IBM Support

QRadar: Manually creating syslog-tls.keystore entries using custom Intermediate Certificates

Question & Answer


Question

How do you create a syslog-tls.keystore by using a custom Intermediate Certificate?

Answer

Procedure to create a custom syslog-tls.keystore.

Files and values required to create a custom keystore:

  • ca.crt - PEM file of CA cert
  • ia.crt - PEM file of intermediate cert
  • Server.crt - PEM file of server cert
  • Server.key - PEM key of server cert
  • export password - syslog-tls

    1. Create a PEM file that contains the CA and Intermediate certificates.
    cat ca.crt ia.crt > ca_certs.pem

    2. Convert the server certificate and key to a PKCS#12 file that includes the combined CA and Intermediate certificates.
    openssl pkcs12 -chain -CAfile ca_certs.pem -certfile ia.crt -export -out Server.p12 -in Server.crt -inkey Server.key

    3. If the old syslog-tls alias is present in the keystore, delete it by using the keytool command.
    keytool -delete -alias syslog-tls -keystore /opt/qradar/conf/syslog-tls.keystore -storepass syslog-tls

    4. Verify that the keystore alias has been removed.
    keytool -list -v -keystore /opt/qradar/conf/syslog-tls.keystore

    a. When prompted, enter the keystore password syslog-tls.
    b. If the alias was removed, a message similar to the following is displayed.
      Keystore type: jks
      Keystore provider: IBMJCE
      Your keystore contains 0 entries

    5. Import the PKCS#12 file into /opt/qradar/conf/syslog-tls.keystore.
    keytool -v -importkeystore -srckeystore Server.p12 -srcstoretype PKCS12 -destkeystore /opt/qradar/conf/syslog-tls.keystore -deststoretype JKS
    a. When prompted, enter the destination keystore password syslog-tls.
    b. Re-enter the destination keystore password syslog-tls.
    c. Enter the source keystore password syslog-tls.
      On completion, the output should look similar to this:
      Entry for alias 1 successfully imported.
      Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
      [Storing /opt/qradar/conf/syslog-tls.keystore]

    6. Rename the alias '1' to 'syslog-tls'.
    keytool -changealias -keystore /opt/qradar/conf/syslog-tls.keystore -alias 1 -destalias syslog-tls
    When prompted, enter the keystore password syslog-tls.

    7. Verify the keystore certificate chain.
    keytool -list -v -keystore /opt/qradar/conf/syslog-tls.keystore
    When prompted, enter the keystore password syslog-tls. The entry should be named syslog-tls and show a certificate chain length of 3 (server, intermediate, and CA), as in the following output:

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry
    Alias name: syslog-tls
    Creation date: 24-Mar-2017
    Entry type: PrivateKeyEntry
    Certificate chain length: 3
    Certificate[1]:
    Owner: CN=172.16.192.204, OU=QRadar, O=IBM, L=, ST=, C=CA
    Issuer: OU=IBM Qradar Intermediate CA, O=IBM, L=, ST=, C=CA
    Serial number: 1
    Valid from: Fri Mar 24 08:48:52 ADT 2017 until: Sun Mar 24 08:48:52 ADT 2019
    Certificate fingerprints:

    MD5:44:63:08:4B:06:D1:D9:1B:1E:C9:F1:D0:0E:50:77:84
    SHA1: 06:0B:EA:64:A9:E5:90:E2:B3:FC:B6:2A:FD:F6:CF:7F:E9:00:1A:45
    SHA256: 63:C8:29:C1:EA:0C:B8:0C:4C:A7:3B:B4:78:90:D4:A4:2C:3A:B8:10:C4:A9:E3:91:94:C1:12:5F:00:3F:EF:AD
    Signature algorithm name: SHA1withRSA
    Version: 1
    Certificate[2]:
    Owner: OU=IBM Qradar Intermediate CA, O=IBM, L=, ST=, C=CA
    Issuer: OU=IBM QRadar CA, O=IBM, L=, ST=, C=CA
    Serial number: 1
    Valid from: Fri Mar 24 08:42:19 ADT 2017 until: Sun Mar 24 08:42:19 ADT 2019
    Certificate fingerprints
    MD5: 6C:1F:07:34:AE:23:C2:F1:8F:3B:51:C0:F8:F7:5D:3F
    SHA1: CD:31:B4:92:0A:9E:53:80:B7:47:0E:B9:95:41:19:FC:BD:93:EB:DF
    SHA256: DA:4C:90:F7:29:5C:73:D9:16:28:94:81:F1:68:FB:48:6F:CB:63:5C:46:D7:09:51:A4:BB:FF:D0:90:A5:B8:43
    Signature algorithm name: SHA1withRSA
    Version: 1
    Certificate[3]:
    Owner: OU=IBM QRadar CA, O=IBM, L=, ST=, C=CA
    Issuer: OU=IBM QRadar CA, O=IBM, L=, ST=, C=CA
    Serial number: e74ea5cdc50ab556
    Valid from: Fri Mar 24 08:42:10 ADT 2017 until: Thu Mar 24 08:42:10 ADT 2022
    Certificate fingerprints:
    MD5: 21:1F:AA:08:12:2A:FC:E2:6F:C6:62:3F:91:FE:2B:8B
    SHA1: AC:76:6E:52:C0:BE:98:EA:E8:ED:0C:49:40:36:BF:B7:62:24:E3:F8
    SHA256: 0D:6B:6C:02:A2:5C:D0:C8:0C:AB:F0:28:70:4D:DD:5B:F8:F9:B6:82:34:84:DB:7A:A9:88:9A:9C:5A:9A:A1:03
    Signature algorithm name: SHA1withRSA
    Version: 3

    8. Log in to the QRadar User Interface.

    9. Click the Admin tab, then click the Log Sources icon.

    10. Locate your TLS Syslog Source.

    11. Click Disable, then click Enable, so that the log source restarts and loads the new keystore.


Results: You can now use your TLS Syslog log source with your new syslog-tls.keystore.
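The following shell function is an added check and is not part of the IBM procedure: it parses the `keytool -list -v` output from step 7 and confirms that the keystore holds exactly one PrivateKeyEntry named syslog-tls with the full three-certificate chain linked in order (server, intermediate, self-signed CA), which is what the log source needs to present the intermediate to TLS clients. The two sample dumps are constructed from the output format shown above, and the function name check_syslog_tls_keystore is an assumption.

```shell
# Added example (not from the IBM page): validate a `keytool -list -v` dump of
# /opt/qradar/conf/syslog-tls.keystore before re-enabling the TLS Syslog log source.
# Live use: keytool -list -v -keystore /opt/qradar/conf/syslog-tls.keystore \
#             -storepass syslog-tls | check_syslog_tls_keystore
# Exit 0 only for one PrivateKeyEntry named syslog-tls whose 3-certificate chain
# links leaf -> intermediate -> self-signed CA; otherwise print the first defect.
check_syslog_tls_keystore() {
    awk '
    /^[ \t]*Your keystore contains/    { entries = $4 }
    /^[ \t]*Alias name:/               { alias = $3 }
    /^[ \t]*Entry type:/               { etype = $3 }
    /^[ \t]*Certificate chain length:/ { chain = $4 }
    /^[ \t]*Owner:/  { sub(/^[ \t]*Owner: /, "");  owner[++no] = $0 }
    /^[ \t]*Issuer:/ { sub(/^[ \t]*Issuer: /, ""); issuer[++ni] = $0 }
    END {
        if (entries + 0 != 1) { print "expected 1 entry, keystore reports " entries; exit 1 }
        if (alias != "syslog-tls") { print "alias is " alias ", expected syslog-tls (step 6 skipped?)"; exit 1 }
        if (etype != "PrivateKeyEntry") { print "entry type " etype ": private key not imported"; exit 1 }
        if (chain + 0 != 3) { print "chain length " chain ", expected 3: CA or intermediate missing"; exit 1 }
        for (i = 1; i < no; i++) if (issuer[i] != owner[i+1]) { print "chain break after certificate " i; exit 1 }
        if (issuer[no] != owner[no]) { print "chain does not end in a self-signed CA"; exit 1 }
        print "keystore OK: alias " alias ", chain length " chain
    }'
}
# Constructed sample dumps modelled on the page's keytool output (not from a live system).
GOOD_DUMP='Your keystore contains 1 entry
Alias name: syslog-tls
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=172.16.192.204, OU=QRadar, O=IBM, L=, ST=, C=CA
Issuer: OU=IBM Qradar Intermediate CA, O=IBM, L=, ST=, C=CA
Certificate[2]:
Owner: OU=IBM Qradar Intermediate CA, O=IBM, L=, ST=, C=CA
Issuer: OU=IBM QRadar CA, O=IBM, L=, ST=, C=CA
Certificate[3]:
Owner: OU=IBM QRadar CA, O=IBM, L=, ST=, C=CA
Issuer: OU=IBM QRadar CA, O=IBM, L=, ST=, C=CA'
# Same export with -chain/-CAfile omitted and step 6 (changealias) skipped.
BAD_DUMP='Your keystore contains 1 entry
Alias name: 1
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=172.16.192.204, OU=QRadar, O=IBM, L=, ST=, C=CA
Issuer: OU=IBM Qradar Intermediate CA, O=IBM, L=, ST=, C=CA'
check_good() { printf '%s\n' "$GOOD_DUMP" | check_syslog_tls_keystore; }
check_bad()  { printf '%s\n' "$BAD_DUMP"  | check_syslog_tls_keystore; }
```

Run the check before step 11: a chain length of 1 means clients that do not already trust the intermediate will fail the TLS handshake once the log source is enabled.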



Document Information

Modified date:
16 June 2018

UID

swg22010606