b fips siem inst

Upload: james-diggity

Post on 01-Jun-2018


  • 8/9/2019 b FIPS Siem Inst

    1/39

    IBM Security QRadar Version 7.2.4

    FIPS 140-2 Installation Guide


    Note: Before using this information and the product that it supports, read the information in “Notices” on page 29.

    Product information

    This document applies to IBM QRadar Security Intelligence Platform V7.2.4 and subsequent releases unless superseded by an updated version of this document.

    © Copyright IBM Corporation 2013, 2014. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


    Contents

    Introduction to QRadar FIPS installations

    Chapter 1. QRadar deployment overview
      FIPS overview
      Appliance restrictions
      Activation keys and license keys
      Integrated Management Module
      QRadar components
      Prerequisite hardware accessories and desktop software for QRadar installations
      Physical security
      Supported web browsers
        Enabling document mode and browser mode in Internet Explorer
      USB flash drive installations
        Creating a bootable USB flash drive with a QRadar appliance
        Creating a bootable USB flash drive with Microsoft Windows
        Creating a bootable USB flash drive with Red Hat Linux
        Configuring a USB flash drive for serial-only appliances
        Installing QRadar with a USB flash drive
      Upgrading your FIPS-compliant appliance to QRadar 7.2.4

    Chapter 2. Installing a QRadar Console or managed host
      Enabling FIPS mode
      Disabling automatic updates

    Chapter 3. FIPS shell commands
      Using crypto account shell commands
      Using admin account shell commands

    Chapter 4. FIPS use cases
      FIPS self-check
      Disabling FIPS
      Restarting a service when FIPS is enabled
      Editing a configuration file with FIPS enabled
      Adding a managed host to a FIPS deployment

    Chapter 5. Network settings management
      Changing the network settings in an all-in-one system
      Changing the network settings of a QRadar Console in a multi-system deployment
      Updating network settings after a NIC replacement

    Notices
      Trademarks
      Privacy policy considerations

    Index


    Introduction to QRadar FIPS installations

    The IBM® Security QRadar® FIPS Installation Guide provides you with information about installing and enabling FIPS mode on QRadar systems.

    For information about IBM security products that are FIPS certified, see the IBM Security FIPS 140 Security Policy documents. Find these documents on the National Institute of Standards and Technology (NIST) web site, in the Module Validation Lists section: NIST (http://csrc.nist.gov/groups/STM/cmvp/index.html).

    To install or recover a high-availability (HA) system, see the IBM Security QRadar High Availability Guide.

    Intended audience

    This guide is intended for cryptographic operations users or administrators who are responsible for installing, maintaining, and configuring FIPS enabled QRadar systems. When you enable FIPS mode, you create an admin user role for general security services and crypto user role for cryptographic operations.

    Technical documentation

    To find IBM Security QRadar product documentation on the web, including all translated documentation, access the IBM Knowledge Center (http://www.ibm.com/support/knowledgecenter/SS42VS/welcome).

    For information about how to access more technical documentation in the QRadar products library, see Accessing IBM Security Documentation Technical Note (www.ibm.com/support/docview.wss?rs=0&uid=swg21614644).

    Contacting customer support

    For information about contacting customer support, see the Support and Download Technical Note (http://www.ibm.com/support/docview.wss?uid=swg21616144).

    Statement of good security practices

    IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.


    Please Note:

    Use of this Program may implicate various laws or regulations, including those related to privacy, data protection, employment, and electronic communications and storage. IBM Security QRadar may be used only for lawful purposes and in a lawful manner. Customer agrees to use this Program pursuant to, and assumes all responsibility for complying with, applicable laws, regulations and policies. Licensee represents that it will obtain or has obtained any consents, permissions, or licenses required to enable its lawful use of IBM Security QRadar.


    Chapter 1. QRadar deployment overview

    You can install IBM Security QRadar on a single server for small enterprises, or across multiple servers for large enterprise environments.

    FIPS overview

    IBM Security QRadar uses the FIPS 140-2 approved cryptographic provider(s) for cryptography. The approved Cryptographic Security Kernel is Q1 Labs or Q1 Labs, an IBM Company, or IBM Corp.

    The certificates are listed on the NIST website (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2012.htm).

    Follow these guidelines for your QRadar FIPS appliance:
    - Use firmware that is FIPS certified.
    - You must enable FIPS mode after your initial appliance installation and configuration.
    - You must enable FIPS mode on any appliance that you restore to factory default (unconfigured) settings.

    Appliance restrictions

    Some restrictions apply to IBM Security QRadar FIPS appliances.

    These restrictions apply to your QRadar FIPS appliance:
    - You cannot use SSH by using the root user account to log in to an appliance that has FIPS mode enabled. Only the crypto user account or admin user accounts can use SSH to log in to a FIPS enabled QRadar appliance.
    - You cannot install this appliance as a virtual machine (VM).
    - You cannot install software fixes on QRadar appliances, unless the update is FIPS certified.
    - You cannot disable FIPS mode in QRadar by using your browser. The crypto user account is the only role that has permissions to disable FIPS mode.
    - Do not select MD5 or DES when you configure SNMP responses because these options are not FIPS-compliant. If these options are chosen when the appliance is in FIPS mode, the appliance does not execute the response. An error message that states that the response is invalid is created in the system log.
    - High-availability (HA) is not supported on FIPS appliances.

    Activation keys and license keys

    When you install IBM Security QRadar appliances, you must type an activation key. After you install, you must apply your license keys. To avoid typing the wrong key in the installation process, it is important to understand the difference between the keys.

    Activation key
        The activation key is a 24-digit, 4-part, alphanumeric string that you receive from IBM. All installations of QRadar products use the same software. However, the activation key specifies which software modules to apply for each appliance type. For example, use the IBM Security QRadar QFlow Collector activation key to install only the QRadar QFlow Collector modules.

        You can obtain the activation key from the following locations:
        - If you purchased an appliance that is pre-installed with QRadar software, the activation key is included in a document on the enclosed CD.
        - If you purchased QRadar software or virtual appliance download, a list of activation keys is included in the Getting Started document. The Getting Started is attached to the confirmation email.

    License key
        Your system includes a temporary license key that provides you with access to QRadar software for five weeks. After you install the software and before the default license key expires, you must add your purchased licenses.

    The following table describes the restrictions for the default license key:

    Table 1. Restrictions for the default license key for QRadar SIEM installations

    Usage                          Limit
    Active log source limit        750
    Events per second threshold    5000
    Flows per interval             200000
    User limit                     10
    Network object limit           300

    Table 2. Restrictions for the default license key for QRadar Log Manager installations

    Usage                          Limit
    Active log source limit        750
    Events per second threshold    5000
    User limit                     10
    Network object limit           300

    When you purchase a QRadar product, an email that contains your permanent license key is sent from IBM. These license keys extend the capabilities of your appliance type and define your system operating parameters. You must apply your license keys before your default license expires.

    Related tasks:
    Chapter 2, “Installing a QRadar Console or managed host,” on page 13
    Install IBM Security QRadar Console or a managed host on the QRadar appliance or on your own appliance.

    Integrated Management Module

    Use Integrated Management Module, which is on the back panel of each appliance type, to manage the serial and Ethernet connectors.


    You can configure Integrated Management Module to share an Ethernet port with the IBM Security QRadar product management interface. However, to reduce the risk of losing the connection when the appliance is restarted, configure Integrated Management Module in dedicated mode.

    To configure Integrated Management Module, you must access the system BIOS settings by pressing F1 when the IBM splash screen is displayed. For more information about configuring Integrated Management Module, see the Integrated Management Module User's Guide on the CD that is shipped with your appliance.

    Related concepts:
    “Prerequisite hardware accessories and desktop software for QRadar installations” on page 4
    Before you install IBM Security QRadar products, ensure that you have access to the required hardware accessories and desktop software.

    QRadar components

    IBM Security QRadar consolidates event data from log sources that are used by devices and applications in your network.

    Important: Software versions for all IBM Security QRadar appliances in a deployment must be the same version and fix level. Deployments that use different versions of software are not supported.

    QRadar deployments can include the following components:

    QRadar QFlow Collector
        Passively collects traffic flows from your network through span ports or network taps. The IBM Security QRadar QFlow Collector also supports the collection of external flow-based data sources, such as NetFlow.

        You can install a QRadar QFlow Collector on your own hardware or use one of the QRadar QFlow Collector appliances.

        Restriction: The component is available only for QRadar SIEM deployments.

    QRadar Console
        Provides the QRadar product user interface. The interface delivers real-time event and flow views, reports, offenses, asset information, and administrative functions.

        In distributed QRadar deployments, use the QRadar Console to manage hosts that include other components.

    Magistrate
        A service running on the QRadar Console, the Magistrate provides the core processing components. You can add one Magistrate component for each deployment. The Magistrate provides views, reports, alerts, and analysis of network traffic and security events.

        The Magistrate component processes events against the custom rules. If an event matches a rule, the Magistrate component generates the response that is configured in the custom rule.

        For example, the custom rule might indicate that when an event matches the rule, an offense is created. If there is no match to a custom rule, the Magistrate component uses default rules to process the event. An offense is an alert that is processed by using multiple inputs, individual events, and events that are combined with analyzed behavior and vulnerabilities. The Magistrate component prioritizes the offenses and assigns a magnitude value that is based on several factors, including number of events, severity, relevance, and credibility.

    QRadar Event Collector
        Gathers events from local and remote log sources. Normalizes raw log source events. During this process, the Magistrate component examines the event from the log source and maps the event to a QRadar Identifier (QID). Then, the Event Collector bundles identical events to conserve system usage and sends the information to the Event Processor.

    QRadar Event Processor
        Processes events that are collected from one or more Event Collector components. The Event Processor correlates the information from QRadar products and distributes the information to the appropriate area, depending on the type of event.

        The Event Processor also includes information that is gathered by QRadar products to indicate behavioral changes or policy violations for the event. When complete, the Event Processor sends the events to the Magistrate component.

    For more information about each component, see the Administration Guide.

    Prerequisite hardware accessories and desktop software for QRadar installations

    Before you install IBM Security QRadar products, ensure that you have access to the required hardware accessories and desktop software.

    Hardware accessories

    Ensure that you have access to the following hardware components:
    - Monitor and keyboard, or a serial console
    - Uninterrupted Power Supply (UPS) for all systems that store data, such as QRadar Console, Event Processor components, or QRadar QFlow Collector components
    - Null modem cable if you want to connect the system to a serial console

    Important: QRadar products support hardware-based Redundant Array of Independent Disks (RAID) implementations, but do not support software-based RAID installations.

    Desktop software requirements

    Ensure that following applications are installed on all desktop systems that you use to access the QRadar product user interface:
    - Java™ Runtime Environment (JRE) version 1.7 or IBM 64-bit Runtime Environment for Java V7.0
    - Adobe Flash version 10.x

    Related tasks:
    Chapter 2, “Installing a QRadar Console or managed host,” on page 13
    Install IBM Security QRadar Console or a managed host on the QRadar appliance or on your own appliance.


    Physical security

    Labels are required for FIPS physical security and must be installed before you place the appliance in the server rack.

    If your appliance did not include labels for FIPS physical security or did not contain a sufficient number of labels, you must contact your sales representative to receive additional labels.

    Two sets of tamper-proof labels are included with your IBM Security QRadar FIPS appliance for a total of forty (40) tamper-proof labels. These labels are numbered with a 7-digit code for your appliance.

    Important: Ensure the location is free of dust or debris before installing a tamper-proof label.

    Attach the tamper-proof labels firmly in the locations illustrated in the following graphic:

    Figure 1. Tamper-proof label locations

    Supported web browsers

    For the features in IBM Security QRadar products to work properly, you must use a supported web browser.

    When you access the QRadar system, you are prompted for a user name and a password. The user name and password must be configured in advance by the administrator.

    The following table lists the supported versions of web browsers.

    Table 3. Supported web browsers for QRadar products

    Web browser                                 Supported versions
    Mozilla Firefox                             17.0 Extended Support Release
                                                24.0 Extended Support Release
    32-bit Microsoft Internet Explorer, with    9.0
    document mode and browser mode enabled      10.0
    Google Chrome                               The current version as of the release date of
                                                IBM Security QRadar V7.2.4 products

    Enabling document mode and browser mode in Internet Explorer

    If you use Microsoft Internet Explorer to access IBM Security QRadar products, you must enable browser mode and document mode.

    Procedure
    1. In your Internet Explorer web browser, press F12 to open the Developer Tools window.
    2. Click Browser Mode and select the version of your web browser.
    3. Click Document Mode.
       - For Internet Explorer V9.0, select Internet Explorer 9 standards.
       - For Internet Explorer V10.0, select Internet Explorer 10 standards.

    Related concepts:
    “Prerequisite hardware accessories and desktop software for QRadar installations” on page 4
    Before you install IBM Security QRadar products, ensure that you have access to the required hardware accessories and desktop software.

    USB flash drive installations

    You can install IBM Security QRadar software with a USB flash drive.

    USB flash drive installations are full product installations. You cannot use a USB flash drive to upgrade or to apply product patches. For information about applying fix packs, see the fix pack Release Notes.

    Supported versions

    The following appliances or operating systems can be used to create a bootable USB flash drive:
    - A QRadar v7.2.1 appliance or later
    - A Linux system that is installed with Red Hat Enterprise Linux 6.4
    - Microsoft Windows Vista
    - Microsoft Windows 7
    - Microsoft Windows 2008
    - Microsoft Windows 2008R2

    Installation overview

    Follow this procedure to install QRadar software from a USB flash drive:
    1. Create the bootable USB flash drive.
    2. Install the software for your QRadar appliance.
    3. Install any product maintenance releases or fix packs.
       See the Release Notes for installation instructions for fix packs and maintenance releases.

    Creating a bootable USB flash drive with a QRadar appliance

    You can use an IBM Security QRadar V7.2.1 or later appliance to create a bootable USB flash drive that can be used to install QRadar software.

    Before you begin

    Before you can create a bootable USB flash drive from a QRadar appliance, you must have access to the following items:
    - A 8 GB USB flash drive
    - A QRadar V7.2.1 or later ISO image file
    - A physical QRadar appliance

    If your QRadar appliance does not have Internet connectivity, you can download the QRadar ISO image file to a desktop computer or another QRadar appliance with Internet access. You can then copy the ISO file to the QRadar appliance where you install the software.

    When you create a bootable USB flash drive, the contents of the flash drive are deleted.

    Procedure
    1. Download the QRadar ISO image file.
       a. Access the IBM Support website (www.ibm.com/support).
       b. Locate the IBM Security QRadar ISO file that matches the version of the QRadar appliance.
       c. Copy the ISO image file to a /tmp directory on your QRadar appliance.
    2. Using SSH, log in to your QRadar system as the root user.
    3. Insert the USB flash drive in the USB port on your QRadar system.
       It might take up to 30 seconds for the system to recognize the USB flash drive.
    4. Type the following command to mount the ISO image:
       mount -o loop /tmp/ .iso /media/cdrom
    5. Type the following command to copy the USB creation script from the mounted ISO to the /tmp directory.
       cp /media/cdrom/post/create-usb-key.py /tmp/
    6. Type the following command to start the USB creation script:
       /tmp/create-usb-key.py
    7. Press Enter.
    8. Press 1 and type the path to the ISO file. For example,
       /tmp/ .iso
    9. Press 2 and select the drive that contains your USB flash drive.
    10. Press 3 to create your USB key.
        The process of writing the ISO image to your USB flash drive takes several minutes to complete. When the ISO is loaded onto the USB flash drive, a confirmation message is displayed.
    11. Press q to quit the USB key script.
    12. Remove the USB flash drive from your QRadar system.
    13. To free up space, remove the ISO image file from the /tmp file system.

    What to do next

    If your connection to the appliance is a serial connection, see Configuring a flash drive for serial only appliances.

    If your connection to the appliance is keyboard and mouse (VGA), see Installing QRadar with a USB flash drive.

    Creating a bootable USB flash drive with Microsoft Windows

    You can use a Microsoft Windows desktop or notebook system to create a bootable USB flash drive that can be used to install QRadar software.

    Before you begin

    Before you can create a bootable USB flash drive with a Microsoft Windows system, you must have access to the following items:
    - A 8 GB USB flash drive
    - A desktop or notebook system with one of the following operating systems:
      – Windows 7
      – Windows Vista
      – Windows 2008
      – Windows 2008R2

    You must download the following files from the IBM Support website (www.ibm.com/support).
    - QRadar V7.2.1 or later Red Hat 64-bit ISO image file
    - Create-USB-Install-Key (CUIK) tool.

    You must download the following files from the Internet.
    - PeaZip Portable 4.8.1
    - SYSLINUX 4.06

    Tip: Search the web for PeaZip Portable v4.8.1 and Syslinux to find the download files.

    When you create a bootable USB flash drive, the contents of the flash drive are deleted.

    Procedure
    1. Extract the Create-USB-Install-Key (CUIK) tool to the c:\cuik directory.
    2. Copy the .zip files for PeaZip Portable 4.8.1 and SYSLINUX 4.06 to the cuik\deps folder.
       For example, c:\cuik\deps\peazip_portable-4.8.1.WINDOWS.zip and c:\cuik\deps\syslinux-4.06.zip.
       You do not need to extract the .zip files. The files need only to be available in the cuik/deps directory.
    3. Insert the USB flash drive into the USB port on your computer.
    4. Verify that the USB flash drive is listed by drive letter and that it is accessible in Microsoft Windows.
    5. Right-click on c:\cuik\cuik.exe, select Run as administrator, and press Enter.
    6. Press 1, select the QRadar ISO file, and click Open.
    7. Press 2 and select the number that corresponds to the drive letter assigned to your USB flash drive.
    8. Press 3 to create the USB flash drive.
    9. Press Enter to confirm that you are aware that the contents of the USB flash drive will be deleted.
    10. Type create to create a bootable USB flash drive from the ISO image. This process takes several minutes.
    11. Press Enter, and then type q to exit the Create_USB_Install_Key tool.
    12. Safely eject the USB flash drive from your computer.

    What to do next

    If your connection to the appliance is a serial connection, see Configuring a flash drive for serial only appliances.

    If your connection to the appliance is keyboard and mouse (VGA), see Installing QRadar with a USB flash drive.

    Creating a bootable USB flash drive with Red Hat Linux

    You can use a Linux desktop or notebook system with Red Hat v6.3 to create a bootable USB flash drive that can be used to install IBM Security QRadar software.

    Before you begin

    Before you can create a bootable USB flash drive with a Linux system, you must have access to the following items:
    - A 8 GB USB flash drive
    - A QRadar V7.2.1 or later ISO image file
    - A Linux system that has the following software installed:
      – Red Hat 6.4
      – Python 6.2 or later

    When you create a bootable USB flash drive, the contents of the flash drive are deleted.

    Procedure
    1. Download the QRadar ISO image file.
       a. Access the IBM Support website (www.ibm.com/support).
       b. Locate the IBM Security QRadar ISO file.
       c. Copy the ISO image file to a /tmp directory on your QRadar appliance.
    2. Update your Linux-based system to include these packages.
       - syslinux
       - mtools
       - dosfstools
       - parted
       For information about the specific package manager for your Linux system, see the vendor documentation.
    3. Log in to your system as the root user.
    4. Insert the USB flash drive in the front USB port on your system.
       It might take up to 30 seconds for the system to recognize the USB flash drive.
    5. Type the following command to mount the ISO image:
       mount -o loop /tmp/ .iso /media/cdrom
    6. Type the following command to copy the USB creation script from the mounted ISO to the /tmp directory.
       cp /media/cdrom/post/create-usb-key.py /tmp/
    7. Type the following command to start the USB creation script:
       /tmp/create-usb-key.py
    8. Press Enter.
    9. Press 1 and type the path to the ISO file. For example,
       /tmp/Rhe664QRadar7_2_4_ .iso
    10. Press 2 and select the drive that contains your USB flash drive.
    11. Press 3 to create your USB key.
        The process of writing the ISO image to your USB flash drive takes several minutes to complete. When the ISO is loaded onto the USB flash drive, a confirmation message is displayed.
    12. Press q to quit the USB key script.
    13. Remove the USB flash drive from your system.

    What to do next

    If your connection to the appliance is a serial connection, see Configuring a flash drive for serial only appliances.

    If your connection to the appliance is keyboard and mouse (VGA), see Installing QRadar with a USB flash drive.
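
A pre-flight check for the Linux procedure above, added here as an example and not part of the IBM guide: because writing the key deletes the contents of the selected drive, it confirms that the ISO exists, that the chosen disk is reported as removable, and that the required packages are present. The command names used to detect the packages (mcopy for mtools, mkfs.vfat for dosfstools), the function names and the SYSFS_ROOT override are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight checks before running create-usb-key.py on Linux.
# SYSFS_ROOT is a hypothetical override so the device check can be exercised
# against a constructed directory tree; it defaults to the real /sys.
SYSFS_ROOT=${SYSFS_ROOT:-/sys}

# missing_tools CMD...
# Prints, one per line, each command that is not found on PATH.
missing_tools() {
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || printf '%s\n' "$t"
    done
}

# is_removable_disk NAME   (NAME is a kernel block device name such as sdb)
# Succeeds only when sysfs flags the whole disk as removable. USB flash
# drives normally report 1 here; internal disks report 0. This guards
# against picking an internal disk in the script's drive menu.
is_removable_disk() {
    flag="$SYSFS_ROOT/block/$1/removable"
    [ -r "$flag" ] && [ "$(cat "$flag")" = "1" ]
}

# usb_preflight ISO DISK [CMD...]
# Prints one line per problem and returns the number of problems found.
usb_preflight() {
    iso=$1
    disk=$2
    shift 2
    # Default: one command per package listed in step 2 (assumed mapping).
    [ $# -gt 0 ] || set -- syslinux mcopy mkfs.vfat parted
    problems=0
    if [ ! -s "$iso" ]; then
        echo "ISO image missing or empty: $iso"
        problems=$((problems + 1))
    fi
    if ! is_removable_disk "$disk"; then
        echo "not a removable disk: $disk"
        problems=$((problems + 1))
    fi
    for t in $(missing_tools "$@"); do
        echo "required command not found: $t"
        problems=$((problems + 1))
    done
    return "$problems"
}
```

Run `usb_preflight /path/to/image.iso sdb` as root before step 7; a non-zero exit status is the number of problems printed.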

    Configuring a USB flash drive for serial-only appliances

    You must complete an extra configuration step before you can use the bootable USB flash drive to install QRadar software on serial-only appliances.

    About this task

    This procedure is not required if you have a keyboard and mouse that is connected to your appliance.

    Procedure
    1. Insert the bootable USB flash drive into the USB port of your appliance.
    2. On your USB flash drive, locate the syslinux.cfg file.
    3. Edit the syslinux configuration file to change the default installation from default linux to default serial.
    4. Save the changes to the syslinux configuration file.

    What to do next

    You are now ready to install QRadar with the USB flash drive.
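
One way to script the syslinux.cfg change from the procedure above, as an added example that is not IBM tooling: it refuses to switch the default unless a serial entry exists in the file, keeps a copy of the original, and is safe to run twice. The function name, the return codes and the .orig backup suffix are choices of this example.

```shell
#!/bin/sh
# Added example: switch a bootable install key to the serial console entry
# by changing "default linux" to "default serial" in syslinux.cfg.

# set_serial_default CFG
# Returns 0 if CFG now selects "default serial" (changed or already set),
#         1 if CFG is missing, unreadable, or could not be written,
#         2 if CFG has no "label serial" entry to point the default at,
#         3 if CFG has no "default linux" line to change.
set_serial_default() {
    cfg=$1
    [ -f "$cfg" ] && [ -r "$cfg" ] || return 1

    # The new default must name an entry that exists in the file.
    grep -Eiq '^[[:space:]]*label[[:space:]]+serial[[:space:]]*$' "$cfg" \
        || return 2

    # Already configured: leave the file untouched.
    if grep -Eiq '^[[:space:]]*default[[:space:]]+serial[[:space:]]*$' "$cfg"
    then
        return 0
    fi

    grep -Eiq '^[[:space:]]*default[[:space:]]+linux[[:space:]]*$' "$cfg" \
        || return 3

    # Keep the original beside the edited file so the change can be reverted.
    cp "$cfg" "$cfg.orig" || return 1

    # Rewrite only the "default linux" line. Trailing whitespace (including
    # a carriage return on CRLF files) is preserved via the \1 group.
    sed 's/^[[:space:]]*[Dd][Ee][Ff][Aa][Uu][Ll][Tt][[:space:]]\{1,\}[Ll][Ii][Nn][Uu][Xx]\([[:space:]]*\)$/default serial\1/' \
        "$cfg.orig" > "$cfg.tmp" || return 1
    mv "$cfg.tmp" "$cfg" || return 1

    # Confirm the result rather than assuming the rewrite took effect.
    grep -Eiq '^[[:space:]]*default[[:space:]]+serial[[:space:]]*$' "$cfg"
}
```

Call it with the path of syslinux.cfg on the mounted USB flash drive; to revert, copy syslinux.cfg.orig back over syslinux.cfg.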

    Installing QRadar with a USB flash drive

    Follow this procedure to install QRadar from a bootable USB flash drive.

    Before you begin

    You must create the bootable USB flash drive before you can use it to install QRadar software.

    About this task

    This procedure provides general guidance on how to use a bootable USB flash drive to install QRadar software.

    The complete installation process is documented in the product Installation Guide.

    Procedure
    1. Install all necessary hardware.
    2. Choose one of the following options:
       - Connect a notebook to the serial port at the back of the appliance.
       - Connect a keyboard and monitor to their respective ports.
    3. Insert the bootable USB flash drive into the USB port of your appliance.
    4. Restart the appliance.
       Most appliances can boot from a USB flash drive by default. If you are installing QRadar software on your own hardware, you might have to set the device boot order to prioritize USB.
       After the appliance starts, the USB flash drive prepares the appliance for installation. This process can take up to an hour to complete.
    5. When the Red Hat Enterprise Linux menu is displayed, select one of the following options:
       - If you connected a keyboard and monitor, select Install or upgrade using VGA console.
       - If you connected a notebook with a serial connection, select Install or upgrade using Serial console.
    6. Type SETUP to begin the installation.
    7. When the login prompt is displayed, type root to log in to the system as the root user.
       The user name is case-sensitive.
    8. Press Enter and follow the prompts to install QRadar.
       The complete installation process is documented in the product Installation Guide.

    Upgrading your FIPS-compliant appliance to QRadar 7.2.4

    Upgrade a FIPS-compliant appliance from a previous release of IBM Security QRadar to QRadar 7.2.4 to have the latest features.

    About this task

    See Upgrading your FIPS-compliant appliance to QRadar 7.2.4 (https://ibm.com/support/docview.wss?uid=swg27045005).


    Chapter 2. Installing a QRadar Console or managed host

    Install IBM Security QRadar Console or a managed host on the QRadar appliance or on your own appliance.

    Software versions for all IBM Security QRadar appliances in a deployment must be the same version and fix level. Deployments that use different versions of software are not supported.

    Before you begin

    Ensure that the following requirements are met:
    - The required hardware is installed.
    - For QRadar appliances, a notebook is connected to the serial port on the back of the appliance, or a keyboard and monitor are connected.
    - You are logged in as the root user.
    - The activation key is available.

    If you use a notebook to connect to the system, you must use a terminal program, such as HyperTerminal. Ensure that you set the Connect Using option to the appropriate COM port of the serial connector. Ensure that you also set the following properties:

    Table 4. Terminal connection properties

    Property          Setting
    Bits per second   9600
    Stop Bits         1
    Data bits         8
    Parity            None

    Procedure
    1. If you are using your own appliance, mount the QRadar ISO image:
       a. Create the /media/cdrom directory by typing the following command:
          mkdir /media/cdrom
       b. Obtain the QRadar software.
       c. Mount the QRadar ISO image by typing the following command:
          mount -o loop <path_to_the_QRadar_ISO> /media/cdrom
       d. To begin the installation, type the following command:
          /media/cdrom/setup
    2. Accept the End User License Agreement (EULA).
       Tip: Press the Spacebar key to advance through the document.
       If you are installing QRadar on your own appliance, you are prompted to continue the installation. This process might take up to several hours.
    3. When you are prompted for the activation key, enter the 24-digit, 4-part, alphanumeric string that you received from IBM.


       The letter I and the number 1 (one) are treated the same. The letter O and the number 0 (zero) are also treated the same.
    4. For the type of setup, select normal.
    5. Select the IP address type:
       - Select Yes to auto-configure QRadar for IPv6.
       - Select No to manually configure an IP address for QRadar for IPv4 or IPv6.
    6. In the wizard, enter a fully qualified domain name in the Hostname field.
    7. In the IP address field, enter a static IP address, or use the assigned IP address.
       Important: If you are configuring this host as a primary host for a high availability (HA) cluster, and you selected Yes for auto-configure, you must record the automatically-generated IP address. The generated IP address is entered during HA configuration.
       For more information, see the IBM Security QRadar High Availability Guide.
    8. If you do not have an email server, enter localhost in the Email server name field.
    9. Click Finish.
    10. In the Root password field, create a password that meets the following criteria:
        - Contains at least 5 characters
        - Contains no spaces
        - Can include the following special characters: @, #, ^, and *.
    11. Follow the instructions in the installation wizard to complete the installation.
        The installation process might take several minutes.
    12. Apply your license key.
        a. Log in to QRadar:
           https://IP_Address_QRadar
           The default Username is admin. The Password is the password of the root user account.
        b. Click the login.
        c. Click the Admin tab.
        d. In the navigation pane, click System Configuration.
        e. Click the System and License Management icon.
        f. From the Display list box, select Licenses, and upload your license key.
        g. Select the unallocated license and click Allocate System to License.
        h. From the list of licenses, select a license, and click Allocate License to System.

    Enabling FIPS mode

    Use the command line interface to enable FIPS mode on your IBM Security QRadar appliance.


    About this task

    When you enable FIPS mode on a QRadar appliance, command-line interface access is restricted to the admin role or crypto user accounts. These accounts are created when you enable FIPS mode for QRadar. SSH access is restricted to the FIPS admin and crypto user accounts.

    You must enable FIPS in the following order for your appliances:
    1. Managed Hosts
    2. QRadar Console

    Procedure
    1. Use SSH to log in to QRadar as a root user.
    2. Enter the following command:
       /opt/qradar/fips/setup/fips_setup.py --enable
       If any required cryptographic files are missing, the output alerts you to the missing files.
    3. Type Yes to enable FIPS mode.
    4. Enter a password for the crypto user account. The password must meet the following criteria:
       - Contain at least 6 characters.
       - Include one special character such as a period, comma, $, !, %, ^, or *.
    5. Re-enter the crypto password to confirm.
    6. Enter a password for the admin user account. The password must meet the following criteria:
       - Contain at least 6 characters.
       - Include one special character such as a period, comma, $, !, %, ^, or *.
    7. Re-enter the admin password to confirm.
    8. Type reboot to restart your QRadar appliance.
       After the appliance restarts services, FIPS mode is enabled.
       Repeat this process to enable FIPS mode on each additional managed host in your deployment. The QRadar Console is the final appliance that you enable in FIPS mode.

    What to do next

    You are now ready to disable automatic updates on your FIPS appliances. For more information, see “Disabling automatic updates.”

    Disabling automatic updates

    To prevent your system from automatically installing software updates, you must disable software updates on your IBM Security QRadar Console.

    About this task

    The FIPS specification requires that you install FIPS-certified and tested software. However, Device Support Modules (DSMs), protocols, and scanner updates are allowed.


    The QRadar Console is responsible for downloading and providing updates to managed hosts in your deployment. You need to complete this procedure on only your Console.

    Procedure
    1. Open your web browser.
    2. Log in to QRadar:
       https://<IP address>
       Username: admin
       Password: <password>
       Where <IP address> is the IP address of the QRadar Console.
    3. Click Log in To QRadar.
       A default license key provides you access to QRadar for five weeks. For more information about updating your license key, see the IBM Security QRadar Administration Guide.
    4. Click the Admin tab.
    5. On the navigation menu, click System Configuration.
    6. Click the Auto Update icon.
    7. On the navigation menu, click Change Settings.
    8. From the Major Updates list box, select Disable.
    9. From the Minor Updates list box, select Disable.
    10. Click Save.
        The installation process is complete. You are now ready to use your QRadar appliance with FIPS enabled.


    Chapter 3. FIPS shell commands

    You can use SSH to connect to an IBM Security QRadar FIPS appliance as the crypto or admin user who has special account permissions.

    Using crypto account shell commands

    You can use crypto user accounts and the commands that are applied to this account to perform administrative tasks and to maintain FIPS appliances.

    About this task

    The crypto user account is provided to security officers in your organization. A crypto user can disable FIPS mode on an IBM Security QRadar appliance.

    Crypto user accounts can enable FIPS mode, verify FIPS status on an appliance, or disable FIPS mode by using shell commands. Crypto users are also allowed all of the commands provided to admin users for QRadar maintenance.

    Procedure
    1. Use SSH to log in to QRadar as the FIPS crypto user.
       Username: crypto
       Password: <password>
    2. Enter one of the following admin commands:

    Table 5. Supported FIPS crypto commands

    Command           Description
    commit            Apply any changes made to a system file of your FIPS enabled system.
                      The commit command includes the following options:
                      --list - The list option displays any system files that have been changed by the crypto user.
                      --changes <file> - Displays a list of differences in the file made by an admin of a FIPS enabled appliance.
                      --check - Verifies the list of files that are permitted for changes.
                      --allowed - Displays a list of system files that are allowed changes by an administrator of a FIPS enabled appliance.
                      --force - Allows an administrator to force a file change for files on the allowed list. Files not on the allowed file list are skipped.
                      --revert - Discards changes made to a specified file.
    deploy            Starts a full deploy on a FIPS enabled appliance. This command restarts services on your appliance.
                      Event and flow collection is stopped until the deploy process completes.
    disable_fips      Disables FIPS mode on an appliance. This process restarts a number of services and requires a reboot of the appliance.
    fips_self_check   Displays the status of the operating system, required RPM files, log settings, and FIPS mode in the command line.
    get_logs          Collects system data for your FIPS appliance.
    mod_log4j         Modifies log sources by using the command-line interface of a FIPS enabled appliance.
    reboot            Restarts a FIPS enabled appliance.
    service           Changes the status of a service on your QRadar appliance.
                      For a list of services that can be restarted by the crypto user, type service --list.
    shell             Accesses a command-line shell for viewing and editing files.
    shutdown          Powers off a FIPS enabled appliance.
    help <command>    Displays the help interface for a specific admin or crypto FIPS command.
                      <command> is any crypto user command in this table.
    exit              Log out of the crypto user account.

    Using admin account shell commands

    You can use the admin user accounts and the shell commands for administrative tasks and maintenance tasks.

    About this task

    Grant the admin user role only to administrators that maintain and support the FIPS appliances in your organization.

    Admin user accounts cannot disable FIPS mode, verify FIPS mode, or enable FIPS mode. Admin users can use a specific set of command line options to maintain a FIPS enabled system.

    Procedure
    1. Use SSH to log in to IBM Security QRadar as the FIPS admin user.
    2. Enter one of the following admin commands:


    Table 6. Supported FIPS admin commands

    Command           Description
    commit            Apply any changes that are made to the system files of your FIPS enabled system.
                      The commit command includes the following options:
                      --list - Displays any system files that are changed by the admin user.
                      --changes <file> - Displays a list of differences in the file made by an admin of a FIPS enabled appliance.
                      --check - Verifies the list of files that are permitted for changes.
                      --allowed - Displays a list of system files that are allowed changes by an administrator of a FIPS enabled appliance.
                      --force - Forces a file change for files on the allowed list. Files not on the allowed file list are skipped.
                      --revert - Discards changes made to a specified file.
    deploy            Starts a full deployment on a FIPS enabled appliance.
    get_logs          Collects system data for your FIPS appliance.
    mod_log4j         Modifies log sources by using the command-line interface of a FIPS enabled appliance.
    reboot            Restarts a FIPS enabled appliance.
    shell             Accesses a command line shell for viewing and editing files.
    shutdown          Powers off a FIPS enabled appliance.
    help              Displays a list of commands that are available to an admin user.
    exit              Logs out the admin user account.


    Chapter 4. FIPS use cases

    Common tasks that a crypto or admin user might be required to perform on FIPS-enabled appliances include using the command line to verify enablement, restarting a service, and adding a managed host.

    FIPS self-check

    You can use the command-line interface to verify whether FIPS is enabled on your appliance.

    Procedure
    1. Use SSH to log in to IBM Security QRadar as the crypto user.
    2. Type fips_self_check.
       The output displays the status of your FIPS appliance.

    Verifying Operating System ... (OK)
    Verifying installed RPMs:
     - kernel ... (OK)
     - dracut-fips ... (OK)
     - libgcrypt ... (OK)
     - openssl ... (OK)
     - nss ... (OK)
     - fipscheck-lib ... (OK)
    Verifying Ariel Log Hashing Setting ... (OK)
    FIPS mode: ON
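
    The following is an added example, not part of the IBM guide: a shell function that reads captured fips_self_check output, in the format shown above, and reports any check that is not (OK) or a FIPS mode that is not ON. The function name, the sample reports, and the (MISSING) and OFF values in the failing sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): evaluate captured fips_self_check output.
# check_fips_report is a hypothetical helper; it assumes the report keeps
# the "<item> ... (<status>)" and "FIPS mode: <state>" layout shown above.

# Reads a report on stdin and prints one line per problem.
# Returns 0 only if every check is (OK) and FIPS mode is ON.
check_fips_report() {
    awk '
        # A result line ends with "... (STATUS)".
        /\.\.\. *\([^)]*\)[ \t]*$/ {
            checks++
            if ($0 !~ /\(OK\)[ \t]*$/) {
                sub(/^[ \t]*-?[ \t]*/, "")   # strip the list marker
                print "FAILED CHECK: " $0
                bad++
            }
        }
        /^FIPS mode:/ {
            seen_mode = 1
            if ($3 != "ON") { print "FIPS MODE: " $3; bad++ }
        }
        END {
            # An empty or truncated capture must not pass silently.
            if (checks == 0) { print "NO CHECKS FOUND"; bad++ }
            if (!seen_mode)  { print "FIPS MODE LINE MISSING"; bad++ }
            exit (bad > 0)
        }
    '
}

# Constructed sample: a passing report modelled on the output in this guide.
SAMPLE_PASS='Verifying Operating System ... (OK)
Verifying installed RPMs:
 - kernel ... (OK)
 - dracut-fips ... (OK)
 - libgcrypt ... (OK)
 - openssl ... (OK)
 - nss ... (OK)
 - fipscheck-lib ... (OK)
Verifying Ariel Log Hashing Setting ... (OK)
FIPS mode: ON'

# Constructed sample: the failure wording is an assumption; the function
# treats any status other than (OK) or ON as a problem.
SAMPLE_FAIL='Verifying Operating System ... (OK)
Verifying installed RPMs:
 - kernel ... (OK)
 - dracut-fips ... (MISSING)
 - openssl ... (OK)
Verifying Ariel Log Hashing Setting ... (OK)
FIPS mode: OFF'
```

    Feed the function a saved copy of the command output from each managed host and from the Console; a non-zero return marks an appliance to investigate.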

    Disabling FIPS

    You can use the command-line interface and crypto user account to disable FIPS mode on an IBM Security QRadar appliance.

    About this task

    FIPS mode must be disabled in the following order:
    1. Managed hosts
    2. QRadar Console

    Procedure
    1. Use SSH to log in to the QRadar FIPS appliance as a crypto user.
    2. Enter the following command:
       disable_fips
    3. Type Yes to disable FIPS mode.
    4. Type reboot to restart your QRadar appliance.
       After the appliance restarts services, FIPS mode is disabled. To disable FIPS mode, repeat this process on each additional appliance that is added to the Console as a managed host.

    Restarting a service when FIPS is enabled

    Use SSH to restart, stop, or start a service when FIPS is enabled with the following instructions.


    Procedure
    1. Use SSH to log in to IBM Security QRadar as the FIPS crypto user.
    2. Type service --list.
    3. Type service, followed by the service name and the action (restart, stop, or start).
       Example: In the following example, the Tomcat server is restarted.
       service tomcat restart
    4. Type exit to log out of the shell command line interface.

    Editing a configuration file with FIPS enabled

    You can edit the application mapping file to ensure that traffic is appropriately classified in the IBM Security QRadar user interface. Any extra entries that you add to the mapping file override the default application IDs.

    About this task

    This use case is intended to show an administrator how to edit a default application ID when FIPS is enabled.

    Procedure
    1. Use SSH to log in to QRadar as the FIPS admin or crypto user.
    2. Type shell.
    3. Enter edit, followed by the file path, to start editing a system configuration file.
       Example: In the following example, the apps.conf is edited.
       edit /store/configservices/staging/globalconfig/apps.conf
    4. Save your changes.
    5. Type exit to exit the command shell.
    6. Type commit --changes, followed by the file path, to view the changes that are made to your configuration file.
       Example: In the following example, changes to the apps.conf file are viewed.
       commit --changes /store/configservices/staging/globalconfig/apps.conf
    7. Type commit to apply the configuration file changes to your FIPS enabled appliance.
       The file is updated on your FIPS appliance when you see the following message.
       Committed changes for /store/configservices/staging/globalconfig/apps.conf \

    Adding a managed host to a FIPS deployment

    To add a new managed host to your FIPS deployment, you must disable FIPS in your deployment, add the managed host, and re-enable FIPS mode.

    Procedure
    1. Log in as the crypto user and disable FIPS mode on all appliances in your deployment by typing the following command:
       disable_fips


       You must disable FIPS mode in the following order:
       - Managed hosts
       - IBM Security QRadar Console
    2. Log in to your QRadar Console user interface as the admin user.
    3. On the Admin tab, click Deployment Editor.
    4. From the menu, select Actions > Add a Managed Host.
    5. Click Next.
    6. Enter values for the parameters.
       If you selected the Host is NATed check box, the Configure NAT Settings page is displayed. Go to “Adding a managed host to a FIPS deployment” on page 22. Otherwise, go to “Adding a managed host to a FIPS deployment” on page 22.
    7. To select a NAT network, enter values for the following parameters:
       - Enter public IP of the server or appliance to add - The managed host uses the public IP address to communicate with managed hosts in different networks that use NAT.
       - Select NATed network - From the list box, select the network that you want this managed host to use.
         If the managed host is on the same subnet as the Console, select the console of the NATed network.
         If the managed host is not on the same subnet as the Console, select the managed host of the NATed network.
       Note: For information about managing your NATed networks, see the QRadar Administration Guide.
    8. Click Next.
    9. Click Finish.
       A system message informs you that the deployment editor is adding the managed host. When this process is complete, you are returned to the Admin tab.
    10. On the Admin tab menu, click Deploy Changes.
    11. Use SSH to log in to your QRadar appliances as the crypto user.
        a. Type the following command to enable FIPS mode:
           /opt/qradar/fips/setup/fips_setup.py --enable
           You must enable FIPS mode in the following order:
           - Managed hosts
           - QRadar Console
        b. Enter Yes to enable FIPS mode.
        c. Type a password for the crypto user account.
           The password must contain at least one special character, such as a period, comma, $, !, %, ^, or *.
        d. Re-enter the crypto password to confirm.
        e. Enter a password for the admin user role.
           The password must contain at least one special character, such as a period, comma, $, !, %, ^, or *.
        f. Re-enter the admin password to confirm.
        g. Type reboot to restart your QRadar appliance.


           After the appliance restarts services, FIPS mode is enabled. The configuration is complete.


    Chapter 5. Network settings management

    Use the qchange_netsetup script to change the network settings of your IBM Security QRadar system. Configurable network settings include host name, IP address, network mask, gateway, DNS addresses, public IP address, and email server.

    If you must disable FIPS mode, see “Disabling automatic updates” on page 15.

    Changing the network settings in an all-in-one system

    You can change the network settings in your all-in-one system. An all-in-one system has all IBM Security QRadar components that are installed on one system.

    Before you begin

    You must have a local connection to your QRadar Console.

    Procedure
    1. Log in as the root user.
    2. Type the following command:
       qchange_netsetup
    3. Follow the instructions in the wizard to complete the configuration.
       The following table contains descriptions and notes to help you configure the network settings.

    Table 7. Description of network settings for an all-in-one QRadar Console

    Network Setting                          Description
    Host name                                Fully qualified domain name
    Secondary DNS server address             Optional
    Public IP address for networks that      Optional
    use Network Address Translation (NAT)    Used to access the server, usually from a different network or the Internet.
                                             Configured by using Network Address Translation (NAT) services on your network or firewall settings on your network. (NAT translates an IP address in one network to a different IP address in another network.)
    Email server name                        If you do not have an email server, use localhost.

    A series of messages are displayed as QRadar processes the requested changes. After the requested changes are processed, the QRadar system is automatically shut down and restarted.


    Changing the network settings of a QRadar Console in a multi-system deployment

    To change the network settings in a multi-system IBM Security QRadar deployment, remove all managed hosts, change the network settings, add the managed hosts again, and then reassign the component.

    Procedure
    1. To remove managed hosts, log in to QRadar:
       https://IP_Address_QRadar
       The Username is admin.
       a. Click the Admin tab.
       b. Click the Deployment Editor icon.
       c. In the Deployment Editor window, click the System View tab.
       d. For each managed host in your deployment, right-click the managed host and select Remove host.
       e. On the Admin tab, click Deploy Changes.
    2. To change network settings on the QRadar Console, use SSH to log in to QRadar as the root user.
       The user name is root.
       a. Type the following command: qchange_netsetup.
       b. Follow the instructions in the wizard to complete the configuration.
          The following table contains descriptions and notes to help you configure the network settings.

    Table 8. Description of network settings for a multi-system QRadar Console deployment

    Network Setting                          Description
    Host name                                Fully qualified domain name
    Secondary DNS server address             Optional
    Public IP address for networks that      Optional
    use Network Address Translation (NAT)    Used to access the server, usually from a different network or the Internet.
                                             Configured by using Network Address Translation (NAT) services on your network or firewall settings on your network. (NAT translates an IP address in one network to a different IP address in another network.)
    Email server name                        If you do not have an email server, use localhost.

       After you configure the installation parameters, a series of messages are displayed. The installation process might take several minutes.
    3. To re-add and reassign the managed hosts, log in to QRadar.
       https://IP_Address_QRadar
       The Username is admin.
       a. Click the Admin tab.
       b. Click the Deployment Editor icon.
       c. In the Deployment Editor window, click the System View tab.


       d. Click Actions > Add a managed host.
       e. Follow the instructions in the wizard to add a host.
          Select the Host is NATed option to configure a public IP address for the server. This IP address is a secondary IP address that is used to access the server, usually from a different network or the Internet. The Public IP address is often configured by using Network Address Translation (NAT) services on your network or firewall settings on your network. NAT translates an IP address in one network to a different IP address in another network.
    4. Reassign all components that are not your QRadar Console to your managed hosts.
       a. In the Deployment Editor window, click the Event View tab, and select the component that you want to reassign to the managed host.
       b. Click Actions > Assign.
       c. From the Select a host list, select the host that you want to reassign to this component.
       d. On the Admin tab, click Deploy Changes.

    Updating network settings after a NIC replacement

    If you replace your integrated system board or stand-alone Network Interface Cards (NICs), you must update your IBM Security QRadar network settings to ensure that your hardware remains operational.

    About this task

    The network settings file contains one pair of lines for each NIC that is installed and one pair of lines for each NIC that was removed. You must remove the lines for the NIC that you removed and then rename the NIC that you installed.

    Your network settings file might resemble the following example, where NAME="eth0" is the NIC that was replaced and NAME="eth4" is the NIC that was installed.

    # PCI device 0x14e4:0x163b (bnx2)
    SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="78:2a:cb:23:1a:2f", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

    # PCI device 0x14e4:0x163b (bnx2)
    SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="78:2a:cb:23:1a:2f", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

    # PCI device 0x14e4:0x163b (bnx2)
    SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="78:2a:cb:23:1a:2f", ATTR{type}=="1", KERNEL=="eth*", NAME="eth4"

    # PCI device 0x14e4:0x163b (bnx2)
    SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="78:2a:cb:23:1a:2f", ATTR{type}=="1", KERNEL=="eth*", NAME="eth4"

    Procedure
    1. Use SSH to log in to the IBM Security QRadar product as the root user.
       The user name is root.


    2. Type the following command:
       cd /etc/udev/rules.d/
    3. To edit the network settings file, type the following command:
       vi 70-persistent-net.rules
    4. Remove the pair of lines for the NIC that was replaced: NAME="eth0".
    5. Rename the NAME= values for the newly installed NIC.
       Example: Rename NAME="eth4" to NAME="eth0".
    6. Save and close the file.
    7. Type the following command: reboot.
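
    The edit in steps 4 and 5, as an added example that is not part of the IBM guide: a filter that drops the rule (and the comment above it) for the replaced NIC and renames the installed NIC, plus a wrapper that keeps a backup and refuses to write unless both changes were made. The function names are hypothetical, and the sample rules use constructed MAC addresses.

```shell
#!/bin/sh
# Added example (not IBM code): apply the NIC-replacement edit to a
# 70-persistent-net.rules file. Function names are hypothetical.

# Filter: reads rules on stdin, writes the edited rules on stdout.
#   $1 = interface name of the NIC that was replaced (for example eth0)
#   $2 = interface name given to the newly installed NIC (for example eth4)
# Drops each rule for $1 together with the comment line above it, then
# renames $2 to $1. Exits non-zero unless both actions happened.
rewrite_nic_rules() {
    awk -v old="$1" -v new="$2" '
        # Hold a comment until we know whether the rule under it survives.
        /^[ \t]*#/ { if (held != "") print held; held = $0; next }
        {
            is_net = ($0 ~ /SUBSYSTEM=="net"/)
            if (is_net && index($0, "NAME=\"" old "\"") > 0) {
                held = ""; dropped++; next      # drop comment and rule
            }
            if (held != "") { print held; held = "" }
            at = index($0, "NAME=\"" new "\"")
            if (is_net && at > 0) {
                head = substr($0, 1, at - 1)
                tail = substr($0, at + length(new) + 7)
                $0 = head "NAME=\"" old "\"" tail
                renamed++
            }
            print
        }
        END {
            if (held != "") print held
            exit (dropped == 0 || renamed == 0)
        }
    '
}

# Edits the file in place and keeps the original as FILE.bak.
#   $1 = rules file, $2 = replaced NIC name, $3 = installed NIC name
# udev reads only files that end in .rules, so the backup is ignored.
apply_nic_rename() {
    rules=$1
    tmp="$rules.tmp.$$"
    if rewrite_nic_rules "$2" "$3" < "$rules" > "$tmp"; then
        cp -p "$rules" "$rules.bak" && cat "$tmp" > "$rules"
        status=$?
    else
        echo "unchanged: need rules for both $2 and $3 in $rules" >&2
        status=1
    fi
    rm -f "$tmp"
    return "$status"
}

# Constructed sample rules; the MAC addresses are placeholders.
SAMPLE_RULES='# PCI device 0x14e4:0x163b (bnx2)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:00:5e:00:53:00", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x14e4:0x163b (bnx2)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:00:5e:00:53:01", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"

# PCI device 0x14e4:0x163b (bnx2)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:00:5e:00:53:04", ATTR{type}=="1", KERNEL=="eth*", NAME="eth4"'
```

    On an appliance the call would be apply_nic_rename /etc/udev/rules.d/70-persistent-net.rules eth0 eth4, run as the root user and followed by the reboot in step 7.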


    Notices

    This information was developed for products and services offered in the U.S.A.

    IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

    IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

    IBM Director of Licensing
    IBM Corporation
    North Castle Drive
    Armonk, NY 10504-1785 U.S.A.

    For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

    Intellectual Property Licensing
    Legal and Intellectual Property Law
    IBM Japan Ltd.
    19-21, Nihonbashi-Hakozakicho, Chuo-ku
    Tokyo 103-8510, Japan

    The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

    INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

    This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

    Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.


    IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

    Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

    IBM Corporation
    170 Tracer Lane,
    Waltham MA 02451, USA

    Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

    The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

    Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

    Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products.

    Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

    All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

    All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

    This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

    If you are viewing this information softcopy, the photographs and color illustrations may not appear.

    Trademarks

    IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols


    indicate U.S. registered or common law trademarks owned by IBM at the time thisinformation was published. Such trademarks may also be registered or commonlaw trademarks in other countries. A current list of IBM trademarks is available onthe Web at Copyright and trademark information (www.ibm.com/legal/copytrade.shtml).

    The following terms are trademarks or registered trademarks of other companies:

    Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.

    Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

    Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

    Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

    Other company, product, and service names may be trademarks or service marks of others.

    Privacy policy considerations

    IBM Software products, including software as a service solutions, (“Software Offerings”) may use cookies or other technologies to collect product usage information, to help improve the end user experience, to tailor interactions with the end user or for other purposes. In many cases no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering’s use of cookies is set forth below.

    Depending upon the configurations deployed, this Software Offering may use session cookies that collect each user’s session id for purposes of session management and authentication. These cookies can be disabled, but disabling them will also eliminate the functionality they enable.

    If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

    For more information about the use of various technologies, including cookies, for these purposes, see IBM’s Privacy Policy at http://www.ibm.com/privacy and IBM’s Online Privacy Statement at http://www.ibm.com/privacy/details, in the section entitled “Cookies, Web Beacons and Other Technologies”, and the “IBM Software Products and Software-as-a-Service Privacy Statement” at http://www.ibm.com/software/info/product-privacy.


    Index

    Numerics
    140-2 1

    A
    activation keys
        description 1
    admin account shell commands 18
    appliance restrictions 1
    architecture
        components 3

    B
    browser mode
        Internet Explorer web browser 6

    C
    components
        description 3
    Console
        components 3
        installing 13
    crypto account shell commands 17
    Cryptographic Module Validation Program (CMVP) 1
    Cryptographic Security Kernel 1
    customer support
        contact information v

    D
    disable automatic updates 15
    document mode
        Internet Explorer web browser 6
    documentation
        technical library v

    E
    enable FIPS mode 15

    F
    FIPS
        add managed host 22
        disable FIPS mode 21
        disabling 21
        edit configuration file 22
        restart service 22
        self-check 21

    G
    general requirements 1

    I
    installing
        managed host 13
        QRadar Console 13
        using USB flash drive 6
    Integrated Management Module
        See also Integrated Management Module
        overview 3

    L
    license keys
        description 1

    M
    Magistrate
        component description 3
    managed hosts
        installing 13

    N
    network administrator
        description v
    network settings
        all-in-one Console 25
        changing 25
        multi-system deployment 26
        NIC replacements 27

    P
    preparing
        installation 21

    Q
    QRadar Console
        installing 13
    QRadar QFlow Collector
        component description 3

    S
    software requirements
        description 4

    T
    technical library
        location v

    U
    USB flash drive installations 6
        creating a bootable USB drive 7
        installing 11
        with Microsoft Windows 8
        with Red Hat Linux 9
        with serial-only appliances 10
    use cases 21

    V
    verify FIPS mode 21

    W
    web browser
        supported versions 5