Environment
CentOS Stream release 9 minimal
DLC 1.8.4-1
On-premises QRadar 7.5.0
Overview diagram
Partly to improve my own understanding, I drew the certificate relationships, which are hard to follow, as a diagram.
Installing CentOS
SELinux is disabled on the kernel command line because the DLC scripts assume it is off (see the pfx step later). The setting takes effect at the next reboot; only after that does getenforce report Disabled. Bear in mind that this removes SELinux confinement from a host that will accept syslog from many devices.
[root@dlc ~]# grubby --update-kernel ALL --args 'selinux=0'
[root@dlc ~]# getenforce
Disabled
Make sure you have an IBMid before going through the steps below.
Downloading the DLC
Searching for "IBM Fix Central" in Google or similar brings you to the site.
Search for the product as follows.
Click Continue.
Click DLC.
The DLC installer is listed.
Files can also be downloaded over FTPS/SFTP or HTTPS, but those transfers sometimes time out, so downloading with Download Director is recommended.
Downloading Java
Search for Java on the IBM support page.
Click the installable package ibm-java-x86_64-sdk-8.0-8.15.x86_64.rpm.
Working on the DLC host
Upload the downloaded DLC and Java rpm files to the Linux host with WinSCP or similar.
Installing Java on CentOS
[root@dlc ~]# rpm -ivh ibm-java-x86_64-sdk-8.0-8.15.x86_64.rpm
Verifying... ################################# [100%]
Preparing... ################################# [100%]
Updating / installing...
1:ibm-java-x86_64-sdk-8.0-8.15 ################################# [100%]
Installing the DLC on CentOS
The NOKEY warning in the output below means rpm could not verify the package signature because IBM's signing key is not in the rpm keyring; rpm installs the package anyway. To actually verify the download, import IBM's package signing key with rpm --import and run rpm -K on the file before installing. Note also that the install scriptlet creates the DLC instance ID and the master keystore (MKS) and enables the service at this point.
[root@dlc ~]# rpm -ivh dlc-service-1.8.4-1.noarch.rpm
warning: dlc-service-1.8.4-1.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID 322ccbc5: NOKEY
Verifying... ################################# [100%]
Preparing... ################################# [100%]
Updating / installing...
1:dlc-service-0:1.8.4-1 ################################# [100%]
The DLC Instance ID: 16f3dec8-d5ac-4d34-9810-e559d5ccae17
Generating ...
Finished generating ...
Creating keystore copy ...
Re-keying ...
Processing PROPERTIES config group
All keys updated with new MKS, rekey has finished.
Finished creating keystore copy ...
redhat_release: CentOS Stream release 9
Cleaning up
Created symlink /etc/systemd/system/multi-user.target.wants/dlc.service → /usr/lib/systemd/system/dlc.service.
DLC verion:1.8.4 is installed and running as a service
Disconnected Log Collector uses incoming and outgoing ports that must be open in the firewalld service daemon. See the Disconnected Log Collector Guide for information about port usage.
Configuring the CentOS firewall rules
Port 514 is opened and forwarded to 1514, the port the DLC itself listens on, so the collector does not need to bind the privileged port 514. The listing at the end also shows 514/udp, which was opened the same way (that command is not shown here).
[root@dlc ~]# firewall-cmd --zone=public --add-port=514/tcp --permanent
success
[root@dlc ~]# firewall-cmd --zone=public --add-forward-port=port=514:proto=tcp:toport=1514 --permanent
success
[root@dlc ~]# firewall-cmd --reload
success
[root@dlc ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192
sources:
services: cockpit dhcpv6-client ssh
ports: 514/udp 514/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
port=514:proto=tcp:toport=1514:toaddr=
source-ports:
icmp-blocks:
rich rules:
[root@pps0309 ~]#
Creating the certificate authority configuration file
The CA is built with the openssl that ships with the OS.
Create a directory to hold the files created for the CA.
[root@dlc ~]# mkdir -p /rootCA
Set the permissions so that only root can access it.
[root@dlc ~]# chmod 700 /rootCA
Copy the stock openssl.cnf.
[root@dlc ~]# cp /etc/pki/tls/openssl.cnf /rootCA/openssl-ca.cnf
Change to that directory.
[root@dlc ~]# cd /rootCA
Customize openssl.cnf (now openssl-ca.cnf). Certificates issued by the CA will be valid for 10 years.
[root@dlc ~]# vi openssl-ca.cnf
Do not paste the following in as-is; compare it against the file and apply the differences.
- is the line before the change, + the line after.
Replace the example values with your own.
Two things to know about how openssl ca uses this file. First, the extensions of every certificate it issues come from [ usr_cert ] (the default x509_extensions), not from the CSR; extensions requested in a CSR, such as a subjectAltName, are ignored unless copy_extensions = copy is set in [ CA_default ]. Second, the subject of an issued certificate keeps only the fields listed in the policy section, so a field missing from it (localityName in this file) is silently dropped. Both effects are visible in the certificates signed below.
[ CA_default ]
- dir = /etc/pki/CA
+ dir = /rootCA
- #unique_subject = no
+ unique_subject = no
- default_days = 365
+ default_days = 3650
[ policy_match ]
- countryName = match
+ countryName = optional
- stateOrProvinceName = match
+ stateOrProvinceName = optional
- organizationName = match
+ organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
countryName = Country Name (2 letter code)
- countryName_default = XX
+ countryName_default = JP ← country code
stateOrProvinceName = State or Province Name (full name)
- #stateOrProvinceName_default = Default Province
+ stateOrProvinceName_default = Tokyo ← state or prefecture
localityName = Locality Name (eg, city)
localityName_default = Default City
0.organizationName = Organization Name (eg, company)
- 0.organizationName_default = Default Company Ltd
+ 0.organizationName_default = Example Ltd ← company name or similar (keep the 0. prefix, otherwise the default is not picked up)
organizationalUnitName = Organizational Unit (eg, division)
- #organizationalUnitName_default =
+ organizationalUnitName_default = operation ← department or similar
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default =
emailAddress = Email Address
emailAddress_default =
[req]
- #req_extensions = v3_req
+ req_extensions = v3_req
[ usr_cert ]
# add the following 5 lines if they are absent
+ basicConstraints=CA:FALSE
+ keyUsage = digitalSignature, keyAgreement
+ extendedKeyUsage =clientAuth,serverAuth
+ subjectKeyIdentifier=hash
+ authorityKeyIdentifier=keyid,issuer
[ v3_req ]
# add the following 3 lines if they are absent
+ extendedKeyUsage = clientAuth,serverAuth
+ basicConstraints = CA:FALSE
+ keyUsage = digitalSignature, keyAgreement
[ v3_ca ]
# add the following 4 lines if they are absent
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer
+ basicConstraints = critical, CA:true
+ keyUsage = keyCertSign, cRLSign
Create the CA database file. It is updated every time a certificate is signed.
[root@xxx rootCA]# touch index.txt
Seed the serial file with '01'. openssl ca increments it itself after each signature, so the next certificate gets 02.
[root@xxx rootCA]# echo '01' > serial
Create the directory in which newly issued certificates are stored.
[root@xxx rootCA]# mkdir -p /rootCA/newcerts
Root certificate
Create the CA private key. The passphrase is needed only for signing, but record it somewhere safe; without it no further certificates can be issued.
[root@dlc rootCA]# openssl genrsa -des3 -out ./rootCA.key 2048
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Restrict the permissions so that only root can read it (600 would be enough for a key file; the execute bit is unnecessary).
[root@dlc rootCA]# chmod 700 rootCA.key
Check the contents of the private key.
[root@dlc rootCA]# openssl rsa -text -noout -in rootCA.key
Enter pass phrase for rootCA.key:
Private-Key: (2048 bit, 2 primes)
Create the root certificate. This file is already in PEM format; it is copied to QRadar later. With -days 36500 the root is valid for 100 years, while the certificates it issues get default_days (10 years) from the config file.
The defaults from openssl-ca.cnf appear at each prompt, so you can press Enter through them. It is worth giving the CA a Common Name (for example Example Root CA) so the issuer is identifiable; in the transcript below it was left empty, which is why the Issuer line of the signed certificates has no CN.
[root@dlc rootCA]# openssl req -new -x509 -days 36500 -sha256 -key ./rootCA.key -out ./rootCA.crt -config /rootCA/openssl-ca.cnf
Enter pass phrase for ./rootCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [TOKYO]:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Example Ltd]:
Organizational Unit Name (eg, section) [operation]:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Confirm that the following files now exist.
[root@dlc rootCA]# ls
index.txt newcerts openssl-ca.cnf rootCA.crt rootCA.key serial
Creating the CSR
Change to the CA directory.
[root@dlc rootCA]# cd /rootCA
Run the script bundled with the DLC to create the client CSR. The script fills in the DLC instance ID as the Common Name and requests clientAuth only.
[root@dlc rootCA]# /opt/ibm/si/services/dlc/current/script/generateCertificate.sh -csr -2k
Enter 2-letter Country Code:JP
Enter State or Province Name:TOKYO
Enter City Name:Chuoku
Enter Organization Name:example ltd
Enter Organization Unit Name:operation
csrcontent=[ req ]
default_bits = 2048 # RSA key size
encrypt_key = no # Protect private key
default_md = sha256 # MD to use
utf8 = yes # Input is UTF-8
string_mask = utf8only # Emit UTF-8 strings
prompt = no # Prompt for DN
distinguished_name = client_dn # DN template
req_extensions = client_reqext # Desired extensions
[ client_dn ]
countryName = 'JP'
stateOrProvinceName = 'TOKYO'
localityName = 'Chuoku'
organizationName = 'example ltd'
organizationalUnitName = 'operation'
commonName = 'a7a4bfb5-5c57-42b1-81af-801695091793'
[ client_reqext ]
keyUsage = critical,digitalSignature,keyAgreement
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
.....+...+..+....+.....+......+.......+.....+.+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+............+...+.....+....+...+.....+.+.....+.........+.+..+...+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+...+....+........+....+.....+...+...+.......+...+.....+....+...+...+..+......+......+....+.....+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
...+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+...+...............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+.........+......+......+..+..................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
CSR file created: /opt/ibm/si/services/dlc/keystore/a7a4bfb5-5c57-42b1-81af-801695091793/dlc-client.csr
Copy the generated dlc-client.csr into the CA directory.
<UUID> is the DLC instance ID, which differs per installation; in this example it is a7a4bfb5-5c57-42b1-81af-801695091793.
[root@dlc rootCA]# cp /opt/ibm/si/services/dlc/keystore/<UUID>/dlc-client.csr /rootCA
Sign the client CSR created by the DLC with the CA.
[root@dlc rootCA]# openssl ca -in dlc-client.csr -keyfile /rootCA/rootCA.key -cert /rootCA/rootCA.crt -out dlc-client.crt -config /rootCA/openssl-ca.cnf
Using configuration from /rootCA/openssl-ca.cnf
Enter pass phrase for /rootCA/rootCA.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 16 01:26:22 2024 GMT
Not After : Feb 13 01:26:22 2034 GMT
Subject:
countryName = JP
stateOrProvinceName = TOKYO
organizationName = example ltd
organizationalUnitName = operation
commonName = a7a4bfb5-5c57-42b1-81af-801695091793
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Agreement
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Key Identifier:
45:11:6A:38:0A:02:E1:A3:40:1B:A5:C3:02:91:45:5E:40:B9:90:28
X509v3 Authority Key Identifier:
C0:70:5B:61:B6:79:A7:AE:8F:67:B1:2E:B5:1E:EF:8C:90:B3:EB:B3
Certificate is to be certified until Feb 13 01:26:22 2034 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
The dlc-client.crt written by openssl ca is PEM preceded by a human-readable dump of the certificate. The two conversions below only strip that dump; a single openssl x509 -in dlc-client.crt -out dlc-client.pem (or -notext on the openssl ca command) has the same effect.
Convert the crt file to DER.
[root@dlc rootCA]# openssl x509 -in dlc-client.crt -out dlc-client.der -outform DER
Convert the DER file back to PEM.
[root@dlc rootCA]# openssl x509 -in dlc-client.der -inform DER -out dlc-client.pem -outform pem
Check that the signed certificate can be displayed. In the output, note that the Extended Key Usage has both clientAuth and serverAuth although the CSR asked for clientAuth only (it comes from [ usr_cert ]), and that the localityName entered into the CSR is missing from the Subject (dropped by the policy section).
[root@dlc rootCA]# openssl x509 -text -noout -in dlc-client.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = JP, ST = TOKYO, L = Default City, O = Example Ltd, OU = operation
Validity
Not Before: Feb 16 01:26:22 2024 GMT
Not After : Feb 13 01:26:22 2034 GMT
Subject: C = JP, ST = TOKYO, O = example ltd, OU = operation, CN = a7a4bfb5-5c57-42b1-81af-801695091793
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e5:82:f6:69:6d:57:26:26:8a:e5:72:44:77:27:
ea:88:81:c5:b3:fa:57:e7:c9:f0:ef:0a:2f:ba:dc:
83:33:70:eb:b3:bb:3f:71:34:e7:d4:15:1a:2a:51:
f7:9f:a2:71:a5:8a:fd:93:ca:98:c2:4b:ae:13:63:
be:6e:6e:bd:7a:ee:8f:bf:97:e9:a2:66:39:cc:e3:
b7:65:c2:1e:64:d1:48:1e:38:14:ab:51:2e:9b:18:
f2:e1:f3:27:82:c9:f3:02:8f:37:37:e7:7a:45:c6:
35:f5:f2:ed:12:58:2e:28:83:23:07:4d:4b:4e:da:
a9:42:2e:10:8f:18:a2:2e:1c:99:3c:c6:5f:9d:fe:
8b:eb:ce:f8:f1:9a:f2:5c:71:da:df:e3:fa:d7:c3:
1e:6f:71:c4:b2:2e:29:c4:94:3f:7f:65:a6:90:fc:
b1:89:36:4f:8c:fc:49:09:23:81:c5:22:75:bc:b3:
f9:81:38:f1:f4:91:53:89:4b:20:f1:e4:13:d7:c7:
bd:b2:81:1c:1e:bf:6f:ae:cf:f6:2d:73:d8:97:eb:
f1:f2:c5:4d:e5:7d:f5:da:20:eb:76:56:c1:06:fa:
4e:6c:b0:70:d5:fd:22:fb:f5:e6:17:66:e5:7c:0b:
71:eb:13:5f:cb:1b:70:5e:39:f7:10:8b:86:d3:d0:
40:97
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Agreement
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Key Identifier:
45:11:6A:38:0A:02:E1:A3:40:1B:A5:C3:02:91:45:5E:40:B9:90:28
X509v3 Authority Key Identifier:
C0:70:5B:61:B6:79:A7:AE:8F:67:B1:2E:B5:1E:EF:8C:90:B3:EB:B3
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
48:46:2f:cf:1c:0c:99:6b:b8:6a:d9:e0:23:44:36:d0:69:f2:
3b:08:0d:b8:24:b4:d7:94:49:63:ae:01:71:8d:87:3e:9c:b2:
82:39:d4:7d:c9:aa:27:a7:e8:2f:14:78:9f:3f:e1:f4:7d:a9:
34:e6:9a:ea:e5:08:59:04:17:91:e1:47:03:64:06:5c:49:53:
79:6f:12:33:45:02:9e:aa:9e:6b:de:da:74:a4:bf:91:34:03:
c6:9c:f4:93:58:32:0e:12:80:5c:b9:46:62:a3:2e:fe:74:0b:
0b:dc:d5:b2:9c:ad:c1:5f:c2:e7:57:b5:f1:09:17:81:0a:51:
d1:42:13:24:b3:7a:2d:a9:a9:f4:71:e4:24:b8:2a:55:0d:7f:
79:c5:89:06:a4:b3:46:e4:63:cb:d3:23:56:09:b3:78:df:8d:
8d:d7:98:ee:8d:0e:b1:31:79:21:4c:5c:99:8b:a1:af:65:19:
c5:fa:57:fb:9e:5a:3c:bc:93:e5:d0:61:6c:ca:0e:36:5e:28:
ef:8e:af:1e:3c:bb:6b:b9:48:22:db:91:ab:54:de:8d:44:b6:
12:78:bf:f5:af:78:8d:8a:1e:79:d5:88:a7:d3:59:df:2e:37:
7d:ee:51:8d:30:3d:6c:2b:63:b6:ce:c2:57:fb:32:e6:88:99:
d7:ce:ca:da
Copy the dlc-client.pem file to the tmp directory.
[root@dlc rootCA]# cp dlc-client.pem /tmp
Generate the pfx file; the script packs the signed certificate together with the private key created at the CSR step into dlc-client.pfx. If this fails with a null error, re-check openssl-ca.cnf. On CentOS Stream 9.2 or later, turn SELinux off first and run it again.
[root@dlc rootCA]# /opt/ibm/si/services/dlc/current/script/generateCertificate.sh -p12 /tmp/dlc-client.pem
Enter Export Password:
Verifying - Enter Export Password:
Openssl Version: OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
The trustStore file /opt/ibm/si/services/dlc/keystore/dlc-client.pfx has been generated
Confirm that the timestamp of the pfx file has been updated.
[root@dlc rootCA]# ls -la /opt/ibm/si/services/dlc/keystore/
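As an added example (not part of the page or of the DLC), a health check for the PKCS#12 keystores this procedure produces: dlc-client.pfx on the DLC and, later, dlc-server.pfx on QRadar. The timestamp check above only shows that a file was written; these functions check what matters operationally, namely that the certificate inside the keystore still chains to rootCA.pem and whether it has entered the expiry window (the tls.keystoreexpirywindow value, 14 days in the config.json shown later on this page). The working directory, the password "demo" and the two self-signed throw-away keystores the demo builds are assumptions for the example.

```shell
#!/bin/sh
# Editor's example, not from the page or the DLC: health check for the PKCS#12
# keystores (dlc-client.pfx, dlc-server.pfx). WORK, the password "demo" and the two
# self-signed throw-away keystores built at the end are assumptions for the demo.
set -eu
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }
WORK="${WORK:-$(mktemp -d)}"

# pfx_cert FILE PASSWORD: print the leaf certificate (PEM) held in the keystore.
# Only the certificate is extracted; the private key never leaves the file.
pfx_cert() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null
}

# pfx_chains_to FILE PASSWORD CA_PEM: succeeds if the leaf validates against CA_PEM
# (rootCA.pem in the page's setup), i.e. a peer that trusts that CA will accept it.
pfx_chains_to() {
  pfx_cert "$1" "$2" | openssl verify -CAfile "$3" >/dev/null 2>&1
}

# pfx_expires_within FILE PASSWORD DAYS: succeeds if the leaf expires within DAYS
# days (or already has), i.e. it is inside the expiry window and needs renewing.
# "openssl x509 -checkend" exits 0 only while the certificate outlives the window.
pfx_expires_within() {
  if pfx_cert "$1" "$2" | openssl x509 -noout -checkend $(( $3 * 86400 )) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# keystore_report FILE PASSWORD CA_PEM DAYS: one-line summary for an operator.
keystore_report() {
  printf '%s: ' "$1"
  if pfx_chains_to "$1" "$2" "$3"; then printf 'chain OK, '; else printf 'chain FAILED, '; fi
  pfx_cert "$1" "$2" | openssl x509 -noout -enddate | tr '\n' ' '
  if pfx_expires_within "$1" "$2" "$4"; then echo "(inside ${4}-day window: renew now)"
  else echo "(outside ${4}-day window)"; fi
}

# --- constructed demo keystores: self-signed, so each certificate is its own CA ---
make_demo_pfx() {   # make_demo_pfx NAME DAYS -> WORK/NAME.pfx (password demo), WORK/NAME.pem
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" -config "$WORK/req.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
  openssl pkcs12 -export -passout pass:demo -inkey "$WORK/$1.key" -in "$WORK/$1.pem" \
    -out "$WORK/$1.pfx"
}
make_demo_pfx expiring-soon 5
make_demo_pfx long-lived 400
keystore_report "$WORK/expiring-soon.pfx" demo "$WORK/expiring-soon.pem" 14
keystore_report "$WORK/long-lived.pfx" demo "$WORK/long-lived.pem" 14
```

On a real host, replace the demo calls with keystore_report /opt/ibm/si/services/dlc/keystore/dlc-client.pfx <pfx password> /etc/pki/ca-trust/source/anchors/rootCA.pem 14 (and the equivalent for dlc-server.pfx under /opt/qradar/conf/key_stores on QRadar); a non-zero exit from pfx_expires_within is the condition to alert on, since a keystore inside the window will stop being accepted before anyone notices a timestamp.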
Edit the DLC configuration file.
[root@dlc rootCA]# vi /opt/ibm/si/services/dlc/conf/config.json
"destination.type": "TLS",
"destination.ip": "<IP address or host name of the QRadar host>",
"destination.port": "32500"
"DLCMetricsEventsEnabled": "true" ← change to true
Edit the DLC properties file.
[root@dlc rootCA]# vi /opt/ibm/si/services/dlc/conf/frameworks.properties
Change the following settings:
trustmanager.checkrevocation=false
trustmanager.checkusage=false
trustmanager.enableOCSP=false
These turn off revocation checking (CRL and OCSP) and the key-usage check in the DLC's trust manager. They are needed because the private CA built above publishes no CRL and has no OCSP responder, so a revocation check could never succeed. The consequence is that a compromised certificate cannot be revoked, only replaced; to invalidate everything the CA ever signed, remove rootCA.pem from both trust stores.
Make a PEM copy of the root certificate for distribution. rootCA.crt as produced by openssl req -x509 above is already PEM, so a plain copy is all that is needed. (The original ran openssl req -x509 a second time here, which does not convert anything: it issues another self-signed root certificate for the same key, with a new serial number and the 10-year default_days validity. Because key and subject are the same, either certificate validates the issued certificates, but the trust stores should hold the one that actually signed them.)
[root@dlc rootCA]# cp rootCA.crt rootCA.pem
Copy the PEM file from the DLC to QRadar.
xxx.xxx.xxx.xxx is the IP address of QRadar. On the first connection scp asks you to trust the QRadar host key; compare the fingerprint with the value on the QRadar console (ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub) before answering yes, because the file you are sending becomes a trust anchor there.
[root@dlc rootCA]# scp rootCA.pem root@xxx.xxx.xxx.xxx:/etc/pki/ca-trust/source/anchors/
The authenticity of host 'xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)' can't be established.
ED25519 key fingerprint is SHA256:rqbdY3npC6JUnktRPn+mGHj94ZTyvIHm6zOa0724bWw.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'xxx.xxx.xxx.xxx' (ED25519) to the list of known hosts.
root@xxx.xxx.xxx.xxx's password:
rootCA.pem 100% 1330 2.1MB/s 00:00
On the DLC, copy the file into the local trust anchors as well.
[root@dlc rootCA]# cp rootCA.pem /etc/pki/ca-trust/source/anchors/
Make the DLC host recognize the certificate by running the following on the DLC.
[root@dlc rootCA]# update-ca-trust
Work on the QRadar side
SSH into QRadar.
ssh root@xxx.xxx.xxx.xxx
Confirm that the copied file is present.
[root@qradar ~]# ls -la /etc/pki/ca-trust/source/anchors/
total 76
drwxr-xr-x. 2 root root 4096 Feb 15 16:47 .
drwxr-xr-x. 4 root root 80 Jan 18 16:38 ..
-rw-r--r-- 1 root root 7474 Jan 18 08:17 conman_ca.crt
-rw-r--r-- 1 root root 7504 Jan 18 08:18 docker-distribution_ca.crt
-rw-r--r-- 1 root root 1101 Jan 18 08:17 intermediate-qradar-ca_ca.crl
-rw------- 1 root root 7488 Jan 18 08:17 intermediate-qradar-ca_ca.crt
-rw-r--r-- 1 root root 7483 Jan 18 08:18 QRadarSAML_ca.crt
-rw-r--r-- 1 root root 1314 Feb 15 16:07 rootCA.pem
-rw-r--r-- 1 root root 1097 Jan 18 08:17 root-qradar-ca_ca.crl
-rw------- 1 root root 6993 Jan 18 08:17 root-qradar-ca_ca.crt
-rw-r--r-- 1 root root 7474 Jan 18 08:19 si-docker_ca.crt
-rw-r--r-- 1 root root 7475 Jan 18 08:19 traefik_ca.crt
Make QRadar recognize the certificate by running the following on QRadar.
[root@qradar ~]# update-ca-trust
Work on the DLC side
Create the server CSR on the DLC. This certificate is the one QRadar presents on port 32500, so the SAN and Common Name must be the address the DLC connects to (destination.ip).
[root@dlc rootCA]# /opt/ibm/si/services/dlc/current/script/generateCertificate.sh -servercsr -2k
Enter SAN IP:xxx.xxx.xxx.xxx <- QRadar IP address
Enter SAN DNS (Optional-Enter for empty value):
Are you sure you do not want to provide SAN DNS? Enter yes or no (y/n)y
Enter Organization Name:example.ltd
Enter Organization Unit Name:operation
Enter Common Name(Should match a listed SAN):xxx.xxx.xxx.xxx <- QRadar IP address
csrcontent=[ default ]
SAN = IP:xxx.xxx.xxx.xxx <- QRadar IP address
[ req ]
default_bits = 2048
encrypt_key = no
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = server_dn
req_extensions = server_reqext
[ server_dn ]
organizationName = example.ltd
organizationalUnitName = operation
commonName =xxx.xxx.xxx.xxx <- QRadar IP address
[ server_reqext ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
subjectAltName = $ENV::SAN
.....+.+...+.....+.+...+.....+...+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+..........+..+.......+.....+......+.+...+......+.....+......+......+....+...+.....+.......+...+........+.......+..+.+..+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.........................+..+...+.+......+........+...+....+.........+.....+......+..................+.......+.....+...+..........+......+.....+....+...+.........+.....+....+..+.......+...+...+..+..........+.................+.+.....+.......+....................+...+................+.....+....+............+..+......+.+........+.+...........+...+...+....+...+...............+......+.....................+.....+...+.+......+.........+..+....+......+...+......+...........+.......+........+....+.....+...................+..+............+...+....+.........+......+...+...........+.......+..+.+.....+....+...+.........+.....+.+...+...............+..+....+...........+...+..........+..+....+.....+.+........+............+....+...+.....+...+...+......+.........+.......+............+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.+......+...+..+..........+...+........+...+......+...+.+......+........+................+.........+..+...+.+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.........+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...............+........+.+.....+....+...........+.+......+..+............+...+......+......+.+...+...........+.+.....+.......+..+......+.......+........+....+.....+...+.+......+...............+...........+.............+..+...+......+.+.........+........+...+.......+...+..+.+.....+......+...............+..........+......+............+...........+.......+.................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
CSR file created: /opt/ibm/si/services/dlc/keystore/a7a4bfb5-5c57-42b1-81af-801695091793/dlc-server.csr
Copy the CSR and private key created above into /rootCA.
<UUID> is the DLC instance ID, as before; in this example it is a7a4bfb5-5c57-42b1-81af-801695091793.
[root@dlc rootCA]# cp /opt/ibm/si/services/dlc/keystore/<UUID>/dlc-server.* /rootCA
Signing the server certificate
[root@dlc rootCA]# openssl ca -config /rootCA/openssl-ca.cnf -out dlc-server.crt -keyfile /rootCA/rootCA.key -in dlc-server.csr -cert /rootCA/rootCA.crt
Using configuration from /rootCA/openssl-ca.cnf
Enter pass phrase for /rootCA/rootCA.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Feb 16 01:44:51 2024 GMT
Not After : Feb 13 01:44:51 2034 GMT
Subject:
organizationName = example.ltd
organizationalUnitName = operation
commonName = xxx.xxx.xxx.xxx
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Agreement
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Key Identifier:
A0:70:FB:64:15:BA:98:0F:09:D8:FB:C8:91:18:9A:2F:22:32:D8:6E
X509v3 Authority Key Identifier:
C0:70:5B:61:B6:79:A7:AE:8F:67:B1:2E:B5:1E:EF:8C:90:B3:EB:B3
Certificate is to be certified until Feb 13 01:44:51 2034 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Converting to PKCS#12
Before packaging, look at what is missing from the signing output above: there is no Subject Alternative Name, and the Key Usage is digitalSignature, keyAgreement rather than the keyEncipherment the CSR requested. openssl ca took the extensions from [ usr_cert ] and ignored the ones in the CSR because copy_extensions is not set in openssl-ca.cnf, so this certificate identifies QRadar by its CN only. The DLC accepted it in this setup, but to issue a server certificate that carries the SAN, add copy_extensions = copy under [ CA_default ] (reasonable here because you generate the CSRs yourself; do not enable it for CSRs from untrusted parties) and sign again.
[root@dlc rootCA]# openssl pkcs12 -export -out dlc-server.pfx -inkey dlc-server.key -in dlc-server.crt
Enter Export Password:
Verifying - Enter Export Password:
The export password entered here is the one to set as the pfx password of the log source. dlc-server.key is unencrypted (encrypt_key = no in the CSR profile), so keep it only inside the root-only /rootCA directory and inside the pfx.
Copy dlc-server.pfx to QRadar.
[root@dlc rootCA]# scp dlc-server.pfx root@xxx.xxx.xxx.xxx:/opt/qradar/conf/key_stores
root@xxx.xxx.xxx.xxx's password:
dlc-server.pfx 100% 2659 7.4MB/s 00:00
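The CA steps above (configuration file, root certificate, client CSR, server CSR, signing, PKCS#12 export) as one non-interactive script, added here as an example; it is not from the page or from IBM's DLC scripts. It uses the same openssl ca database layout (index.txt, serial, newcerts) with a stripped-down config, supplies the server SAN from the signing profile so that it actually lands in the certificate, keeps localityName through the policy, gives the client certificate clientAuth only (what the DLC's own CSR requests, rather than the both-purposes [ usr_cert ] profile of the page), and then runs the checks the page never shows: that each certificate chains to the root, that it is fit for its TLS role, and that the server certificate's SAN matches the QRadar address. The CA directory, the passphrase, the documentation address 192.0.2.10 standing in for QRadar and the fixed UUID-like CN standing in for the DLC instance ID are assumptions.

```shell
#!/bin/sh
# Editor's example, not from the page or IBM's DLC scripts: the page's CA procedure
# done non-interactively, followed by verification. CA_DIR, CA_PASS, QRADAR_IP
# (192.0.2.10, a documentation address) and DLC_ID (stand-in instance ID) are assumed.
set -eu
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }

export CA_DIR="${CA_DIR:-$(mktemp -d)}"       # exported: referenced via $ENV:: below
export QRADAR_IP="${QRADAR_IP:-192.0.2.10}"
CA_PASS="${CA_PASS:-change-me}"                # root key passphrase
DLC_ID="a7a4bfb5-0000-4000-8000-000000000000"  # stands in for the DLC instance ID

# Stripped-down equivalent of the page's openssl-ca.cnf. copy_extensions stays at its
# default (none), so each profile carries the full extension set, SAN included.
write_config() {
  cat > "$CA_DIR/openssl-ca.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir            = $ENV::CA_DIR
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
serial         = $dir/serial
certificate    = $dir/rootCA.crt
private_key    = $dir/rootCA.key
default_md     = sha256
default_days   = 3650
unique_subject = no
policy         = policy_any
[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
[ client_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyAgreement
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = IP:$ENV::QRADAR_IP
EOF
}

make_ca() {
  mkdir -p "$CA_DIR/newcerts" && chmod 700 "$CA_DIR"
  : > "$CA_DIR/index.txt" && echo 01 > "$CA_DIR/serial"
  write_config
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$CA_DIR/rootCA.key" 2048 2>/dev/null
  chmod 600 "$CA_DIR/rootCA.key"               # owner read/write is enough for a key
  openssl req -new -x509 -sha256 -days 7300 -config "$CA_DIR/openssl-ca.cnf" \
    -extensions v3_ca -key "$CA_DIR/rootCA.key" -passin "pass:$CA_PASS" \
    -subj "/C=JP/ST=Tokyo/O=Example Ltd/OU=operation/CN=Example Private Root CA" \
    -out "$CA_DIR/rootCA.crt"
}

# issue NAME SUBJECT PROFILE: key + CSR (what generateCertificate.sh does), then
# "openssl ca -batch -notext", whose output is plain PEM (no DER round trip needed).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$CA_DIR/openssl-ca.cnf" \
    -keyout "$CA_DIR/$1.key" -subj "$2" -out "$CA_DIR/$1.csr" 2>/dev/null
  openssl ca -batch -notext -config "$CA_DIR/openssl-ca.cnf" -extensions "$3" \
    -passin "pass:$CA_PASS" -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt" 2>/dev/null \
    || { echo "signing $1 failed" >&2; exit 1; }
}

# Checks: chains to the root; fit for a TLS role (EKU and keyUsage); SAN matches.
verify_chain()   { openssl verify -CAfile "$CA_DIR/rootCA.crt" "$1" >/dev/null 2>&1; }
verify_purpose() { openssl verify -CAfile "$CA_DIR/rootCA.crt" -purpose "$2" "$1" >/dev/null 2>&1; }
verify_ip()      { openssl verify -CAfile "$CA_DIR/rootCA.crt" -verify_ip "$2" "$1" >/dev/null 2>&1; }
san_has_ip()     { openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -q "IP Address:$2"; }

make_ca
issue dlc-client "/C=JP/ST=Tokyo/L=Chuoku/O=example ltd/OU=operation/CN=$DLC_ID" client_ext
issue dlc-server "/O=example ltd/OU=operation/CN=$QRADAR_IP" server_ext
openssl pkcs12 -export -passout "pass:$CA_PASS" -inkey "$CA_DIR/dlc-server.key" \
  -in "$CA_DIR/dlc-server.crt" -out "$CA_DIR/dlc-server.pfx"   # keystore for QRadar
verify_chain "$CA_DIR/dlc-client.crt" && verify_chain "$CA_DIR/dlc-server.crt" \
  && verify_purpose "$CA_DIR/dlc-client.crt" sslclient \
  && verify_purpose "$CA_DIR/dlc-server.crt" sslserver \
  && verify_ip "$CA_DIR/dlc-server.crt" "$QRADAR_IP" \
  || { echo "verification failed" >&2; exit 1; }
echo "root, client and server certificates verified; files are in $CA_DIR"
```

Run it as root in a fresh directory (it initialises index.txt and serial, so do not point CA_DIR at an existing CA) with QRADAR_IP set to the real QRadar address. The check functions are also useful on their own against certificates issued interactively: openssl verify -CAfile /rootCA/rootCA.crt -verify_ip <QRadar address> /rootCA/dlc-server.crt should fail on the server certificate signed above, because that certificate carries no subjectAltName and -verify_ip does not fall back to the CN.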
Work on the QRadar side
SSH into QRadar.
ssh root@xxx.xxx.xxx.xxx
Restart the ingress service on QRadar (log collection is briefly interrupted by this restart).
[root@qradar ~]# systemctl restart ecs-ec-ingress
Creating the DLC log source on QRadar
Note: editing a log source after it has been created does not take effect unless the change triggers a deploy. To change a log source you have created, delete it and create it again.
In the web UI, click Admin, then Log Sources.
Click Disconnected Log Collectors.
Enter any name in Name and click Register.
Health check
Restart the dlc service.
[root@dlc ~]# systemctl restart dlc
Confirm that it is loaded and active (running).
[root@dlc ~]# systemctl status dlc
● dlc.service - Disconnected log collector
Loaded: loaded (/usr/lib/systemd/system/dlc.service; enabled; preset: disabled)
Active: active (running) since Fri 2024-02-16 11:23:29 JST; 3s ago
Process: 1644 ExecStartPre=/opt/ibm/si/services/dlc/current/systemd/bin/generate_environment.sh ${SERVICENAME} ${SERVICEPATH} (code=exited, status=0/SUCCESS)
Main PID: 1680 (java)
Tasks: 110 (limit: 61740)
Memory: 341.1M
CPU: 5.619s
CGroup: /system.slice/dlc.service
└─1680 /opt/ibm/java-x86_64-80/bin/java -Dapplication.name=dlc -Dapp_id=dlc -Djava.library.path= -Dapplication.baseURL=file:///opt/ibm/si/services/dlc/conf/ -Dmks.base=/opt/ibm/si/services/dlc/MKS/>
Feb 16 11:23:29 xxxxxxxxxxxxxxxxxxxxxxx [1]: Starting Disconnected log collector...
Feb 16 11:23:29 xxxxxxxxxxxxxxxxxxxxxxx[1]: Started Disconnected log collector.
Confirm that a log source named IBM DLC Metrics has been created automatically under Log Sources.
Upgrading the DLC
Upgrading from 1.8.4 to 1.8.5.
The install.sh output below contains checkmodule and semodule errors. The upgrade script tries to compile and load a local SELinux policy module (my-systemd.pp), and checkmodule, which comes from the checkpolicy package, is not installed on this minimal system. With SELinux disabled as above the failure is harmless; on a host running SELinux in enforcing mode, install checkpolicy before upgrading so that the module is built and loaded.
[root@dlc ~]# rpm -qa | grep dlc
dlc-service-1.8.4-1.noarch
[root@dlc ~]# tar -zxvf dlc-service-install-1.8.5-1.tgz
install.py
uninstall.py
install.sh
uninstall.sh
updateConnectors.sh
dlc-service-rpms-1.8.5-1.tgz
[root@pps0309 ~]# ./install.sh
Current RPM version: v1.8.4
A DLC RPM found: dlc-service-rpms-1.8.5-1.tgz
Version:dlc-service-rpms-1.8.5-1.tgz
The DLC package version (1.8.5) is different with installed one (1.8.4).
Do you like to update DLC [y/N]: y
## Start to update DLC ##
Installing DLC. Log is in /var/log/dlc/dlc.install
Last metadata expiration check: 2:30:14 ago on Fri 12 Apr 2024 01:06:40 PM JST.
Dependencies resolved.
=============================================================================================================================================================================================================================================
Package Architecture Version Repository Size
=============================================================================================================================================================================================================================================
Upgrading:
dlc-service noarch 1.8.5-1 @commandline 210 M
Transaction Summary
=============================================================================================================================================================================================================================================
Upgrade 1 Package
Total size: 210 M
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Running scriptlet: dlc-service-1.8.5-1.noarch 1/1
Preparing : 1/1
Running scriptlet: dlc-service-1.8.5-1.noarch 1/2
Upgrading : dlc-service-1.8.5-1.noarch 1/2
Running scriptlet: dlc-service-1.8.5-1.noarch 1/2
The DLC Instance ID: a7a4bfb5-5c57-42b1-81af-801695091793
Generating ...
OK: Already generated
Running scriptlet: dlc-service-1.8.4-1.noarch 2/2
Warning: The unit file, source configuration file or drop-ins of dlc.service changed on disk. Run 'systemctl daemon-reload' to reload units.
Removing /usr/bin/xml
Cleanup : dlc-service-1.8.4-1.noarch 2/2
Running scriptlet: dlc-service-1.8.4-1.noarch 2/2
Running scriptlet: dlc-service-1.8.5-1.noarch 2/2
/opt/ibm/si/services/dlc/1.8.5/script/rpm/upgrade/1.8.5.sh
redhat_release: CentOS Stream release 9
/opt/ibm/si/services/dlc/1.8.5/script/rpm/run-newversion-instance.sh: line 221: checkmodule: command not found
semodule_package: Could not open file my-systemd.mod: No such file or directory
libsemanage.map_compressed_file: Unable to open my-systemd.pp
(No such file or directory).
libsemanage.semanage_direct_install_file: Unable to read file my-systemd.pp
(No such file or directory).
semodule: Failed on my-systemd.pp!
Cleaning up
DLC verion:1.8.5 is installed and running as a service
Disconnected Log Collector uses incoming and outgoing ports that must be open in the firewalld service daemon. See the Disconnected Log Collector Guide for information about port usage.
Running scriptlet: dlc-service-1.8.4-1.noarch 2/2
Verifying : dlc-service-1.8.5-1.noarch 1/2
Verifying : dlc-service-1.8.4-1.noarch 2/2
Upgraded:
dlc-service-1.8.5-1.noarch
Complete!
Installing CONNECTOR-AkamaiKonaRESTAPI-1.0.0-20240215162146.noarch.rpm. (1 of 26)
Installing CONNECTOR-AmazonWebServices-1.0.0-20240215162146.noarch.rpm. (2 of 26)
Installing CONNECTOR-ApacheKafka-1.0.0-20240313140845.noarch.rpm. (3 of 26)
Installing CONNECTOR-BlueCoatWSSRESTAPI-1.0.0-20240215162146.noarch.rpm. (4 of 26)
Installing CONNECTOR-BoxRESTAPI-1.0.0-20240313140845.noarch.rpm. (5 of 26)
Installing CONNECTOR-CentrifyRedrockRESTAPI-1.0.0-20240313140845.noarch.rpm. (6 of 26)
Installing CONNECTOR-Common-1.0.0-20240215162146.noarch.rpm. (7 of 26)
Installing CONNECTOR-FlowCommon-1.0.0-20240215162146.noarch.rpm. (8 of 26)
Installing CONNECTOR-GoogleCommon-1.0.0-20240215162146.noarch.rpm. (9 of 26)
Installing CONNECTOR-GoogleGSuiteActivityReportsRESTAPI-1.0.0-20240215162146.noarch.rpm. (10 of 26)
Installing CONNECTOR-IBMSIMJDBC-1.0.0-20240215162146.noarch.rpm. (11 of 26)
Installing CONNECTOR-JDBC-1.0.0-20240215162146.noarch.rpm. (12 of 26)
Installing CONNECTOR-LogFileProtocol-1.0.0-20240215162146.noarch.rpm. (13 of 26)
Installing CONNECTOR-MicrosoftAzureEventHubs-1.0.0-20240313140845.noarch.rpm. (14 of 26)
Installing CONNECTOR-MicrosoftGraphSecurityAPI-1.0.0-20240215162146.noarch.rpm. (15 of 26)
Installing CONNECTOR-ObserveITJdbc-1.0.0-20240215162146.noarch.rpm. (16 of 26)
Installing CONNECTOR-Office365MessageTraceRESTAPI-1.0.0-20240215162146.noarch.rpm. (17 of 26)
Installing CONNECTOR-Office365RESTAPI-1.0.0-20240215162146.noarch.rpm. (18 of 26)
Installing CONNECTOR-SmbTailProtocol-1.0.0-20240215162146.noarch.rpm. (19 of 26)
Installing CONNECTOR-SyslogRedirect-1.0.0-20240215162146.noarch.rpm. (20 of 26)
Installing CONNECTOR-TCPMultilineSyslog-1.0.0-20240313140845.noarch.rpm. (21 of 26)
Installing CONNECTOR-TLSSyslog-1.0.0-20240215162146.noarch.rpm. (22 of 26)
Installing CONNECTOR-UDPMultilineSyslog-1.0.0-20240215162146.noarch.rpm. (23 of 26)
Installing CONNECTOR-UniversalCloudRESTAPI-1.0.0-20240215162146.noarch.rpm. (24 of 26)
Installing CONNECTOR-WindowsDHCPProtocol-1.0.0-20240215162146.noarch.rpm. (25 of 26)
Installing CONNECTOR-WindowsExchangeProtocol-1.0.0-20240215162146.noarch.rpm. (26 of 26)
Installation completed.
[root@pps0309 ~]#
[root@dlc ~]# rpm -qa | grep dlc
dlc-service-1.8.5-1.noarch
[root@dlc ~]# systemctl restart dlc
[root@dlc ~]# systemctl status dlc
● dlc.service - Disconnected log collector
Loaded: loaded (/usr/lib/systemd/system/dlc.service; enabled; preset: disabled)
Active: active (running) since Fri 2024-04-12 15:38:29 JST; 4s ago
Process: 543562 ExecStartPre=/opt/ibm/si/services/dlc/current/systemd/bin/generate_environment.sh ${SERVICENAME} ${SERVICEPATH} (code=exited, status=0/SUCCESS)
Main PID: 543599 (java)
Tasks: 110 (limit: 61740)
Memory: 409.6M
CPU: 7.225s
CGroup: /system.slice/dlc.service
└─543599 /opt/ibm/java-x86_64-80/bin/java -Dapplication.name=dlc -Dapp_id=dlc -Djava.library.path= -Dapplication.baseURL=file:///opt/ibm/si/services/dlc/conf/ -Dmks.base=/opt/ibm/si/services/dlc/MKS/conf -Dtrustmanager.trus>
Apr 12 15:38:29 xxxx.com systemd[1]: Starting Disconnected log collector...
Apr 12 15:38:29 xxxx..com systemd[1]: Started Disconnected log collector.
[root@dlc ~]#
Using a proxy
A proxy can be used starting with version 1.8.5.
The proxy carries the DLC-to-QRadar connection on the DLC's behalf: the DLC connects to squid and asks it (HTTP CONNECT) to open the TLS connection to QRadar port 32500. Because the proxy.username and proxy.password fields in the DLC configuration are left empty, squid's access control is the only thing deciding who may use this tunnel, so restrict it to the DLC host rather than to every internal network.
squid.conf settings
Add the lines marked with + (and drop the one marked with -). The original defined the built-in localhost ACL as a whole /24, which also grants that subnet access to the cache manager; a dedicated ACL for the DLC host is used here instead.
# more /etc/squid/squid.conf
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+ acl dlc_hosts src {DLC host IP address}/32
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
+ acl SSL_ports port 32500
+ acl Safe_ports port 32500
#access_log syslog:local0.info combined
access_log syslog:local0.info
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
- http_access allow localnet
+ http_access allow dlc_hosts
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
+ http_port 32500
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Restart the service
systemctl restart squid
Settings in /opt/ibm/si/services/dlc/conf/config.json (the same file edited earlier)
The part marked with + (Proxy) was added in version 1.8.5.
{
"Destination": {
"destination.type": "TLS",
"destination.ip": "{QRadarのIPアドレス}",
"destination.port": "32500"
},
"TLS": {
"tls.keystorefilepath": "\/opt\/ibm\/si\/services\/dlc\/keystore\/dlc-client.pfx",
"tls.keystorepassword": "AQAAAAAAAAABx5FsHwNuOLJBZLLnHfOpiGFRp2I4OiTt+STloi2BnKijkGRo",
"tls.keystoreexpirywindow": "14",
"tls.version": "TLSv1.2"
},
+ "Proxy": {
+
+ "proxy.description":"Only applicable to destination types TLS, not applicable to destination.type: Kafka and UDP",
+ "proxy.enabled":"true",
+ "proxy.ip":"{ProxyのIPアドレス}",
+ "proxy.port":"32500",
+ "proxy.username":"",
+ "proxy.password":""
+ },
"EPS": 5000,
"DLCMetricsEventsEnabled": "true",
"TOPIC": "",
"ManagementServiceConsumerTOPIC": "",
"ManagementServiceProducerTOPIC": ""
}
Restart the service
systemctl restart dlc
Points to check after configuration
- On the DLC, run netstat -an (or ss -tan) and confirm an ESTABLISHED connection to squid on port 32500
- On the squid host, run netstat -an (or ss -tan) and confirm an ESTABLISHED connection to QRadar on port 32500
- Check /var/log/dlc/dlc.error on the DLC for communication-related errors
- Confirm that DLC metrics events are arriving in QRadar
- Confirm that security device logs relayed through the DLC are arriving in QRadar
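The check list above as a script, added as an example (not from the page or from the DLC). Each check is a function reading ss -tan or netstat -an output, or the dlc.error log, from standard input, so it runs here against constructed sample text and on a real host against the live output (for instance ss -tan | established_to <squid address> 32500). The addresses and the sample log lines are constructed for the example; the real wording of dlc.error entries may differ, so treat the grep pattern as a starting point.

```shell
#!/bin/sh
# Editor's example, not from the page or the DLC: the post-configuration checks as
# functions reading "ss -tan"/"netstat -an" output or dlc.error from stdin.
# The 192.0.2.x addresses and the sample lines below are constructed for the demo.
set -eu

# established_to PEER PORT: succeeds if an ESTABLISHED TCP connection to PEER:PORT exists.
# "ss -tan": state in $1, peer in $5. "netstat -an": peer in $5, state in $6.
established_to() {
  awk -v peer="$1:$2" \
    '$5 == peer && ($1 == "ESTAB" || $6 == "ESTABLISHED") { found = 1 }
     END { exit found ? 0 : 1 }'
}

# listening_on PORT: succeeds if a socket listens on PORT (1514 on the DLC behind the
# firewall forward, 32500 on the squid host); the local address is $4 in both formats.
listening_on() {
  awk -v port="$1" \
    '($1 == "LISTEN" || $6 == "LISTEN") && $4 ~ (":" port "$") { found = 1 }
     END { exit found ? 0 : 1 }'
}

# dlc_error_count: number of dlc.error lines that point at TLS or proxy trouble.
dlc_error_count() {
  grep -ciE 'handshake|certificate|proxy|connection refused|unable to connect' || true
}

# check LABEL FUNCTION ARGS...: run one check on stdin and print a one-line verdict.
check() {
  label=$1; shift
  if "$@"; then echo "OK       $label"; else echo "MISSING  $label"; fi
}

# --- constructed samples standing in for live output on the DLC and on the proxy ---
SAMPLE_SS_DLC='State   Recv-Q  Send-Q  Local Address:Port    Peer Address:Port
LISTEN  0       128     0.0.0.0:1514          0.0.0.0:*
ESTAB   0       0       192.0.2.20:41234      192.0.2.30:32500
ESTAB   0       0       192.0.2.20:22         192.0.2.99:55112'
SAMPLE_NETSTAT_PROXY='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:32500           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.30:40001        192.0.2.40:32500        ESTABLISHED'
SAMPLE_DLC_ERROR='2024-04-12 15:40:01 INFO  destination connection established
2024-04-12 15:40:02 ERROR TLS handshake failed: certificate_unknown
2024-04-12 15:40:05 ERROR proxy returned 403 for CONNECT 192.0.2.40:32500'

printf '%s\n' "$SAMPLE_SS_DLC"        | check "DLC: syslog listener on 1514" listening_on 1514
printf '%s\n' "$SAMPLE_SS_DLC"        | check "DLC -> squid 192.0.2.30:32500 ESTABLISHED" established_to 192.0.2.30 32500
printf '%s\n' "$SAMPLE_NETSTAT_PROXY" | check "squid: listening on 32500" listening_on 32500
printf '%s\n' "$SAMPLE_NETSTAT_PROXY" | check "squid -> QRadar 192.0.2.40:32500 ESTABLISHED" established_to 192.0.2.40 32500
echo "dlc.error: $(printf '%s\n' "$SAMPLE_DLC_ERROR" | dlc_error_count) TLS/proxy related line(s)"
```

The two netstat-style and ss-style layouts are handled in one awk expression because the page mentions netstat while a CentOS Stream 9 minimal install ships only ss (netstat needs the net-tools package); the peer column is compared exactly rather than with a substring match so that a local socket on port 32500 cannot be mistaken for a connection to the proxy.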