IBM Support

QRadar: How to validate downloads from IBM Fix Central are trusted and code signed

How To


Summary

The files that you download from IBM Fix Central for the IBM Security QRadar product are digitally signed. Administrators can use these instructions to verify the integrity of these files and confirm that they originated from IBM and were not modified by an external source.

Objective

All files posted to IBM Fix Central for QRadar include the software download, a signature file, and a SHA256 sum. Administrators can download these files and confirm the signature against the provided certificates to verify that the software was created by IBM. The utility uses the provided public key and the signature file generated by IBM development to confirm that the software is from a trusted source.

Overview
  1. Download the verify_signature tool from IBM Fix Central.
  2. Download QRadar software from IBM Fix Central.
  3. Extract and run the utility to confirm the signature file and software matches.

Note: Depending on the age of the file, not all software posted to IBM Fix Central includes a signature file. Software posted before September 2021 might not include a signature file. IBM's policy is to include signature files as new software is posted to IBM Fix Central.

Environment

Administrators can use any Linux system or the QRadar appliance to confirm that software was created by IBM by using the public key provided with the verify_signature utility. The appliance must have Internet access and must be able to connect to http://ocsp.digicert.com to validate software signatures.

Steps

  1. Download the Codesigning.tgz script from IBM Fix Central.
  2. Download QRadar software.
    Note: If you use HTTPS or SFTP with IBM Fix Central, you must download both the software and the associated signature (sig) file.
  3. Copy the files to the QRadar Console.
  4. Create a directory for the code signing utility, such as /store/codesigning.
    mkdir /store/codesigning
  5. Copy both files to the /store/codesigning directory on the QRadar Console or any Linux host that has Internet access.
  6. To extract the code signing script, type:
    tar -zxvf codesigning.tgz
  7. To ensure the file can run, type:
    chmod +x verify_signature.sh
  8. Type the following command:
    sh verify_signature.sh -s <signatureFilename> -f <fileSigned> -c <certificateBundleFile>
    For example,
    sh verify_signature.sh -s 743_QRadar_FixPack2_2020.11.2.20210810221124.sfs.sig -f 743_QRadar_FixPack2_2020.11.2.20210810221124.sfs -c certificate_bundle.pem
  9. Wait for output from the verify_signature.sh utility. Validation might take several minutes to complete because the utility confirms the signature against the public key provided by IBM and also checks the status of the IBM signing certificate remotely with the DigiCert OCSP responder.

    Results
    If successful, an 'OK: The file signature verification succeeded' message is displayed. If the validation check fails, you might have an expired public key or a communication error. For reference, example outputs for the success, failure, and connection refused messages are provided.
  • OK: The file signature verification succeeded.

    The following output is an example of a successful check that the signature provided with the software matches IBM's public key. A successful test confirms that the software tested was developed and distributed by IBM. Administrators who want to take the extra step of confirming that the SHA256 sum matches can do so when required by their corporate security policies.

    Signature file 743_QRadar_FixPack2_2020.11.2.20210810221124.sfs.sig provided.
    Signed file 743_QRadar_FixPack2_2020.11.2.20210810221124.sfs provided.
    Certificate file certificate_bundle.pem provided.
    certificate_bundle.pem: OK
    Verified OK
    OK: The modulus of the public key and certificate are identical.
    0
    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: 915DEAC5D1E15E49646B8A94E04E470958C9BB89
              Issuer Key Hash: 6837E0EBB63BF85F1186FBFE617B088865F44E42
              Serial Number: 057E7EBAC0F6D92AE8ABCBC63061CAD7
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: 6837E0EBB63BF85F1186FBFE617B088865F44E42
        Produced At: Sep 16 13:06:54 2021 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 915DEAC5D1E15E49646B8A94E04E470958C9BB89
          Issuer Key Hash: 6837E0EBB63BF85F1186FBFE617B088865F44E42
          Serial Number: 057E7EBAC0F6D92AE8ABCBC63061CAD7
        Cert Status: good
        This Update: Sep 16 12:51:02 2021 GMT
        Next Update: Sep 23 12:06:02 2021 GMT
    
        Signature Algorithm: sha384WithRSAEncryption
    Response verify OK
    cert-00: good
            This Update: Sep 16 12:51:02 2021 GMT
            Next Update: Sep 23 12:06:02 2021 GMT
    OK: The file signature verification succeeded.
  • ERROR: Failed to verify the file signature

    If the utility fails to verify the signature, the signature file is likely corrupted. Administrators who see the message "ERROR: Failed to verify the file signature" can download the signature file from IBM Fix Central a second time and confirm whether the error repeats.

    What to do

    • Confirm the signature file is not zero bytes.
    • Download the signature file from IBM Fix Central and run the verify_signature utility a second time.
    • If you continue to experience errors, contact QRadar Support.
      Note: QRadar Support can verify on a lab appliance whether the signature posted to IBM Fix Central is valid. If you open a case, include the download link for the files that you are attempting to validate from IBM Fix Central.
    Example output:
    Signature file 743_QRadar_FixPack2_2020.11.2.20210810221124.sfs.sig provided.
    Signed file 743_QRadar_FixPack2_2020.11.2.20210810221124.sfs provided.
    Certificate file certificate_bundle.pem provided.
    certificate_bundle.pem: OK
    Verification Failure
    ERROR: Failed to verify the file signature.
    Contact customer support or refer to the signing document at https://ibm.biz/qradarcodesigning.
  • ERROR: The IBM public certificate validation check failed.

    If the certificate and signature do not match, download the QRadar software and signature again from IBM Fix Central, or ensure that you have the latest version of the codesigning.tgz bundle from IBM Fix Central. Software that does not pass validation is not trusted.

    The verify_signature utility checks the following conditions:

    • The certificate bundle is valid and decodes properly.
      If the certificate bundle fails multiple times, download codesigning.tgz again to confirm that you have the latest version. Optionally, you can manually test the certificates with the instructions in the Additional Information section of this technical note.
    • The signature file is valid and loads properly.
      If the signature file does not match, the software is untrusted. Download the latest codesigning bundle from IBM Fix Central to confirm that the signature is not corrupted. If you continue to experience errors, contact QRadar Support.
    • The modulus matches the signature and the certificate bundle.
      If the modulus does not match, the software is untrusted. Administrators can download the software again from IBM Fix Central or manually confirm that the certificates are valid with the instructions in the Additional Information section of this technical note.

    Example error of a bad certificate bundle:
    Signature file 743_QRadar_FixPack2_2020.11.2.20210810221124.sfs.sig provided.
    Signed file 743_QRadar_FixPack2_2020.11.2.20210810221124.sfs provided.
    Certificate file certificate_bundle.pem provided.
    unable to load certificates
    140215464757136:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:829:
    ERROR: The certificate bundle provided is not a trusted file.


  • Connection refused

    If you receive a connection refused error, verify that you have access to http://ocsp.digicert.com.

    Example error message when the appliance cannot verify signatures due to a network issue:

    Signature file 202161_QRadar_patchupdate-2021.6.1.20210910160507.sfs.sig provided.
    Signed file 202161_QRadar_patchupdate-2021.6.1.20210910160507.sfs provided.
    Certificate file certificate_bundle.pem provided.
    certificate_bundle.pem: OK
    Verified OK
    OK: The modulus of the public key and certificate are identical.
    curl: (7) Failed connect to ocsp.digicert.com:80; Connection refused
    ERROR: Unable to validate the certificate due to failure to connect to http://ocsp.digicert.com. 
    Please check your network policy.


    To confirm access

    1. Use SSH to log in to the QRadar Console as the root user.
    2. To confirm that the Console can connect to DigiCert, type:
      curl -Is http://ocsp.digicert.com
      Example success output:
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Age: 1540
      Cache-Control: public, max-age=300
      Content-Type: application/ocsp-response
      Date: Fri, 17 Sep 2021 13:46:19 GMT
      Etag: "5f46cfe9-5"
      Last-Modified: Wed, 26 Aug 2020 21:11:05 GMT
      Server: ECS (dcb/7F3C)
      X-Cache: HIT
      Content-Length: 5

      Results
      If successful, an HTTP/1.1 200 OK response is returned on the command line. If you experience any errors, contact your corporate firewall team to add an exception for http://ocsp.digicert.com.

Additional Information

Manually validating that files are code signed

Administrators who want to manually confirm the output of the code signing tool can run the following commands to double-check an output or to confirm that files are code signed by IBM.

  1. Using openssl, validate that the certificates from IBM Fix Central are trusted. For example,
    openssl verify -x509_strict -untrusted chain0.pem certificate.pem
    The output reports certificate.pem: OK when the certificates are trusted.
  2. To verify that the certificate was generated by IBM, type:
    openssl x509 -inform pem -in certificate.pem -noout -subject -issuer -startdate -enddate
    The output shows the subject, issuer, and validity dates of the certificate; the subject must identify IBM.
  3. To create a public key from the certificate, type:
    openssl x509 -pubkey -noout -in certificate.pem > public.pem
  4. Verify the software against the signature file from IBM Fix Central.
    openssl dgst -sha256 -verify public.pem -signature <filename.sig> <software.sfs>
    The output Verified OK confirms that the software is valid.


    Note: An error might be displayed during certificate verification if you do not have the DigiCert CA. If you do not have the DigiCert CA, you can add the DigiCert root CA to your CA path, or you can pass it to the verify command with the -CAfile option. The root certificate that is needed is "DigiCert Assured ID Root CA", which can be obtained and verified from https://www.digicert.com/kb/digicert-root-certificates.htm.

About signature files

Code signed files allow administrators to confirm that software was compiled by IBM Development teams. As part of IBM's ongoing security procedures, all software posted to IBM Fix Central must be code signed. By publishing the public certificate PEM files, this policy allows organizations to confirm that the software was developed by IBM and not by an outside threat actor.

Confirming sha256 sums for a download

SHA256 sums confirm that a file matches a known output, which tells administrators whether a file was altered or downloaded incorrectly. The purpose of checking the sha256 sum is to confirm the integrity of the software against the value in the IBM sha256 file. QRadar Support typically advises users to validate the SHA256 sum before installing any software to confirm the integrity of the download.

Procedure

  1. Download the QRadar Software from IBM Fix Central.
  2. Download the sha256 sum file.
  3. Copy the software and sha256 sum to the QRadar Console.
  4. To view the sha256 sum of the file, type:
    sha256sum <filename>
  5. Confirm that the sum matches the value in the sha256 sum file provided by IBM.

    Results
    If the sums match, the file integrity is confirmed and the file was not corrupted when it was downloaded from IBM Fix Central. Administrators who want to confirm that the software was created by IBM and not modified by an outside source can use the verify_signature utility.
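The manual openssl steps from the Additional Information section and the sha256 procedure above, combined into one offline script as an added example (this is not IBM's verify_signature.sh and not code from this note). It assumes openssl and sha256sum are installed; the certificate, payload, signatures and .sha256 file it checks are constructed throwaway material, and the -x509_strict chain check is kept as a function for use with real chain0.pem and certificate.pem files.

```shell
#!/bin/sh
# Added example, not IBM's verify_signature.sh: the manual openssl steps and the
# sha256 check from this note, as shell functions. Runs offline; the OCSP revocation
# check that the IBM utility performs is not reproduced here.

# Step 1: confirm the signing certificate chains to a trusted root (-x509_strict as in
# the note). $1 = certificate.pem, $2 = chain0.pem, $3 = optional root CA file (-CAfile).
verify_cert_chain() {
    if [ -n "$3" ]; then
        openssl verify -x509_strict -CAfile "$3" -untrusted "$2" "$1"
    else
        openssl verify -x509_strict -untrusted "$2" "$1"
    fi
}

# Steps 3 and 4: extract the public key from the certificate and verify the detached
# signature. $1 = certificate.pem, $2 = <filename.sig>, $3 = <software.sfs>.
# Succeeds only when openssl prints exactly "Verified OK".
verify_file_signature() {
    pub=$(mktemp) || return 1
    openssl x509 -pubkey -noout -in "$1" > "$pub" 2>/dev/null || { rm -f "$pub"; return 1; }
    out=$(openssl dgst -sha256 -verify "$pub" -signature "$2" "$3" 2>/dev/null || true)
    rm -f "$pub"
    [ "$out" = "Verified OK" ]
}

# SHA256 procedure: compare the file's digest with the first field of the IBM
# .sha256 file, so it works whether or not that file also lists the filename.
verify_sha256() {
    expected=$(awk 'NR==1 {print tolower($1)}' "$2" 2>/dev/null)
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Constructed demo material (stands in for the IBM downloads): a throwaway self-signed
# certificate, a dummy .sfs payload, its detached signature, a .sha256 file, and a
# second signature made with an unrelated key that must NOT verify. Prints the directory.
make_demo_material() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/key.pem" \
        -out "$d/certificate.pem" -subj "/CN=demo-signer" -days 1 >/dev/null 2>&1 || return 1
    openssl genrsa -out "$d/other.pem" 2048 >/dev/null 2>&1 || return 1
    printf 'demo fix pack payload\n' > "$d/demo.sfs"
    openssl dgst -sha256 -sign "$d/key.pem" -out "$d/demo.sfs.sig" "$d/demo.sfs" || return 1
    openssl dgst -sha256 -sign "$d/other.pem" -out "$d/wrong-key.sig" "$d/demo.sfs" || return 1
    sha256sum "$d/demo.sfs" > "$d/demo.sfs.sha256"
    printf '%s\n' "$d"
}
```

A signature made with the wrong key, or a payload changed after signing, fails verify_file_signature; a changed payload also fails verify_sha256, which is why the note recommends both checks.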

I cannot validate my files are code signed

Confirm that you have the latest version of the code signing utility from IBM Fix Central. The public key required to validate files provided by IBM can expire. If the public key is expired, download the codesigning bundle again from IBM Fix Central. As the public keys expire, the bundle is replaced on IBM Fix Central by the IBM Security team.


Document Location

Worldwide


Document Information

Modified date:
21 September 2021

UID

ibm16450122