Key takeaways

  • Covers installation prerequisites, SSL setup, licensing, and validation.
  • Includes QRadar integration checks, upgrade guidance, and rollback basics.
  • Adds administrator command snippets for base URL, certificates, services, and health checks.

Overview

This writeup is adapted from the public repository yamangit/Qradar-SOAR-SOP and turns the SOP into a readable web article for DevSecurityHub. It is aimed at authorized administrators deploying IBM QRadar SOAR in enterprise environments and wanting one operational reference for setup and ongoing maintenance.

Responsible Use And Scope

This SOP is intended for authorized enterprise administrators. Run commands only on QRadar SOAR appliances and integrations that belong to your organization or lab. Replace all placeholder domains, certificate names, and account values before execution, and follow your internal change-management process.

Installation prerequisites

  • SOAR Version: 51.0.6.2.23
  • Deployment Type: Virtual Appliance (OVA)
  • Files: soar-51.0.6.2.23.run or ova
  • SSL materials: RootCA.pem, cert.pem, key.pem, Intermediate.pem
  • Required ports: 443, 65000, 65001
  • FQDN format: soar.<yourdomain>
  • License file: License.txt

Important: replace placeholder values such as <yourdomain> with environment-specific values before execution.

Deployment Flow

flowchart LR
    prereq["Validate prerequisites"] --> base["Set base URL"]
    base --> ssl["Import SSL materials"]
    ssl --> services["Restart resilient services"]
    services --> org["Create organization and admin"]
    org --> qradar["Trust QRadar certificate"]
    qradar --> license["Import and verify license"]
    license --> validate["Run operational validation"]

Base configuration and SSL setup

Set the platform base URL:

sudo resutil configset -baseurl 'https://soar.<yourdomain>'
sudo resutil configget -baseurl

Convert certificates into PKCS12 and import them into the SOAR keystore:

sudo openssl pkcs12 -export -out cert.p12 -inkey key.pem -in cert.pem -certfile RootCA.pem
sudo keytool -importkeystore -srckeystore cert.p12 -srcstoretype pkcs12 -srcalias 1 \
-destkeystore keystore -destalias co3 \
-deststorepass "$(sudo resutil keyvaultget -name keystore)" \
-destkeypass "$(sudo resutil keyvaultget -name keystore)"

Back up and replace the active keystore:

sudo cp /crypt/certs/keystore /crypt/certs/keystore.save
sudo cp keystore /crypt/certs/keystore

Hostname, timezone, and services

Apply the hostname and timezone, then restart the core services:

sudo hostnamectl set-hostname soar.<yourdomain>
sudo timedatectl set-timezone Asia/Kathmandu
sudo systemctl restart resilient resilient-messaging

Create the initial organization and admin user:

sudo resutil newuser -createorg -email "your_name@yourdomain" \
-first "<First_Name>" -last "<Last_Name>" -org "<Your_Organization>"

QRadar certificate trust and integration

Export the QRadar certificate, back up the custom trust store (/crypt/certs/custcerts is a Java keystore file, not a directory, so the PEM must not be copied over it), and import the certificate into that keystore:

openssl s_client -connect <qradar_domain>:443 -tls1_2 -showcerts </dev/null 2>/dev/null | \
openssl x509 -outform PEM > qradar.pem

sudo cp /crypt/certs/custcerts /crypt/certs/custcerts.save
sudo keytool -importcert -trustcacerts -file qradar.pem -alias <qradar_domain> -keystore /crypt/certs/custcerts
sudo systemctl restart resilient resilient-messaging

Suggested QRadar integration checks:

  • QRadar API token is created
  • Network connectivity on port 443 is open
  • QRadar certificate has been imported successfully
  • Connection test succeeds in the SOAR integration UI
  • Offenses and artifacts are ingested as expected

sequenceDiagram
    participant Admin as SOAR Admin
    participant SOAR as QRadar SOAR
    participant Trust as Custom Trust Store
    participant QRadar as QRadar
    Admin->>QRadar: Export HTTPS certificate
    Admin->>Trust: Import QRadar certificate
    Admin->>SOAR: Restart resilient services
    SOAR->>QRadar: Test API connection over HTTPS
    QRadar-->>SOAR: Return offenses and artifacts
    SOAR-->>Admin: Integration validation result
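The "certificate has been imported successfully" check above is worth doing by fingerprint rather than by eye. The script below is an added example, not code from the yamangit/Qradar-SOAR-SOP repository or from IBM: it compares the SHA-256 fingerprint of the saved qradar.pem with the certificate the QRadar host presents right now and with the entry stored in the custom trust store. It assumes the trust-store password is passed in as an argument (the SSL section shows how resutil keyvaultget retrieves vault values) and that the alias is the one used at import.

```shell
#!/bin/bash
# Added example (not part of yamangit/Qradar-SOAR-SOP): verify that the saved
# qradar.pem, the live QRadar certificate and the custom trust store entry all
# carry the same SHA-256 fingerprint before relying on the integration.
# Assumed: keystore password supplied as $4; alias $3 is the one used at import.
set -u

# Normalise an openssl "Fingerprint=AB:CD:..." line to lowercase hex, no colons.
fp_normalise() { sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'; }

pem_fingerprint() {  # $1 = PEM certificate file
    openssl x509 -in "$1" -noout -fingerprint -sha256 | fp_normalise
}

live_fingerprint() {  # $1 = host, $2 = port; leaf certificate presented now
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | fp_normalise
}

truststore_fingerprint() {  # $1 = keystore, $2 = alias, $3 = store password
    keytool -list -rfc -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | fp_normalise
}

# 0 only when both values are 64 lowercase hex characters and identical.
fingerprints_match() {  # $1, $2 = normalised fingerprints
    case "$1" in *[!0-9a-f]*|'') return 1;; esac
    [ ${#1} -eq 64 ] && [ "$1" = "$2" ]
}

verify_qradar_trust() {  # $1 = qradar fqdn, $2 = saved pem, $3 = alias, $4 = store password
    local saved live stored
    saved=$(pem_fingerprint "$2")
    live=$(live_fingerprint "$1" 443)
    stored=$(truststore_fingerprint /crypt/certs/custcerts "$3" "$4")
    fingerprints_match "$saved" "$live"   || { echo "MISMATCH: $2 differs from live cert on $1"; return 1; }
    fingerprints_match "$saved" "$stored" || { echo "MISMATCH: trust store alias $3 differs from $2"; return 1; }
    echo "OK: $1 leaf certificate $saved is the one SOAR trusts"
}

if [ $# -eq 4 ]; then verify_qradar_trust "$@"; fi
```

Run it as `./verify_qradar_trust.sh <qradar_domain> qradar.pem <qradar_domain> "<store_password>"`; a mismatch on the first comparison means the PEM on disk is stale or was replaced, on the second that the import did not land under the expected alias.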

License and validation

Import the license and verify status:

sudo license-import --file <path_to_license_file>
sudo resutil license

Operational validation checklist:

  • HTTPS access works without browser certificate warnings
  • License status shows valid
  • Hostname and timezone are correct
  • Organization and initial user are visible
  • No major errors appear under /var/log/resilient/
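The checklist above can be scripted so the same five checks run identically after every install and upgrade. The script below is an added example, not part of the yamangit/Qradar-SOAR-SOP repository: it checks HTTPS trust without curl -k (the condition that produces browser warnings), compares hostname and timezone with the expected values, parses the license output so that "invalid" is not mistaken for "valid", and counts recent ERROR/FATAL lines under /var/log/resilient. It assumes `sudo resutil license` prints a line containing "valid" and that the log directory holds *.log files.

```shell
#!/bin/bash
# Added post-install validation helper for the checklist above; it is not part of the
# yamangit/Qradar-SOAR-SOP repository. Assumed: `sudo resutil license` prints a line
# containing "valid", and SOAR logs live under /var/log/resilient (third argument overrides).
set -u

# HTTPS without -k: fails when the chain is not trusted by the system CA bundle,
# the same condition that produces browser certificate warnings.
check_tls_trust() {  # $1 = fqdn
    curl -sS --max-time 10 -o /dev/null "https://$1/"
}
check_hostname() {  # $1 = expected fqdn
    [ "$(hostname)" = "$1" ]
}
check_timezone() {  # $1 = expected IANA zone, e.g. Asia/Kathmandu
    [ "$(timedatectl show -p Timezone --value 2>/dev/null)" = "$1" ]
}

# Count ERROR/FATAL lines in the last N lines of every *.log file in a directory.
count_recent_errors() {  # $1 = log dir, $2 = lines per file to inspect
    local dir="$1" tail_n="${2:-500}" total=0 f n
    for f in "$dir"/*.log; do
        [ -f "$f" ] || continue
        n=$(tail -n "$tail_n" "$f" | grep -cwE 'ERROR|FATAL' || true)
        total=$((total + n))
    done
    echo "$total"
}

# Valid only if the output mentions "valid" and never "invalid" or "expired"
# (a bare grep for "valid" also matches "invalid").
license_is_valid() {  # $1 = captured output of `sudo resutil license`
    printf '%s\n' "$1" | grep -qiE 'invalid|expired' && return 1
    printf '%s\n' "$1" | grep -qi 'valid'
}

run_validation() {  # $1 = fqdn, $2 = timezone, $3 = log dir (optional)
    local dir="${3:-/var/log/resilient}" fails=0 errors
    check_tls_trust "$1" || { echo "FAIL: HTTPS chain for $1 not trusted"; fails=$((fails + 1)); }
    check_hostname "$1" || { echo "FAIL: hostname is $(hostname), expected $1"; fails=$((fails + 1)); }
    check_timezone "$2" || { echo "FAIL: timezone is not $2"; fails=$((fails + 1)); }
    license_is_valid "$(sudo resutil license 2>&1)" || { echo "FAIL: license not valid"; fails=$((fails + 1)); }
    errors=$(count_recent_errors "$dir" 500)
    [ "$errors" -eq 0 ] || echo "WARN: $errors ERROR/FATAL lines in recent $dir logs"
    echo "validation finished with $fails failure(s)"
    [ "$fails" -eq 0 ]
}

if [ $# -ge 2 ]; then run_validation "$@"; fi
```

Invoke it as `./validate_soar.sh soar.<yourdomain> Asia/Kathmandu`; the exit status is non-zero when any hard check fails, so it can gate a change ticket or a post-upgrade sign-off.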

Upgrade, rollback, and hardening

Run upgrades carefully after snapshots and backups:

sudo ./soar-<new_version>.run

Recommended pre-upgrade steps:

  • Snapshot the VM
  • Back up /crypt/certs
  • Export workflows and integrations
  • Verify license validity before starting

Rollback basics:

  • Power off the VM
  • Restore the snapshot
  • Validate services, certificates, and license status

Security hardening baseline:

  • Disable root SSH login
  • Enforce key-based authentication
  • Restrict firewall ports
  • Apply least-privilege RBAC
  • Rotate API tokens quarterly
  • Monitor audit logs

Automated health check

This lightweight health check helps confirm that critical services and the UI remain available:

#!/bin/bash
# Lightweight availability check; exits non-zero if any item fails so it can be scheduled or monitored.
status=0
echo "SOAR Health Check"

systemctl is-active --quiet resilient resilient-messaging || { echo "Service issue"; status=1; }
sudo resutil license | grep -qiw valid || { echo "License issue"; status=1; }
curl -ks --max-time 10 https://localhost/ | grep -qi html || { echo "UI issue"; status=1; }

echo "Health check completed"
exit "$status"

Quick reference:

flowchart LR
    login["Login"] --> baseUrl["Base URL"]
    baseUrl --> cert["SSL"]
    cert --> restart["Restart"]
    restart --> org["Create Org"]
    org --> qradarCert["QRadar Cert"]
    qradarCert --> license["License"]
    license --> validate["Validate"]