000037003 - RSA NetWitness Endpoint REST API scan machine produces error messages

Document created by RSA Customer Support Employee on Dec 13, 2018
Version 1

Article Content

Article Number: 000037003
Applies To:
RSA Product Set: NetWitness Endpoint
RSA Product/Service Type: NetWitness Endpoint
RSA Version/Condition:
Platform: Windows
Issue: The REST API fails to send a scan, either from a REST integration or from the Swagger interface built natively into the REST API. This is based on the POST scan option in the UI. The path is:

A successful send returns Response Code 200.

Cause: The error has a few possible causes:
  1. Some options are mutually exclusive. In the scan options, FilterSigned and FilterTrustedRoot cannot both be enabled: if one is set to true, the other must be false.
  2. The GUID value may have been entered incorrectly, so the scan is not assigned to the correct agent.
  3. ScanCategory is a decimal number. Its valid values are listed under the ScanCategory section in the Swagger UI, and it must be given correct values to determine the level of scan.
  4. The remaining issues are typically attributable to permissions in the REST API: either incorrect permissions for the REST user or a SQL connection issue for the REST API.
Resolution: Check off each issue one at a time:
  1. Make sure FilterSigned and FilterTrustedRoot are not both set to True; these two options are mutually exclusive.
  2. The GUID uses the same value as the AgentID in the UI. It's typically easiest to copy/paste it directly from the UI when entering a value here.
  3. To use a combination of scan categories, add their values together. ScanCategory is written specifically for this purpose and, when entered correctly, will initiate a scan with whatever options were chosen from the scan list.
  4. If the above has been tried and an error message is still returned, check the ApiServer-Error.log file. Typically, it should indicate a SQL connection error or a permissions error. In this case, it's likely the REST user has no permissions to initiate a scan in the database.

NOTE: Avoid using the default REST admin user for this task; it is meant for administration. Instead, create a REST user that has scanning-level permissions in ECAT_Permissions under User Mapping inside MSSQL.
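
The first three checks above can be run against a request body before it is sent. The following is an added example, not RSA code: the `Guid` key name and the category names and values in `SCAN_CATEGORY_VALUES` are constructed placeholders, to be replaced with the names and decimal values shown in your own Swagger UI.

```python
import uuid

# Constructed placeholder values. Replace them with the decimal values listed
# under the ScanCategory section of your own Swagger UI.
SCAN_CATEGORY_VALUES = {"CategoryA": 1, "CategoryB": 2, "CategoryC": 4, "CategoryD": 8}


def valid_category_sums(values):
    """Return every total reachable by adding distinct category values together."""
    sums = {0}
    for value in values:
        sums |= {s + value for s in sums}
    sums.discard(0)  # an empty selection is not a scan level
    return sums


def check_scan_request(body, category_values=SCAN_CATEGORY_VALUES):
    """Return a list of problems found in a scan request body (empty if none)."""
    problems = []

    # Cause 1: the two filter options are mutually exclusive.
    if body.get("FilterSigned") is True and body.get("FilterTrustedRoot") is True:
        problems.append("FilterSigned and FilterTrustedRoot are both True")

    # Cause 2: a mistyped or truncated GUID will not match the agent.
    guid = str(body.get("Guid", "")).strip()  # "Guid" key name is an assumption
    try:
        uuid.UUID(guid)
    except ValueError:
        problems.append(f"Guid {guid!r} is not a well-formed GUID")

    # Cause 3: ScanCategory must be a sum of listed category values.
    category = body.get("ScanCategory")
    if isinstance(category, bool) or not isinstance(category, int):
        problems.append("ScanCategory must be a decimal integer")
    elif category not in valid_category_sums(category_values.values()):
        problems.append(f"ScanCategory {category} is not a sum of listed values")

    return problems


if __name__ == "__main__":
    # Constructed request body: both filters set, truncated GUID, bad category.
    sample = {"Guid": "3f2b8c1e-7a44-4d0e-9b1a", "FilterSigned": True,
              "FilterTrustedRoot": True, "ScanCategory": 16}
    for problem in check_scan_request(sample):
        print("FAIL:", problem)
```

A well-formed GUID can still be the wrong agent's, so compare it against the AgentID in the UI. Permission and SQL connection errors (item 4) only show up server-side in ApiServer-Error.log.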