IBM Support

QRadar: How to replace a TLS Syslog certificate

How To


Summary

This article provides steps for when you need to change, add a new, or replace an expired TLS Syslog certificate in QRadar.

Objective

QRadar administrators are able to change, add new, or replace an expired TLSSyslog certificate in QRadar:
  • If the target TLSSyslog is on QRadar on Cloud Console, you need to open a support case as described in article Overview of sending tlssylog to QRoC Console.
  • The information described here is for QRadar SIEM (on-premises) or QRadar on Cloud (Data Gateway appliance) environment.

Environment

When you specify a certificate for a TLSSyslog log source, several options are available:
  1. Generated Certificate (default).
  2. PEM Certificate and Private key.
  3. PKCS12 Certificate Chain and Password.
  4. Choose from QRadar Certificate Store.
    Tip: To manage or import new certificates, use the QRadar Certificate Management app.

Steps

Before you begin
  • Take a backup of all files in the /opt/qradar/conf/trusted_certificates/ folder and of the keystore file /opt/qradar/conf/syslog-tls.keystore before you change anything.
  • The default “Generated Certificate” is also used for WinCollect agent communication. Therefore, extra consideration must be taken when you make a change to this certificate.
1. General steps to create a new certificate
  1. Create a private key and Certificate Signing Request (CSR) as described at article Creating SSL certificate signing request.
  2. Submit CSR to an internal certificate authority (CA) or a commercial certificate provider and get a signed certificate. Normally, you receive your signed certificate in PEM format.
  3. Upload the signed certificate together with private key (from step 1) to QRadar in a temporary folder.
  4. Combine the full chain of certificates (certificate + rootCA + intermediateCA) into a single file:
    cat <signed_cert_filename> [<intermediate_CA_filename>] <rootCA_filename> > cert-chain.pem
2. Prepare PEM Certificate and Private key
  1. For TLSSyslog to work, the private key must be in DER-encoded PKCS8 format. The command to convert:
    openssl pkcs8 -topk8 -inform PEM -outform DER -in <your_private>.key -out <your_private>-DER.key -nocrypt
  2. Copy your prepared certificate and the private key to /opt/qradar/conf/trusted_certificates/ folder.
  3. Configure your TLSSyslog log source to use the absolute path to the certificate and private files.

3. Prepare PKCS Certificate Chain and Password
  1. PKCS12 is an archive file format that can store a bundle of certificate, rootCA, intermediateCA, and private key. To create a PKCS12 keystore, run the following command and provide a protection password when prompted.
    openssl pkcs12 -export -in cert-chain.pem -inkey <your_private>.key -name "some_alias" -out <your_cert_file_name>.p12
  2. Copy the certificate bundle to /opt/qradar/conf/trusted_certificates/ folder.
  3. Configure your TLSSyslog log source to use the absolute path to the certificate and use the supplied password.


4. Replace the default TLSSyslog certificate
QRadar Support recommends administrators install the QRadar Certificate Management app to import the certificate. All certificates are managed by the application and importing certificates is easier than the command line.

  1. Prepare a PKCS12 bundle as for option 3 specifying 'syslog-tls' as the alias.
    openssl pkcs12 -export -in cert-chain.pem -inkey <your_private>.key -name "syslog-tls" -out <your_cert_file_name>.p12
  2. Import the PKCS12 bundle into TLSSyslog keystore.
    keytool -importkeystore -destkeystore /opt/qradar/conf/syslog-tls.keystore -deststorepass syslog-tls -srcstoretype PKCS12 -srckeystore <full_path_to_your_pkcs12_file> -alias syslog-tls
  3. Answer yes when the prompt asks to overwrite the existing “syslog-tls” alias.
  4. Copy the combined PEM file and the private key to folder /opt/qradar/conf/trusted_certificates/ overwriting the existing ones.
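The commands in sections 1 to 4, as an added example that is not part of the IBM article: a POSIX shell script that generates constructed test material (a throwaway root CA and a leaf certificate it signs, standing in for the certificate your CA returns), builds the chain file, converts the key to DER PKCS8, builds the PKCS12 bundle with the syslog-tls alias, and verifies the artifacts before they are copied to /opt/qradar/conf/trusted_certificates/. The file names and the PKCS12 password "changeit" are assumptions.

```shell
#!/bin/sh
# Added example, not from the IBM article: build and verify the TLSSyslog
# artifacts (chain PEM, DER PKCS8 key, PKCS12 bundle) before copying them
# to /opt/qradar/conf/trusted_certificates/. File names and the PKCS12
# password "changeit" are assumptions; the CA and leaf cert are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Constructed input: a throwaway root CA plus a leaf cert it signs, standing
# in for the signed certificate your internal CA or provider returns (step 1.2).
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test Root CA" \
    -keyout "$WORK/rootCA.key" -out "$WORK/rootCA.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=qradar.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/rootCA.pem" -CAkey "$WORK/rootCA.key" \
    -CAcreateserial -days 365 -out "$WORK/server.pem" 2>/dev/null
}

# Step 1.4: signed cert first, then intermediate/root CAs, in one chain file.
build_chain() { cat "$WORK/server.pem" "$WORK/rootCA.pem" > "$WORK/cert-chain.pem"; }

# Step 2.1: TLSSyslog reads the private key only as DER-encoded PKCS8.
convert_key_to_der_pkcs8() {
  openssl pkcs8 -topk8 -inform PEM -outform DER -in "$WORK/server.key" \
    -out "$WORK/server-DER.key" -nocrypt
}

# Steps 3.1 / 4.1: PKCS12 bundle carrying the chain and key under the alias
# the default keystore entry uses.
build_pkcs12() {
  openssl pkcs12 -export -in "$WORK/cert-chain.pem" -inkey "$WORK/server.key" \
    -name "syslog-tls" -passout pass:changeit -out "$WORK/syslog-tls.p12"
}

# Pre-flight checks: chain validates against the CA, the DER key parses, the key
# matches the certificate, the p12 opens with its password, and the cert is
# not within 30 days of expiry (the usual reason to be replacing it).
verify_artifacts() {
  openssl verify -CAfile "$WORK/rootCA.pem" "$WORK/server.pem" >/dev/null || return 1
  openssl pkey -inform DER -in "$WORK/server-DER.key" -noout || return 1
  [ "$(openssl pkey -in "$WORK/server.key" -pubout | openssl sha256)" = \
    "$(openssl x509 -in "$WORK/server.pem" -pubkey -noout | openssl sha256)" ] || return 1
  openssl pkcs12 -in "$WORK/syslog-tls.p12" -passin pass:changeit -noout || return 1
  openssl x509 -in "$WORK/server.pem" -checkend 2592000 -noout >/dev/null || return 1
}

run_all() { make_test_material && build_chain && convert_key_to_der_pkcs8 && build_pkcs12 && verify_artifacts; }
run_all
echo "verified artifacts in $WORK"
```

Once verify_artifacts passes, the p12 is what step 4.2 imports with keytool and the chain PEM and DER key are what step 4.4 copies into the trusted_certificates folder.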
5. Reset the default TLSSyslog certificate back to self-signed
  1. Run command to generate self-signed certificate
    /opt/qradar/bin/syslog_tls_gen_cert.sh
  2. Run command to import it to TLSSyslog keystore
    /opt/qradar/bin/syslog_tls_import_cert.sh
6. Reset the TLSSyslog keystore
Sometimes the TLSSyslog keystore gets filled with old or expired certificates. You can use the keytool command to remove them one by one. However, the quickest way to reset it is:
  1. Remove keystore and the default TLSSyslog certificate
    rm -v /opt/qradar/conf/syslog-tls.keystore
    rm -v /opt/qradar/conf/trusted_certificates/syslog-tls.*
  2. Restart ecs-ec-ingress service
    systemctl restart ecs-ec-ingress
QRadar re-creates the keystore, imports any in-use certificates from /opt/qradar/conf/trusted_certificates/, and generates the default TLSSyslog certificate. Recreating the keystore can take a little while. You can monitor the recreation with this command:
watch "ls -ls /opt/qradar/conf/syslog-tls.keystore"

Additional Information

  • For the new certificate to take effect, launch the Log Source Management app and disable, then enable the log source.
  • Check the new certificate:
    openssl s_client -connect 127.0.0.1:<TLSsyslog_port> -showcerts | less


Document Information

Modified date:
01 November 2022

UID

ibm16556510