IBM Support

QRadar: How to reset certificates

How To


Summary

Certificates in QRadar can expire. There are specific steps that are required before and after you reset the certificates to ensure that services that use those certificates work correctly.

Objective

To assist customers in resetting QRadar Certificates by following the required commands.

Steps

In 7.4.3 or later, the log files that previously displayed the progress of the certificate creation are located in /var/log/ca.
To follow the progress, tail the appropriate log file in the /var/log/ca path.
  1. Open a terminal session to the Console as root and run the following commands.
    screen [enter]
       cd /root
    
    or 
    
    tmux [enter]
       cd /root
    Note: If you skip this step and your session times out, you must reset the certificates again.
  2. Run the following command to clear the certificate signing requests. 
    /opt/qradar/support/clear_csr.py
    Wait until all of the files are removed and re-created. Once this step is completed, run one of the following options: 
    1. Using the default QRadar CA certificate 
      sed -e "s@\"CertSkip\":[ \t]*\".*\"@\"CertSkip\":\"false\"@" -i /opt/qradar/ca/conf.d/httpd.json; rm -rf /opt/qradar/ca/certs/*; /opt/qradar/ca/bin/reset-qradar-ca.sh all --reset
    2. Using a Custom or non-QRadar CA certificate 
      Example: Verisign, GoDaddy, ...
      sed -e "s@\"CertSkip\":[ \t]*\".*\"@\"CertSkip\":\"true\"@" -i /opt/qradar/ca/conf.d/httpd.json; rm -rf /opt/qradar/ca/certs/*; /opt/qradar/ca/bin/reset-qradar-ca.sh all --reset
      
    In both examples, the sed command modifies the file httpd.json by changing the value of the CertSkip key from its original value to false or true, depending on the type of certificate that is in use. For a deployment that uses QRadar CA certificates, the value is set to false so that the reset script regenerates the certificate. For a deployment that uses a custom CA certificate, the value is set to true so that the reset skips it: that certificate was issued by an external, verified certificate authority and is not to be changed or replaced.
    When the command completes, a restart of services is required. During the certificate creation, the keystore is updated with the new certificates. A Deploy Full Configuration is necessary after those services are restarted.
  3. Stop the services, clear out the tomcat cache and restart the services. 
    systemctl stop hostcontext tomcat hostservices; rm -rf /opt/tomcat/work/Catalina; systemctl restart conman traefik docker; systemctl daemon-reload; systemctl start hostservices tomcat hostcontext; $(locate wait_for_start.sh | tail -1)
    Note: The provided command stops the application framework services hostcontext, tomcat, and hostservices; removes the Catalina directory, where the Tomcat cache is stored; restarts conman, traefik, and docker; starts the stopped services again; and then runs wait_for_start.sh. The Tomcat cache is rebuilt automatically when the services start, so removing /opt/tomcat/work/Catalina is safe.
  4. If an AppHost is connected to the deployment, stop and start the following services on the AppHost.
    ssh <apphost>
    systemctl stop hostcontext hostservices; systemctl restart conman traefik docker; systemctl daemon-reload; systemctl start hostservices hostcontext; $(locate wait_for_start.sh | tail -1)
  5. To apply the changes to all appliances, you must complete a Deploy Full Configuration from the Console. For more information, see QRadar: Impact of Deploy Full Configuration on events, flows, and offenses.
    • Open the console UI by navigating to https://<ip-address>/console.
    • Log in to the QRadar console as an administrator.
    • Click the Admin tab.
    • Click Advanced > Deploy Full Configuration.
    • When prompted, click Continue.
    Results
    After the Deploy Full Configuration completes, the deployment is ready to use the new certificates.
    A list of certificates that are changed as a result of this process looks similar to the following: 
    /etc/httpd/conf/certs/cert.cert
    /etc/conman/tls/conman_ca.crt
    /etc/conman/tls/conman.cert
    /etc/tomcat/tls/conman/tomcat-client-conman.cert
    /etc/docker-distribution/tls/docker-distribution_ca.crt
    /etc/docker-distribution/tls/docker-distribution.cert
    /etc/docker/tls/registry/docker-client-registry.cert
    /opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML_ca.crt
    /opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML.crt
    /etc/docker/tls/si-docker_ca.crt
    /etc/docker/tls/si-docker.cert
    /etc/traefik/tls/docker/traefik-client-docker.cert
    /etc/traefik/tls/traefik_ca.crt
    /etc/traefik/tls/traefik.cert
    /etc/tomcat/tls/traefik/tomcat-client-traefik.cert
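The following helper is an added example and is not part of the IBM article or of QRadar. It wraps two points of the procedure above: the CertSkip edit from step 2, written as a function so it can be tried on a copy of httpd.json and its result verified before the rm -rf of /opt/qradar/ca/certs is run, and an openssl expiry check over the certificate files listed under Results, which is worth running before the reset (to confirm which certificates have actually expired) and again after the Deploy Full Configuration (to confirm the replacements). The function names, the use of this page's file list as the default, the availability of openssl on the Console, and the assumption that the CertSkip key sits on its own line in httpd.json (which the page's own sed expression, reused here unchanged, also relies on) are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the IBM article. Helper functions around the
# QRadar certificate-reset procedure. Assumptions: the file paths are the
# ones named on this page, openssl is installed on the Console, and the
# "CertSkip" key sits on its own line in httpd.json (the page's own sed
# expression, reused here unchanged, relies on the same thing because its
# ".*" is greedy and would otherwise run to the last quote on the line).

# set_cert_skip <httpd.json> <true|false>
# Applies the step-2 edit to the given file and confirms the new value, so
# the key is known to be correct before any certificate files are deleted.
set_cert_skip() {
    conf="$1"; value="$2"
    case "$value" in
        true|false) ;;
        *) echo "set_cert_skip: value must be true or false, got '$value'" >&2; return 2 ;;
    esac
    [ -w "$conf" ] || { echo "set_cert_skip: cannot write $conf" >&2; return 2; }
    sed -e "s@\"CertSkip\":[ \t]*\".*\"@\"CertSkip\":\"${value}\"@" -i "$conf"
    # Fail if the key does not now hold the requested value.
    [ "$(get_cert_skip "$conf")" = "$value" ]
}

# get_cert_skip <httpd.json>
# Prints the current CertSkip value (empty if the key is absent).
get_cert_skip() {
    sed -n 's/.*"CertSkip":[ \t]*"\([^"]*\)".*/\1/p' "$1"
}

# Certificate files this page lists as replaced by the reset; used when
# check_cert_expiry is called without explicit files.
QRADAR_CERTS="/etc/httpd/conf/certs/cert.cert
/etc/conman/tls/conman_ca.crt
/etc/conman/tls/conman.cert
/etc/tomcat/tls/conman/tomcat-client-conman.cert
/etc/docker-distribution/tls/docker-distribution_ca.crt
/etc/docker-distribution/tls/docker-distribution.cert
/etc/docker/tls/registry/docker-client-registry.cert
/opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML_ca.crt
/opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML.crt
/etc/docker/tls/si-docker_ca.crt
/etc/docker/tls/si-docker.cert
/etc/traefik/tls/docker/traefik-client-docker.cert
/etc/traefik/tls/traefik_ca.crt
/etc/traefik/tls/traefik.cert
/etc/tomcat/tls/traefik/tomcat-client-traefik.cert"

# check_cert_expiry <days> [cert ...]
# Prints one line per certificate and returns non-zero if any file is
# missing, unreadable, or expires within <days> days (openssl -checkend
# semantics: exit 0 means the certificate is still valid after that period).
check_cert_expiry() {
    days="$1"; shift
    [ $# -gt 0 ] || set -- $QRADAR_CERTS
    secs=$((days * 86400)); rc=0
    for cert in "$@"; do
        if [ ! -r "$cert" ]; then
            printf '%-60s MISSING\n' "$cert"; rc=1; continue
        fi
        end=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
        if openssl x509 -in "$cert" -noout -checkend "$secs" >/dev/null 2>&1; then
            printf '%-60s ok, valid until %s\n' "$cert" "$end"
        else
            printf '%-60s EXPIRES within %s days (%s)\n' "$cert" "$days" "$end"; rc=1
        fi
    done
    return $rc
}
```

Typical use on the Console: `. ./certcheck.sh; check_cert_expiry 30` before starting the procedure to see which of the listed files are already expired or close to it, `set_cert_skip /opt/qradar/ca/conf.d/httpd.json false` (or `true` for a custom CA) in place of the bare sed in step 2, and `check_cert_expiry 30` again after the Deploy Full Configuration to confirm that every listed file now has a fresh validity period.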

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSV4BL","label":"IBM QRadar"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.4.0;7.5.0"}]

Document Information

Modified date:
06 December 2023

UID

ibm16989385