How To
Summary
This article describes how to change, add, or replace an expired TLS Syslog certificate in QRadar.
Objective
QRadar administrators can change, add, or replace an expired TLS Syslog certificate in QRadar:
- If the target TLS Syslog is on the QRadar on Cloud Console, you need to open a support case as described in the article Overview of sending TLS Syslog to QRoC Console.
- The information described here applies to QRadar SIEM (on-premises) or QRadar on Cloud (Data Gateway appliance) environments.
Environment
When you specify a certificate for a TLS Syslog log source, several options are available:
- Generated certificate (default).
- PEM certificate and private key.
- PKCS12 certificate chain and password.
- Choose from QRadar Certificate Store.
Tip: To manage or import new certificates, use the QRadar Certificate Management app.
Figure 1: If you are unsure of the certificate type configured, open your log source and confirm the Server Certificate Type setting.
The administrator needs to follow the section below that corresponds to the chosen option.
Steps
Before you begin
- It is recommended to have a good backup of all files in the /opt/qradar/conf/trusted_certificates/ folder and of the keystore file /opt/qradar/conf/syslog-tls.keystore.
- The default "Generated Certificate" is also used for WinCollect agent communication. Therefore, extra consideration must be taken when you make a change to this certificate.
- The root CA certificate must be copied to /etc/pki/ca-trust/source/anchors, followed by running the command 'update-ca-trust'.
General steps to create a new certificate:
- Create a private key and Certificate Signing Request (CSR) as described in the article Creating SSL certificate signing request, specifying the necessary Common Name (CN).
- Submit the CSR to an internal certificate authority (CA) or a commercial certificate provider and get a signed certificate. Normally, you receive your signed certificate in PEM format.
- Upload the signed certificate together with the private key (from step 1) to QRadar in a temporary folder.
- Combine the full chain of certificates (certificate + rootCA + intermediateCA) into a single file:
cat <signed_cert_filename> [<intermediate_CA_filename>] <rootCA_filename> > cert-chain.pem
Option: Prepare PEM certificate and private key
If you select this option in the Log Source Management app, you must configure the file paths for the server certificate and the private key.
- For TLS Syslog to work, the private key must be in DER-encoded PKCS8 format. The command to convert it:
openssl pkcs8 -topk8 -inform PEM -outform DER -in <your_private>.key -out <your_private>-DER.key -nocrypt
- Copy your prepared certificate and the "DER formatted" private key from step 1 to the /opt/qradar/conf/trusted_certificates/ folder.
- Configure your TLS Syslog log source to use the absolute paths to the certificate and private key files.
Option: Prepare PKCS certificate chain and password
If you select this option in the Log Source Management app, you must configure the file path for the PKCS bundle file and supply the password.
- PKCS12 is an archive file format that can store a bundle of the certificate, root CA, intermediate CA, and private key. To create a PKCS12 keystore, run the following command and provide a protection password as prompted.
openssl pkcs12 -export -in cert-chain.pem -inkey <your_private>.key -name "some_alias" -out <your_cert_file_name>.p12
- Copy the certificate bundle to the /opt/qradar/conf/trusted_certificates/ folder.
- Configure your TLS Syslog log source to use the absolute path to the certificate bundle and the supplied password.
Option: Generated Certificate (the default TLS Syslog certificate):
Depending on the specific need, the administrator uses one of the following options:
- Replace the default TLSSyslog certificate with a custom one:
  - Prepare a PKCS12 bundle as for option "Prepare PKCS certificate chain and password", specifying 'syslog-tls' as the alias.
openssl pkcs12 -export -in cert-chain.pem -inkey <your_private>.key -name "syslog-tls" -out <your_cert_file_name>.p12
  - Import the PKCS12 bundle into the TLSSyslog keystore.
keytool -importkeystore -destkeystore /opt/qradar/conf/syslog-tls.keystore -deststorepass syslog-tls -srcstoretype PKCS12 -srckeystore <full_path_to_your_pkcs12_file> -alias syslog-tls
  - Answer Yes when prompted to overwrite the existing "syslog-tls" alias.
  - Copy the combined PEM file and the "DER formatted" private key from step 1 of the earlier section "Option: Prepare PEM certificate and private key" to the folder /opt/qradar/conf/trusted_certificates/, overwriting the existing ones.
- Reset the default TLSSyslog certificate back to self-signed:
  - Run the command to generate a self-signed certificate:
/opt/qradar/bin/syslog_tls_gen_cert.sh
  - Run the command to import it into the TLSSyslog keystore:
/opt/qradar/bin/syslog_tls_import_cert.sh
- Reset the TLSSyslog keystore
Sometimes the TLS Syslog keystore contains old or expired certificates. Administrators can use the keytool command to remove them. However, the quick way to reset it is:
  - Remove the keystore and the default TLSSyslog certificate:
rm -v /opt/qradar/conf/syslog-tls.keystore
rm -v /opt/qradar/conf/trusted_certificates/syslog-tls.*
  - Restart the ecs-ec-ingress service:
systemctl restart ecs-ec-ingress
Results
QRadar re-creates the keystore, imports certificates from /opt/qradar/conf/trusted_certificates/, and generates the default TLSSyslog certificate. The process of creating the keystore can take a little while. You can monitor the recreation with this command:
watch "ls -ls /opt/qradar/conf/syslog-tls.keystore"
Additional Information
- For the new certificate to take effect, launch the Log Source Management app and disable, then enable the log source.
- Check the new certificate presented on the TLS Syslog port:
openssl s_client -connect 127.0.0.1:<TLSsyslog_port> -showcerts | less
Document Location
Worldwide
Document Information
Modified date:
27 May 2024
UID
ibm16556510