SSL Certificates
Secure Sockets Layer (SSL) is an industry standard security protocol is used by websites to protect online transactions. It provides communication privacy so that client/server applications can communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery. To generate an SSL link, a web server requires an SSL certificate. SSL certificates are issued by internal or trusted third-party certifying authorities.
Browsers and operating systems include a preinstalled list of trusted certificates, which are installed in the Trusted Root Certification authorities store.
Self-signed certificates - A self-signed certificate provides basic security, enabling data encryption between the user and the application. Because self-signed certificates cannot be authenticated by any existing known root certificate authorities, users are warned about this unknown certificate and must accept it to proceed.
Internal CA signed certificates - Organizations that have their own internal root certificate authority (CA) can create a certificate by using that internal CA. This certificate is supported by JSA, and the internal root CA is also imported into the JSA environment.
Public CA / Intermediate CA signed - Certificates that are signed by known public CAs and intermediate certificates are supported by JSA.
Public signed certificates can be used directly in JSA, and certificates that are signed with Intermediate CA are installed by using both the signed certificate and the intermediate certificate to provide valid certificate functions.
An intermediate certificate is commonly used by organizations that create multiple SSL keys in their environment, and want to have them signed by a known commercial certificate vendor. When they use the intermediate key, they can then create sub-keys from this intermediate key. When this configuration is used,JSA must be configured with both the intermediate certificate and the host SSL certificate so that connections to the host can verify the full certificate path.
SSL Connections Between JSA Components
To establish all internal SSL connections between components, JSA uses the web server certificate that is preinstalled on theJSA Console.
All trusted certificates for JSA must meet the following requirements:
The certificate must be an X.509 certificate and have PEM base64 encoding.
The certificate must have a
.cert,.crt,.pem, or .der file extension.Keystore files that contain certificates must have the
.truststorefile extension.The certificate file must be stored in the /opt/qradar/conf/trusted_certificates directory.
Creating an SSL Certificate Signing Request with 2048-bit RSA Keys
Use SSH to log in to the JSA Console.
Generate a private key file by using the following command:
openssl genrsa -out qradar.key 2048Note:Do not use the private encryption options, because they can cause compatibility issues.
The qradar.key file is created in the current directory. Keep this file to use when you install the certificate.
Generate the certificate signing request (CSR) file.
The
qradar.csrfile is used to create the SSL Certificate, with an internal CA or commercial certificate authorities. Run the following command, and provide necessary information as prompted:openssl req -new -key qradar.key -out qradar.csrExample output:
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:US State or Province Name (full name) []:MyState Locality Name (eg, city) [Default City]:MyCity Organization Name (eg, company) [Default Company Ltd]:MyCompany Organizational Unit Name (eg, section) []:MyCompanyOrg Common Name (eg, your name or your server’s hostname) []:qradar.mycompany.com Email Address []:username@example.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
If you want to verify the information in the CSR before you send it, type the following command:
openssl req -noout -text -in qradar.csr
If incorrect information was entered, run the OpenSSL command again to re-create the CSR file.
Use the Secure File Transfer Protocol or another program to securely copy the CSR file to your computer.
Submit the CSR to your internal or commercial certificate authority for signing according to their instructions.
Note:The CSR is identified as a certificate in Apache format.
Creating a Multi-Domain (SAN) SSL Certificate Signing Request
Use SSH to log in to the JSA Console.
Create and save a
sancert.confconfiguration file containing the following information:[ req ] default_bits = 2048 # RSA key size encrypt_key = no # Protect private key default_md = sha256 # MD to use utf8 = yes # Input is UTF-8 string_mask = utf8only # Emit UTF-8 strings prompt = no # Prompt for DN distinguished_name = server_dn # DN template req_extensions = server_reqext # Desired extensions [ server_dn ] countryName = <country_or_region_code> # ISO 3166 stateOrProvinceName = <state_or_province> localityName = <city_or_locality> organizationName = <organization_name> organizationalUnitName = <organizational_unit_name commonName = <common_name> # Should match a SAN under alt_names [ server_reqext ] basicConstraints = CA:FALSE keyUsage = critical,digitalSignature,keyEncipherment extendedKeyUsage = serverAuth subjectKeyIdentifier = hash subjectAltName = @alt_names [alt_names] DNS.1 = qradar.example.com #Example DNS.2 = console.example.com #Example IP.3 = 192.0.2.0 #ExampleGenerate a private key and public certificate signing request (CSR) pair by using the following command:
openssl req -new -nodes -sha256 -out <csr_filename>.csr -config sancert.conf -keyout <privatekey_filename>.keyThe CSR file is used to create the SSL certificate, with either an internal CA or commercial certificate authorities The key file is created in the current directory. Keep this file to use when you install the certificate.
If you want to verify the information in the CSR before you send it, type the following command:
openssl req -noout -text -in <csr_filename>.csrIf incorrect information was entered, update the
sancert.confconfiguration file and do 3 again.Use the Secure File Transfer Protocol or another program to securely copy the CSR file to your computer.
Submit the CSR to your internal or commercial certificate authority for signing, according to their instructions.
