Skip navigation
All Places > Products > RSA NetWitness Platform > Blog > Author: Miho Sjoquist

RSA NetWitness Platform

2 Posts authored by: Miho Sjoquist Employee

The Security Analytics/NetWitness Suite Patch releases can be installed on Service Packs, but not on major releases. For example, can be installed on but not on This also means that the patch release upgrade packages only contain the rpms that are needed to upgrade from the nearest service packs.

If the latest patch was not applied to all appliances at the same time, you need to use a workaround to update them.



  • SA server, Log Collector, and Concentrator have been built from the 10.6.0 OVA.
  • Connection to Live Update Repository was turned off.
  • SA Server and Log Collector were upgraded to 10.6.1 by using the split zip packages (7 zip files). But the Concentrator was left as


Case 1

The 10.6.1 upgrade package was removed from the local repo (SA UI -> Systems -> Updates -> Settings -> Manage Repository. Select and remove 10.6.1).

Now the packages (5 zip files) were uploaded.


SA Server and LC can be upgraded to But Concentrator only sees as a possible upgrade.



1. Load 10.6.1 so that there will be both 10.6.1 and in the local repo.

2. Log into the Concentrator console.

3. Copy the /etc/yum.repos.d/RSASoftware.repo file and create the temp.repo file under the same location. In the temp.repo file, change the last section of the baseurl with the actual release number to 10.6.1 (SA server's local repo folder.)



4. From a command prompt, run “yum clean all”, followed by “ yum check-update”. At this point, you should be able to see the SA rpms returned.

6. Run “yum update –y

7. After a successful upgrade, delete the temp.repo file.



Case 2

From the end of Case 1 --- After upgrading the SA server to, add a new ESA.



The new ESA was provisioned successfully.
The only update option available to the ESA is but only sees as a possible upgrade.


The same workaround above will work for ESA.


This scenario came from Michael McGillick originally a couple of months ago. I thought that above information is worth sharing.

Thank you Melinda Zelenkov for reviewing this post.

Per request from external teams, I experimented with the NetWitness Suite/Security Analytics 10.6.2 Upgrade in mixed-mode installation.


Case 1: SA 10.6.2 and a new host in 10.5.2


  • SA server has been upgraded from 10.6.0 to 10.6.2 using the split zip files.
  • Another host (Decoder) has been built from the 10.5.0 OVA and was upgraded to 10.5.2. 


  • SA 10.6.2 - to - Decoder 10.5.2 provisioning was successful.
  • Upgrade to 10.6.2  is available on the HOST screen and the upgrade was successful. 


Case 2: SA 10.6.2 and new host in 10.6.0


  • SA server has been upgraded to 10.6.2 using the split zip files
  • A new host (Concentrator) has been built from the 10.6.0 OVA.


  • SA 10.6.2 - to - Decoder 10.6.0 provisioning was successful.
  • The new 10.6.0 host can be upgraded using rpms in SA's repo. 


Case 3: WLC on Win2K12 and SA 10.6.0 / 10.6.2 setups


  • WLC on Win2K12 and added WLC to 10.6.0 / 10.6.2 setup and tested the functionality of LC and could see all events Concentractor


  • Upgraded to WLC -> 10.6.2 on WIN2K12 and noticed that NwLogCollector Service crash post upgrade(ASCO-27227).

PEM file issue

If you are upgrading from a new 10.6.0.x systems (from a 10.6.0 image) to 10.6.2 for the first time and you are using SMCUpdate, you must run the following command to create a PEM file.

/# touch /etc/pki/CA/certs/RSACorpCAv2.pem

This workaround has been noted in the 10.6.1 Update Instructions (page 15, Task 8) but not in the 10.6.2 Update Instructions. 

This isn't an issue if you are using 10.6.2 upgrade zip files.

The issue won't be fixed until the next image is released.


Note: Background image is Lake Assal is Djibouti. I'm dreaming of a sunny and warm place...

Filter Blog

By date: By tag: