IBM Support

QRadar: How to prepare certificates for SAML integration

How To


Summary

This article provides the steps to prepare certificates to integrate QRadar® with SAML authentication.

Objective

QRadar administrators are able to integrate SAML authentication.

Environment

SAML authentication has strict requirements on the certificates that are used for the integration. The administrator must perform the following steps on the Console over SSH as root.

Steps

  1. Verify that the certificate and private key are a matched pair.
    For a matching pair, the MD5 hashes of their moduli must be identical:
    openssl rsa -modulus -noout -in <private_key> | openssl md5
    openssl x509 -modulus -noout -in <public_cert> | openssl md5
    Example:
    [root@qradar newcerts]# openssl rsa -modulus -noout -in qradar.key | openssl md5
    06d8ced824079382d51043486101fe17
    [root@qradar newcerts]# openssl x509 -modulus -noout -in qradar.cert | openssl md5
    06d8ced824079382d51043486101fe17
  2. Verify that the certificate has the "Key Encipherment" key usage.
    Run the following command:
    openssl x509 -noout -text -in <public_cert>
    Look for the section "X509v3 extensions" -> "X509v3 Key Usage". It must include "Key Encipherment".
    (Screenshot: X509v3 Key Usage listing Key Encipherment)

    If it does not, ask the PKI team to reissue the certificate with the "Key Encipherment" key usage. Without "Key Encipherment", QRadar can produce the following error:
    Invalid_Cert_Usage
  3. Verify that the CRL URI is accessible from the QRadar Console.
    Use the same command as in step 2. Look for the section "X509v3 extensions" -> "X509v3 CRL Distribution Points":
        X509v3 CRL Distribution Points:
            Full Name:
               URI:http://alpha.ibm.lab/r.crl
    Check that the Console can reach that URI.
    If the URI is not reachable, QRadar can generate the following error:
    [tomcat.tomcat] [[email protected] (9074) /console/do/qradar/SAMLAuthCertConfig] Caused by:
    [tomcat.tomcat] [[email protected] (9074) /console/do/qradar/SAMLAuthCertConfig] com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CRLException: Error in generating crl from URLhttp://alpha.ibm.lab/r.crl
    ...
    [tomcat.tomcat] [[email protected] (9074) /console/do/qradar/SAMLAuthCertConfig] Caused by:
    [tomcat.tomcat] [[email protected] (9074) /console/do/qradar/SAMLAuthCertConfig] java.net.ConnectException: Connection timed out (Connection timed out)
  4. Convert the private key to DER-encoded PKCS8 format.
    The private key must be in DER-encoded PKCS8 format before it can be imported.
    openssl pkcs8 -topk8 -inform PEM -outform DER -in <private_key> -out <private_key_DER> -nocrypt
    Example:
    [root@qradar newcerts]# openssl pkcs8 -topk8 -inform PEM -outform DER -in qradar.key -out qradar.DER.key -nocrypt
    Note: Importing a private key that is not in DER-encoded PKCS8 format can produce the following error:
    qr742-3199-11153 tomcat[31103]: java.security.InvalidKeyException: could not DER encode: algid parse error, not a sequence
  5. Verify the full chain of certificates.
    Use the following command to verify that the certificate chain is valid.
    openssl verify -CAfile <rootCA_cert> -untrusted <intermediateCA_Cert> <public_cert>
  6. Combine the intermediate certificates. The SAML certificate import interface has only two fields for CA certificates.
    (Screenshot: SAML certificate import form)
    If the chain has more than one intermediate certificate, they must be combined into one file.
    (Screenshot: certificate chain)
    cat intermediateCA_2.cert intermediateCA.cert > intCA_bundle.cert
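As an added example (not IBM's code and not part of this note), the following POSIX shell script wraps steps 1 through 6 above in functions so the checks can be run in one pass on the Console before the import is attempted. The script name, the example.test host names and the curl probe used for step 3 are assumptions; the root/intermediate/leaf chain that make_test_chain builds is constructed on the fly so the script can be exercised offline, and is replaced by your own files in real use.

```shell
#!/bin/sh
# Added example, not IBM's code: scripts the six pre-import checks from this
# note. Assumes openssl and curl are on the PATH (both ship on a QRadar
# Console). make_test_chain builds a throw-away root -> intermediate -> leaf
# chain so the checks can be exercised offline; use your real files instead.
set -eu

WORK=$(mktemp -d)

# Step 1: a key and certificate belong together when their modulus hashes match.
key_cert_match() {
  k=$(openssl rsa -modulus -noout -in "$1" | openssl md5)
  c=$(openssl x509 -modulus -noout -in "$2" | openssl md5)
  [ "$k" = "$c" ]
}

# Step 2: "X509v3 Key Usage" must include Key Encipherment, or the import
# fails with Invalid_Cert_Usage.
has_key_encipherment() {
  openssl x509 -noout -text -in "$1" | grep -A1 'X509v3 Key Usage' | grep -q 'Key Encipherment'
}

# Step 3: read the CRL distribution point out of the certificate and probe it
# from the Console; a timeout here is what surfaces as the Q1CRLException.
crl_uri() {
  openssl x509 -noout -text -in "$1" | sed -n 's/^ *URI:\(http[^ ]*\).*/\1/p' | head -n 1
}
crl_reachable() {
  curl -fsS --max-time 10 -o /dev/null "$1"
}

# Step 4: QRadar imports only DER-encoded PKCS#8 private keys.
to_pkcs8_der() {
  openssl pkcs8 -topk8 -inform PEM -outform DER -in "$1" -out "$2" -nocrypt
}
is_pkcs8_der() {   # fails on a PEM key or a traditional (PKCS#1) DER key
  openssl pkcs8 -inform DER -nocrypt -in "$1" -out /dev/null 2>/dev/null
}

# Step 5: the leaf must verify against the root CA via the intermediate(s);
# the -untrusted file may be a bundle of several intermediates.
chain_valid() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Step 6: the import form has a single field for intermediates, so concatenate
# them into one file (as the note does with cat) and report how many went in.
bundle_intermediates() {
  out=$1; shift
  cat "$@" > "$out"
  grep -c 'BEGIN CERTIFICATE' "$out"
}

# Constructed test material: a root CA, one intermediate, a leaf with Key
# Encipherment and a CRL URI, plus a second leaf certificate on the same key
# that lacks Key Encipherment (to show the step 2 check failing).
make_test_chain() (
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj '/CN=Test Root CA' \
    -keyout root.key -out root.cert 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate CA' \
    -keyout int.key -out int.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
  openssl x509 -req -sha256 -days 2 -in int.csr -CA root.cert -CAkey root.key \
    -CAcreateserial -extfile int.ext -out int.cert 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=qradar.example.test' \
    -keyout qradar.key -out qradar.csr 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > leaf.ext
  printf 'crlDistributionPoints=URI:http://crl.example.test/qradar.crl\n' >> leaf.ext
  openssl x509 -req -sha256 -days 2 -in qradar.csr -CA int.cert -CAkey int.key \
    -CAcreateserial -extfile leaf.ext -out qradar.cert 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > weak.ext
  openssl x509 -req -sha256 -days 2 -in qradar.csr -CA int.cert -CAkey int.key \
    -CAcreateserial -extfile weak.ext -out no_keyenc.cert 2>/dev/null
)

# Usage on the Console (script name is an assumption):
#   sh saml_cert_check.sh qradar.key qradar.cert rootCA.cert intermediateCA.cert [more intermediates...]
if [ "$#" -ge 4 ]; then
  key=$1 cert=$2 root=$3; shift 3
  key_cert_match "$key" "$cert"  && echo "1. key/cert pair: ok"     || echo "1. key/cert pair: MISMATCH"
  has_key_encipherment "$cert"   && echo "2. Key Encipherment: ok" || echo "2. Key Encipherment: MISSING"
  uri=$(crl_uri "$cert")
  crl_reachable "$uri"           && echo "3. CRL $uri: reachable"  || echo "3. CRL $uri: NOT reachable"
  to_pkcs8_der "$key" "${key%.*}.DER.key" && echo "4. wrote ${key%.*}.DER.key"
  n=$(bundle_intermediates intCA_bundle.cert "$@")
  chain_valid "$root" intCA_bundle.cert "$cert" && echo "5. chain: ok" || echo "5. chain: FAILED"
  echo "6. intCA_bundle.cert holds $n intermediate certificate(s)"
fi
```

Each function exits non-zero when its check fails, so the script can also be used piecemeal (for example, `chain_valid rootCA.cert intCA_bundle.cert qradar.cert` after bundling) and the combined bundle doubles as the -untrusted file for step 5.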

Result
The certificate is saved in the user interface without an error. If you are unable to save your certificate after you complete the steps in this technical note, contact QRadar Support for assistance.

Additional Information


Document Location

Worldwide


Document Information

Modified date:
03 April 2023

UID

ibm16966242