EDT 2012 - Risk Manager Restore v1 - archive is from version '372011'
      Tue Sep 11 16:47:23 EDT 2012 - Risk Manager Restore v1 - appliance version is 372011
      Tue Sep 11 16:47:33 EDT 2012 - Risk Manager Restore v1 - restoring db postgres
      Tue Sep 11 16:47:34 EDT 2012 - Risk Manager Restore v1 - restoring db qradar
      Tue Sep 11 16:47:36 EDT 2012 - Risk Manager Restore v1 - restoring db ziptie
      Tue Sep 11 16:47:36 EDT 2012 - Risk Manager Restore v1 - complete.
    • QRadar Risk Manager data is restored from the backup archive.

  5. Type the following command to start hostcontext:
    • service hostcontext start
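
The version check in "Before you begin" is enforced by the restore script, but the procedure asks you to start hostcontext by hand afterwards. The following added example, which is not IBM's restore script or its output, reads the restore log in the format shown above and starts hostcontext only when the archive version matches the appliance version, the appliance is reported as QRM, and the script logged completion. The wrapper name and the log path under /tmp are assumptions; the sample lines used to check it are modelled on the output above.

```shell
#!/bin/sh
# Added example (not from the IBM page): gate "service hostcontext start" on
# what risk_manager_restore.sh actually logged. Line formats are taken from
# the sample output in the restore procedure; the wrapper name and log path
# are hypothetical.

# Extract the quoted archive version, e.g. 372011 from
# "... - archive is from version '372011'".
archive_version() {
    sed -n "s/.*archive is from version '\([0-9]*\)'.*/\1/p" "$1" | head -n 1
}

# Extract the appliance version from "... - appliance version is 372011".
appliance_version() {
    sed -n 's/.*appliance version is \([0-9]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 only when the log shows a QRM appliance, matching versions and a
# final "complete." line; print the reason on the first failed check.
restore_succeeded() {
    log="$1"
    grep -q 'Appliance is QRM' "$log" || { echo "not a QRM appliance"; return 1; }
    a=$(archive_version "$log"); b=$(appliance_version "$log")
    [ -n "$a" ] && [ -n "$b" ] || { echo "version lines missing"; return 1; }
    [ "$a" = "$b" ] || { echo "version mismatch: archive $a, appliance $b"; return 1; }
    grep -q 'Risk Manager Restore v[0-9]* - complete\.' "$log" \
        || { echo "no completion line"; return 1; }
    echo "restore ok (version $a)"
}

# Usage: sh qrm_restore_gate.sh /store/qrm_backups/backup-<...>.tgz
# The log is parsed rather than the pipeline's exit status, because without
# pipefail the status of "restore | tee" is tee's, not the restore script's.
restore_and_gate() {
    archive="$1"; log="/tmp/qrm_restore.$$.log"
    service hostcontext stop
    /opt/qradar/bin/risk_manager_restore.sh -r "$archive" 2>&1 | tee "$log"
    if restore_succeeded "$log"; then
        service hostcontext start
    else
        echo "leaving hostcontext stopped; inspect $log" >&2
        return 1
    fi
}

if [ "$#" -gt 0 ]; then restore_and_gate "$1"; fi
```

Leaving hostcontext stopped on failure is the point: a partially restored database behind a running managed host is harder to diagnose than a host that is plainly down, and the log kept under /tmp is what you would hand to support.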


Results

After the hostcontext services are started, the data restore from the backup archive is complete.

What to do next

Add QRadar Risk Manager as a managed host in QRadar.


Adding QRadar Risk Manager to QRadar SIEM

You must add QRadar Risk Manager as a managed host to your QRadar SIEM console.

About this task

The following table describes the default login information for the QRadar SIEM console.

Table 1-2 Default log in information for QRadar SIEM

Option                  Description
https://<IP Address>    The <IP Address> is the IP address of the QRadar SIEM console.
Username:               The default user name is admin.
Password:               The password is the root password that was assigned to QRadar SIEM during the installation process.

Procedure

  1. Open your web browser.
  2. Log in to your QRadar SIEM console.
  3. On the Admin tab, click Deployment Editor .
  4. From the menu, select Actions > Add a Managed Host .
  5. Click Next .
  6. Enter values for the parameters:
  7. Enter the IP of the server or appliance to add - Type the IP address of QRadar Risk Manager.
  8. Enter the root password of the host - Type the root password for the host.
  9. Confirm the root password of the host - Type the password again.
  10. Host is NATed - Select the check box to use an existing Network Address Translation (NAT) on this managed host. For more information about NAT, see the IBM Security QRadar SIEM Administration Guide .
    • Note: If you want to enable NAT for a managed host, the NATed network must be using static NAT translation. For more information, see the IBM Security QRadar SIEM Administration Guide.
  11. Enable Encryption - Select the check box to create an SSH encryption tunnel for the host. To enable encryption between two managed hosts, each managed host must be running QRadar 7.0 or QRadar Risk Manager 7.0.
  12. Enable Compression - Select the check box to enable data compression between two managed hosts. Each managed host must be running at least QRadar 7.0 or QRadar Risk Manager 7.0.
    • Note: If you want to add a non-NATed managed host to your deployment when the Console is NATed, you must change the Console to a NATed host before you add the managed host to your deployment. For more information, see the IBM Security QRadar SIEM Administration Guide.
  13. If you want to select a NATed network, then you must enter values for the following parameters. Otherwise, go to the next step.
  14. Enter public IP of the server or appliance to add - Type the public IP address of the managed host. The managed host uses this IP address to communicate with other managed hosts in different networks using NAT.
  15. Select NATed network - From the list box, select the network that you want this managed host to use.
    • If the managed host is on the same subnet as the Console, select the Console of the NATed network.
    • If the managed host is not on the same subnet as the Console, select the managed host of the NATed network.

      For information about managing your NATed networks, see the IBM Security QRadar SIEM Administration Guide .

  16. Click Next .
  17. Click Finish .
    • Note: This process can take several minutes to complete. If your deployment included undeployed changes, a window is displayed requesting you to deploy all changes.
  18. Click Deploy .

Results

The System View is displayed, including the host in the Managed Hosts pane. You are now ready to clear your cache. The Risks tab is not visible until you clear your browser cache and log in to QRadar SIEM.


Clearing web browser cache

You must clear the web browser cache before you can access the Risks tab in QRadar SIEM.

Before you begin

Ensure that only one web browser is open. If you have multiple browsers open, the cache can fail to clear properly.

If you are using a Mozilla Firefox web browser, you must clear the cache in your Microsoft Internet Explorer web browser too.

Procedure

  1. Open your web browser.
  2. Clear your web browser cache. For instructions, see your web browser documentation.


Document Information

Modified date:
17 June 2018

UID

swg27038708