IBM Support

Setting up Multitenancy with Apps

How To


Summary

From QRadar 7.4.0 onward, the application framework supports multitenancy. To achieve this, the installation of an application is split into two parts:

1) Creating a docker image and pushing it to the docker registry running on the console (this is known as the Application Definition)
2) Starting a docker container using an image stored in the docker registry (this is known as an Application Instance)

From an application perspective, multitenancy means you have one Application Definition but can have multiple Application Instances that use that definition.

Application Instances also require the administrator to specify a security profile ID. This is how multitenancy is achieved for Application Instances: a user only sees, in their UI, the instances of that application that are associated with their security profile.

Steps

To declare that your application supports multitenancy, add the following field to your manifest.json:

"multitenancy_safe": "true"

If your application previously did not support multitenancy, your manifest.json would have contained this field:

"single_instance_only": "true"

Note: Your manifest must contain only one of these fields. Remove single_instance_only if your application now supports multitenancy.

How would a QRadar Administrator set up my application in a multi-tenanted environment?

The application framework allows you to set up “instances” of your application, each associated with a single security profile. An “instance” here means that the framework starts a docker container with the application and associates a security profile with that container/instance.

This means that only users with that security profile will be able to view that particular instance. Note that a security profile of null means all users will be able to see the instance.
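The two rules above (only one of the two manifest fields, and a null security profile being visible to every user) written as a pre-packaging manifest check and an instance audit. This is an added example, not IBM's code: the instance record layout, instance names and profile id 3 are constructed for illustration, and accepting a JSON boolean alongside the string "true" is an assumption.

```python
import json

FLAGS = ("multitenancy_safe", "single_instance_only")  # the two fields named on this page

def is_true(value):
    # Assumption: accept the string "true" shown on the page and a JSON boolean true.
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")

def declared_mode(manifest_text):
    """Return 'multitenant', 'single-instance' or 'unspecified'; raise if both fields exist."""
    manifest = json.loads(manifest_text)
    present = [f for f in FLAGS if f in manifest]
    if len(present) == 2:
        raise ValueError("manifest has both fields; remove single_instance_only")
    if present and is_true(manifest[present[0]]):
        return "multitenant" if present[0] == "multitenancy_safe" else "single-instance"
    return "unspecified"

def visible_to(instances, profile_id):
    """Names of instances a user with profile_id sees: own profile, or null (everyone)."""
    return [i["name"] for i in instances
            if i["security_profile_id"] in (None, profile_id)]

def shared_with_all(instances):
    """Instances with a null security profile, e.g. a default instance started at install."""
    return [i["name"] for i in instances if i["security_profile_id"] is None]

# Constructed sample data. Record field names are hypothetical, not qappmanager output.
GOOD = '{"name": "Gunicorn supervisord", "multitenancy_safe": "true"}'
BOTH = ('{"name": "Gunicorn supervisord", "multitenancy_safe": "true", '
        '"single_instance_only": "true"}')
INSTANCES = [
    {"name": "tenant-one", "security_profile_id": 2},   # securityProfileOne in this tutorial
    {"name": "tenant-two", "security_profile_id": 3},   # constructed second tenant
    {"name": "default", "security_profile_id": None},   # null profile: visible to all users
]

if __name__ == "__main__":
    print(declared_mode(GOOD))
    print(visible_to(INSTANCES, 2))
    print(shared_with_all(INSTANCES))
```

Any name returned by `shared_with_all` is an instance that crosses tenant boundaries and is worth reviewing before handing the deployment to tenants.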

There are two methods of creating an instance of an application and associating it with a security profile:

  1. App Assistant - This application (the shield in the top right-hand corner) now has an Applications tab for application administration tasks
  2. Qappmanager - This is a command line utility for performing application administration tasks, similar to the assistant

How do I install the multitenanted application with no instances?

  • Login to the QRadar UI
  • Navigate to the Admin Tab
  • Click on Extension Management
  • You will then be presented with the Extension Management screen.
    TutorialPic1
  • Click Add
  • Click Browse and select your extension zip containing your application
    TutorialPic2
  • Keep Install immediately ticked and click Add
  • After the application has been validated, a screen similar to the following will appear
  • To create only the Application Definition, clear the "Start a default instance of each app" checkbox at the bottom. If you leave the checkbox ticked, a default application instance will be created with a null security profile, which means the application will be visible to all users with any security profile
    TutorialPic3
  • Once the application has installed, no docker container will be started for it, but you will get a screen similar to this one showing that it has been installed successfully
    TutorialPic4
  • If you press OK on this screen and you have App Assistant v3.0.0 or above, it will prompt you to switch to the assistant to configure instances of the application
    TutorialPic5
  • Click Yes on this dialog, or click No and administer the application instances at a later point via the Shield icon in the top right of the application

How do I create instances of my application in the assistant?

Note: To use the application assistant you will need to create an Authorized Service, if you haven’t already done so.

See the assistant set up instructions at this link: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.apps.doc/t_qradar_adm_soc_assist.html

  • Once set up, click on the shield icon in the top right-hand corner of QRadar
  • Click on the Applications tab on the far right of the assistant app if it hasn’t already been selected
    TutorialPic6
  • In the example above you can see the Application Definition that was created after the Gunicorn supervisord test extension was installed. Note that it says Number of Instances 0
  • Also note the Memory Allowance in the bottom left of the window. You will only be able to start an instance of your application if there is enough memory to do so. The test app above requires the default memory, i.e. 200Mb. We should be allowed to start 2 instances
  • You can free up memory by stopping other instances: use the three dots under Options on the right-hand side of the table and select Stop All Instances

To demonstrate a multi-tenanted setup you need to create another security profile and a user, and associate the “All” user role with that user. We can then set up an instance for this user.

To do this:

  • Click on the extension you wish to add an instance for.
  • Once you click on the extension, it will give you more information about what an application instance is and how you create one
    TutorialPic7
  • Click the three dots under Options and select Create New Instance, as it says above, and a wizard screen similar to the one below will appear.
    As you can see in the screenshot, there is another security profile called securityProfileOne and a new user which uses that security profile with the All user role
    TutorialPic8
  • Create an instance and associate it with the securityProfileOne security profile. Click securityProfileOne and click Next
  • The next wizard screen prompts you to select a user role and shows the user roles associated with users that match the security profile you selected on the previous pane of the wizard
  • In this example select All and click Next
    TutorialPic9
  • The last pane in the wizard shows a summary and gives the option to go Back or Confirm & Create the instance
    TutorialPic10
  • A new entry will be created in the table under the extension, showing the status of the instance creation. The status will change to Running once the instance has been started
    TutorialPic11
  • The screenshot below shows the instance in the Running state
    TutorialPic12
  • The user role pane of the wizard adds the application role to the user role if it was not already ticked, so a deploy may be needed because the user role has changed. To check, go to the Admin tab and deploy changes if required

How to use Augmented Security Profiles in the Assistant

Use Augmented Security Profiles to view the instance as a user with a specific security profile.

  • Navigate to the QRadar Assistant application by clicking on the shield icon in the top right of QRadar
  • Click on the Extension and then on the instance you created in the steps above
  • Click the three dots beside the instance and you will be presented with options similar to this example
    TutorialPic13
  • Note the option to “View as securityPr…” in the popup menu. For test purposes, this gives you the option to view this application instance as if you were logged in as a user with securityProfileOne, the security profile we selected for this instance
  • You will be shown a dialog asking you to confirm that you wish to proceed and explaining how to disable viewing as that security profile once you have tested how the instance appears to a user with the security profile
    TutorialPic14
  • Click Proceed to view as that security profile
  • Note that at the bottom of the QRadar Assistant you will be presented with a banner similar to this
    TutorialPic15
  • This banner is used to turn off the Augmented Security Profile view. To turn it off you would click on the hide link in that banner, but let's test the instance first
  • Refresh your browser
  • The test application adds a tab called Gunicorn supervisord that shows some simple HTML. After refreshing the browser I get the following
    TutorialPic16
  • As you can see, the Gunicorn supervisord tab is now visible while logged in as the admin user
  • Log in as the user associated with securityProfileOne
  • Click on the QRadar Assistant shield icon in the top right again and select Applications if not selected
  • On the banner at the bottom of the screen click on the Click here to hide link
  • Refresh your browser
    TutorialPic17
  • The tab from my application instance is now gone from QRadar
  • Now log in as the user that has that security profile assigned; we've called our user testUserOne
  • When logged in as testUserOne I see the following
    TutorialPic18
  • Note that the Gunicorn supervisord tab is present but some other tabs are missing. This is because the user has the All user role, which does not have the capabilities required for the other tabs to be shown

How do I do the same operations via the command line?


There is a command line utility called qappmanager which provides the same functionality as the QRadar Assistant, but via the CLI.

Before using the utility you should create an authorized service token with admin privileges, similar to the authorized service token you created for the QRadar Assistant.

Let's execute the utility:

  • Log on to your QRadar console and then execute the following

/opt/qradar/support/qappmanager

  • When you execute the utility you will see something similar to the following
    TutorialPicCode1
  • The utility lists the application definitions and instances in two separate tables, as shown in the screenshot, and presents numbered options below them
  • Let's create an instance of the Gunicorn supervisord application definition again and associate it with securityProfileOne, as we did in the QRadar Assistant
  • Type 22 and press enter
    TutorialPicCode2
  • You will then be asked which authorized service token you wish to use for all further interactions with the utility until it closes. Select the correct ID.
    TutorialPicCode3
  • You are then asked which definition you wish to create an application instance from. Our application definition is id 1056, so I enter that and press enter, and we are presented with the following
    TutorialPicCode4
  • At this point, similar to the QRadar Assistant, it prompts me to select a security profile. We'll select the security profile with id 2, as we want to create the instance with securityProfileOne like we did with the Assistant
    TutorialPicCode5
  • It will state that it is creating the application instance, and the table will show that the instance is being created. To refresh the table, type option 20 and press enter
    TutorialPicCode6
  • Note that you may have to refresh the table a couple of times while the instance is being created. It will change to status RUNNING and task status COMPLETED once it has finished
  • Your instance has now been created, as it was with the QRadar Assistant

How do I create an Augmented Security Profile via qappmanager?

As with the QRadar Assistant, we can also create an augmented security profile via qappmanager.

Let's execute the utility again to do this:

  • Log on to your QRadar console and then execute the following

/opt/qradar/support/qappmanager

  • Use option 31, Admin user - add augmented security profile. Type 31 and press enter
  • Again select the authorized service token you created above
    TutorialPicCode7
  • Select the admin user
    TutorialPicCode8
  • We wish to view as securityProfileOne, as in my example in the QRadar Assistant, so we type 2 and press enter. It will then display that admin has securityProfileOne set up as an Augmented Security Profile
    TutorialPicCode9
  • If you were then to log in as the admin user, the tab would again be visible, as you are viewing as securityProfileOne
  • To remove the augmented security profile type 32 and press enter.
    TutorialPicCode10
  • To remove securityProfileOne, type 2 and press enter. It will state that the augmented security profile will be removed
    TutorialPicCode11
  • To list the augmented security profiles type 30 and press enter.
    TutorialPicCode12
To exit qappmanager, type 0 and press enter.

Document Location

Worldwide


Document Information

Modified date:
30 March 2021

UID

ibm16437481