How To
Summary
Certificates in QRadar can expire. There are specific steps that are required before and after you reset the certificates to ensure that services that use those certificates work correctly.
Objective
Steps
To view the files and their progress, tail the appropriate logs located in the /var/log/ca directory.
Open a terminal session to the Console as root and run the following commands.
screen [enter]
cd /root
OR, on 7.5.0 UP8+:
tmux [enter]
cd /root
Note: If you skip this step and your session times out, you must reset the certificates again.
Run the following command to clear the certificate signing requests.
/opt/qradar/support/clear_csr.py
Wait until all of the files are removed and re-created. Once this step is completed, run one of the following options:
Using the default QRadar Local CA certificate
rm -rf /opt/qradar/ca/certs/*; /opt/qradar/ca/bin/reset-qradar-ca.sh all --reset
Using a Custom or non-QRadar CA certificate
Example: Verisign, GoDaddy, ...
sed -e "s@\"CertSkip\":[ \t]*\".*\"@\"CertSkip\":\"true\"@" -i /opt/qradar/ca/conf.d/httpd.json; rm -rf /opt/qradar/ca/certs/*; /opt/qradar/ca/bin/reset-qradar-ca.sh all --reset
In the examples, the sed command modifies the file httpd.json by changing the value of the CertSkip key from its original value. The value is set to false or true depending on the type of certificates that we intend to change. For a deployment that uses QRadar CA certificates, the value is changed to false. In a deployment that uses a Custom CA certificate, the value is set to true. This certificate is a Custom CA certificate from a verified certificate authority, and we do not want to change or replace this certificate.
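The substitution can be previewed on a copy before it is run against the live file. This is an added example, not IBM's code: the function names are hypothetical and the sample JSON is constructed, since the page does not show the other keys in httpd.json. It also shows why the file is worth re-checking afterwards: the expression's greedy .* would overwrite neighbouring keys if they shared a line with CertSkip.

```shell
#!/bin/bash
# Added example (not IBM's code): preview the CertSkip substitution on a copy
# of httpd.json and confirm nothing else in the file changed.

# Print the current CertSkip value, or nothing if the key is absent.
certskip_value() {
    sed -n 's@.*"CertSkip":[ \t]*"\([^"]*\)".*@\1@p' "$1"
}

# Apply the page's sed expression, with the value as a parameter, to a
# temporary copy; the original file is left untouched. Prints the copy's path.
preview_certskip() {
    local src=$1 value=$2 copy
    case $value in
        true|false) ;;
        *) echo "value must be true or false" >&2; return 2 ;;
    esac
    copy=$(mktemp) || return 1
    cp -- "$src" "$copy"
    sed -e "s@\"CertSkip\":[ \t]*\".*\"@\"CertSkip\":\"$value\"@" -i "$copy"
    echo "$copy"
}

# Succeeds only if the two files are identical once the CertSkip value is
# masked, i.e. the substitution touched that value and nothing else.
only_certskip_changed() {
    local mask='s@"CertSkip":[ \t]*"[^"]*"@"CertSkip":"X"@'
    [ "$(sed "$mask" "$1")" = "$(sed "$mask" "$2")" ]
}

# Constructed sample input: key names other than CertSkip are placeholders.
sample=$(mktemp)
printf '{\n  "Name": "httpd",\n  "CertSkip": "false",\n  "Other": "x"\n}\n' > "$sample"
copy=$(preview_certskip "$sample" true)
echo "CertSkip: $(certskip_value "$sample") -> $(certskip_value "$copy")"
only_certskip_changed "$sample" "$copy" && echo "one key per line: only CertSkip changed"

# Same keys on a single line: the greedy .* runs to the last quote on the line.
oneline=$(mktemp)
printf '{"CertSkip": "false", "Other": "x"}\n' > "$oneline"
copy1=$(preview_certskip "$oneline" true)
only_certskip_changed "$oneline" "$copy1" || echo "single line: other keys were overwritten"
```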
When the command completes, a restart of services is required. During the certificate creation, the keystore is updated with the new certificates. A Deploy Full Configuration is necessary after a restart of those services.
Stop the services, clear out the tomcat cache and restart the services.
a) Execute the following commands on the console from version 7.4.3 to 7.5.0 UP7.
systemctl stop hostcontext tomcat hostservices; rm -rf /opt/tomcat/work/Catalina; systemctl restart conman traefik docker; systemctl daemon-reload; systemctl start hostservices tomcat hostcontext; $(locate wait_for_start.sh | tail -1)
b) Execute the following commands on the console for version 7.5.0 UP8 and later.
systemctl stop hostcontext tomcat hostservices; rm -rf /opt/tomcat/work/Catalina; systemctl restart conman traefik podman; systemctl daemon-reload; systemctl start hostservices tomcat hostcontext; $(locate wait_for_start.sh | tail -1)
Note: The provided command stops the application framework services, hostcontext, tomcat, and hostservices. The 'rm -rf /opt/tomcat/work/Catalina' command removes the Catalina directory where Tomcat cache is stored. The Tomcat cache is rebuilt automatically when services start, so it is safe to remove these files.
If an AppHost is connected to the deployment, stop and start the following services on the AppHost.
a) Execute the following commands on the console from version 7.4.3 to 7.5.0 UP7.
ssh <apphost>
systemctl stop hostcontext hostservices; systemctl restart conman traefik docker; systemctl daemon-reload; systemctl start hostservices hostcontext; $(locate wait_for_start.sh | tail -1)
b) Execute the following commands on the console for version 7.5.0 UP8 and later.
ssh <apphost>
systemctl stop hostcontext hostservices; systemctl restart conman traefik podman; systemctl daemon-reload; systemctl start hostservices hostcontext; $(locate wait_for_start.sh | tail -1)
- To apply the changes to all appliances, you must complete a Deploy Full Configuration from the Console. For more information, see QRadar: Impact of Deploy Full Configuration on events, flows, and offenses.
- Open the console UI by navigating to https://<ip-address>/console.
- Log in to the QRadar console as an administrator.
- Click the Admin tab.
- Click Advanced > Deploy Full Configuration.
- When prompted, click Continue.

Results
After the system completes the Deploy Changes, the system is ready to use those certificates. To confirm the certificates have all been reset successfully:
For QRadar 7.4.2+, run the following command on the console.
for i in $(/opt/qradar/ca/bin/si-qradarca list -print | grep -v /etc/httpd-qif/tls//httpd-qif.cert | grep -v /etc/ziptie-server/tls/certs/ziptie-server.cert | awk -F, '{print $4}' | sort | uniq); do echo $i; openssl verify -CAfile /etc/pki/tls/cert.pem $i; done
For QRadar 7.5.0 UP8+, run the following command on the console.
for i in $(/opt/qradar/ca/bin/si-qradarca list -print | grep -v /etc/ziptie-server/tls/certs/ziptie-server.cert | grep -v /etc/httpd-qrm/tls/cert.cert | awk -F, '{print $4}' | sort | uniq); do echo $i; openssl verify -CAfile /etc/pki/tls/cert.pem $i; done
A list of certificates that are changed as a result of this process looks similar to the following:
/etc/httpd/conf/certs/cert.cert
/etc/conman/tls/conman_ca.crt
/etc/conman/tls/conman.cert
/etc/tomcat/tls/conman/tomcat-client-conman.cert
/etc/docker-distribution/tls/docker-distribution_ca.crt
/etc/docker-distribution/tls/docker-distribution.cert
/etc/docker/tls/registry/docker-client-registry.cert
/opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML_ca.crt
/opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML.crt
/etc/docker/tls/si-docker_ca.crt
/etc/docker/tls/si-docker.cert
/etc/traefik/tls/docker/traefik-client-docker.cert
/etc/traefik/tls/traefik_ca.crt
/etc/traefik/tls/traefik.cert
/etc/tomcat/tls/traefik/tomcat-client-traefik.cert
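Since the reason for this procedure is certificate expiry, the verification loop above can be extended to report how close each certificate is to its end date. This is an added example, not IBM's code: the function names are hypothetical and the demo certificate is a constructed, throwaway self-signed one.

```shell
#!/bin/bash
# Added example (not IBM's code): verify a certificate against a CA bundle
# and flag it if it expires within a given number of days.

# Prints "<STATUS> <path> <notAfter>"; STATUS is OK, EXPIRING or FAIL.
# Returns 0 for OK, 2 for EXPIRING, 1 for FAIL.
cert_status() {
    local cafile=$1 cert=$2 days=${3:-30} end
    # Same check as the page's loop; match the "path: OK" line openssl prints.
    if ! openssl verify -CAfile "$cafile" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "FAIL $cert -"
        return 1
    fi
    end=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
    # -checkend N exits 0 if the certificate is still valid N seconds from now.
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null; then
        echo "OK $cert $end"
    else
        echo "EXPIRING $cert $end"
        return 2
    fi
}

# Constructed throwaway self-signed certificate (valid 10 days) for the demo;
# it acts as its own CA file here. Prints the certificate's path.
make_demo_cert() {
    local dir
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj "/CN=example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    echo "$dir/cert.pem"
}

demo_cert=$(make_demo_cert)
cert_status "$demo_cert" "$demo_cert" 30 || true   # fewer than 30 days left
cert_status "$demo_cert" "$demo_cert" 5  || true   # more than 5 days left
```

On a Console, the paths produced by the si-qradarca loop above can be passed to cert_status with /etc/pki/tls/cert.pem as the CA file.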
Document Location
Worldwide
Document Information
Modified date:
10 March 2025
UID
ibm16989385