Note:The CSR is identified as a certificate in Apache format.
Using Certificates That are Signed by an Internal Certificate Authority
If the certificate is issued by an internal certificate authority and not a commercial certificate provider, JSA must be updated to include the internal root certificate into the local certificate store for proper certificate validation. Root verification certificates are automatically included with the operating system.
Follow these steps to update the trust anchors root certificate store in RHEL on the JSA console and all JSA hosts.
Copy the CA's root certificate to /etc/pki/ca-trust/source/anchors/ on the JSA console.
Run the following commands at the SSH command line on the console:
/opt/qradar/support/all_servers.sh -p /etc/pki/ca-trust/source/anchors/<root_certificate> - r /etc/pki/ca-trust/source/anchors/opt/qradar/support/all_servers.sh -C update-ca-trust
Installing a New SSL Certificate
By default, JSA is configured with a Security Sockets Layer (SSL) certificate that is signed by an internal CA. When you log in to the Console for the first time, you are prompted with a warning message that your connection is not secure or is not private. You can replace the SSL certificate with your own selfsigned certificate, a private certificate authority (CA) signed certificate, or a public CA signed certificate.
You must have the following information:
The newly signed SSL CertificateFilefrom either your internal CA, or a public one.
The
qradar.keyprivate key to generate the CSR file.An intermediate certificate, if used by your certificate provider.
Note:If an intermediate certificate is used, run the install-ssl-cert.sh command with the -i flag to install both the new certificate and the intermediate certificate. When used, it prompts for three file paths:
SSLCertifficateFileSSLIntermediateCertificateFileSSLCertificateKeyFile
If you use a DER certificate, you must convert it to a PEM certificate by typing the following command line:
openssl x509 -in <cert>.der -inform der -outform
pem -out <cert>.pem
Use SSH to log in to the JSA Console as the root user. Install the certificate by entering the following command:
/opt/qradar/bin/install-ssl-cert.shAt the Path to Public Key File (SSLCertificateFile) prompt, enter the path to the Public Key File. For example:
/root/new.certs/cert.cert
At the Path to Private Key File (SSLCertificateKeyFile) prompt, enter the path to the Private Key File. For example:
/root/new.certs/qradar.key
Example output:
You have specified the following: SSLCertificateFile of /root/updated.certs/cert.cert SSLCertificateKeyFile of /root/updated.certs/qradar.key Re-configure Apache now (includes restart of httpd) (Y/[N])? y Backing up current SSL configuration ... (OK) Installing user SSL certificate ... (OK) Reloading httpd configuration: - Restarting httpd service ... (OK) Restarting services: - Stopping hostcontext ... (OK) - Restarting Tomcat ... (OK) - Starting hostcontext ... (OK) Updating deployment: - Copying certificate to managed hosts * 192.0.2.0 ...... (OK) - Restarting hostcontext on managed hosts * 192.0.2.0 ...... (OK) The event collection service must be restarted if WinCollect is used in your environment. Restart the event collection service now (y/[n])? y - Restarting ecs-ec-ingress on managed hosts * 192.0.2.0 ...... (OK) - Restarting ecs-ec-ingress on console ... (OK) Fri Jan 17 10:33:42 EST 2020 [install-ssl-cert.sh] OK: Install SSL Cert Completed [root@qavm215 ~]#
Note:Data collection for events and flows stops while services are restarted.
If you are installing a certificate that was not generated by JSA or reinstalling an overwritten certificate that was not generated by JSA, do the following:
Disable the CA framework from automatically replacing the certificate. Run the following command to disable the certificate check so that JSA does not overwrite the certificate:
sed -e "s@\"CertSkip\":[ \t]*\".*\"@\"CertSkip\": \"true\"@" -i /opt/qradar/ca/conf.d/httpd.jsonDisable the certificate monitoring through modifying the /opt/qradar/ca/conf.d/httpd.json with the line
"CertMonitorThreshold": 0
If the install-ssl-cert.sh script
finished with the OK: Install SSL Cert Completed message,
then the certificate was installed successfully. If you answered y
(yes) to the prompt to reconfigure Apache, then you're done. Otherwise,
you must deploy the full configuration. On the navigation menu, click Admin, then click Advanced > Deploy Full Configuration.
Reverting to Certificates that are Generated by the JSA Local CA
If you have issues with your certificate, such as an incorrect name or IP address, the expiration date passed, or the IP or hostname on your console changed, follow these steps to generate certificates that are signed by the JSA local certificate authority.
-
Back up the certificates that were installed previously that are not working.
Existing certificates are detected and reported when you run certificate generation, which can cause the generation process to stop.
mkdir /root/backup.certs/cp /etc/httpd/conf/certs/cert.* /root/backup.certs/ Update the following items in the /opt/qradar/ca/conf.d/httpd.json file:
Set CertMonitorThreshold back to its original value. If the original value is not known, remove from the file so that the defaults are used.
Set CertSkip to false.
Run the /opt/qradar/ca/bin/install_qradar_ssl_cert.sh command to generate new certificates.