000037070 - NWArrayConfig script does not prompt to encrypt PowerVault self-encrypting drives (SEDs) for RSA NetWitness Logs & Network

Document created by RSA Customer Support Employee on Jan 10, 2019. Last modified by Yasmine Dowidar on Jan 10, 2019.
Version 6

Article Content

Article Number: 000037070
Applies To:
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 11.2.0.0.1
Platform: CentOS
O/S Version: 7
 
Issue

When the NWArrayConfig script is run on NetWitness appliances with attached PowerVault storage that contains self-encrypting drives (SEDs), the script fails to prompt the user to encrypt the drives. The drives appear to be configured, but no prompt to encrypt them is displayed. Because no prompt is displayed during NWArrayConfig script execution, the self-encrypting drives are not set to encrypt data.

This is a known issue and the fix will be in future releases of the NetWitness product. 
 
Tasks

Until the fix is added into the NetWitness product by default, follow the steps below:


Installing new RPM packages



  • To extract and install the rsa-sa-tools-11.2.0.0-Powervault.zip file attached to this article, execute the following commands:

unzip rsa-sa-tools-11.2.0.0-Powervault.zip -d /tmp
cd /tmp
yum update ./rsa-sa-tools-11.2.0.0-1808301802.5.941817f.noarch.rpm


  • To extract and install the perccli_7.1-007.0127_linux.tar.gz file attached to this article, execute the following commands:

gunzip perccli_7.1-007.0127_linux.tar.gz 
tar -xvf perccli_7.1-007.0127_linux.tar
rpm -Uvh perccli_7.1-007.0127.noarch.rpm

Resolution

Before running the NwArrayConfig script again, the PowerVault storage must be manually broken down so that the new script can run correctly. Review the section below that corresponds to the appliance type that needs to be reset. If there are any concerns about proceeding with resetting the storage, stop and contact RSA NetWitness Support for further assistance.

Once the appliance storage has been reset, follow the original hardware setup guide for setting up PowerVault storage. You should now receive a prompt for encrypting the drives during setup.

 

Resetting a Decoder Appliance


The following procedure resets a decoder appliance back to its pre-PowerVault configuration state. This does not reset any NetWitness/Security Analytics configuration files. The instructions below are for a Network Decoder. If you have a Log Decoder, replace every reference to decoder with logdecoder.

  1. SSH into the appliance with the broken PowerVault setup.
  2. If the sosreport was run on the appliance before the PowerVault configuration began, retrieve the lvscan, vgscan and pvscan files from the tar.gz that was created. Compare these files to the results from the next steps. By examining the results it should be straightforward to see where the script stopped. Skip ahead to the step where the output files and command output do not match.
  3. Run lvscan and find any devices that contain decoder and decodersmall.

# lvscan

Example output:


ACTIVE    '/dev/decodersmall/decoroot' [30.00 GiB] inherit
ACTIVE    '/dev/decodersmall/decoinde' [10.00 GiB] inherit
ACTIVE    '/dev/decodersmall/decosess' [250.00 GiB] inherit
ACTIVE    '/dev/decodersmall/decometa' [3.35 TiB] inherit
ACTIVE    '/dev/decoder/decopack' [12.73 TiB] inherit


  4. Run lvremove against all logical volumes that were discovered in the previous step.

If an error about the logical volume being busy appears, the logical volume is mounted by the OS. Use umount <device> to unmount it.




# lvremove /dev/decodersmall/decometa
# lvremove /dev/decodersmall/decoroot
# lvremove /dev/decodersmall/decoinde
# lvremove /dev/decodersmall/decosess
# lvremove /dev/decoder/decopack


  5. Run vgscan and find any groups that contain concentrator or index.


# vgscan


Example output:



Found volume group "decodersmall" using metadata type lvm2
Found volume group "decoder" using metadata type lvm2



  6. Run vgremove against all volume groups that were discovered in the previous step.

# vgremove decodersmall
# vgremove decoder



  7. Run pvscan and find any physical volumes that have no VG names associated.

# pvscan

Example output:  



PV /dev/sdb    VG                lvm2 [3.64 TB / 0    free]
PV /dev/sda    VG                lvm2 [12.73 TB / 0    free]
Total: 3 [12.42 TB] / in use: 3 [12.42 TB] / in no VG: 0 [0   ]


  8. Run pvremove against all physical volumes that were discovered in the previous step.

# pvremove /dev/sdb
# pvremove /dev/sda


  9. Run the nwraidutil.pl script and review its output to determine which virtual drives need to be destroyed. Use the enclosure number under the physical section to find the virtual drives associated with the enclosures. Use the following as an example:

[Image: NwRaidutil Output]


Notes:


  • Adapter 0: This shows the adapter that contains the virtual disks underneath it.
  • Virtual Disk 0: This is the first virtual disk on Adapter 0.
  • Virtual Disk 1: This is the second virtual disk on Adapter 0.
  • Enclosure 8: This is the physical enclosure number that can be found under the physical layout section.
 


  10. Using the information retrieved from the previous step, run the following PercCli command to break the virtual drives.


# /opt/MegaRAID/Perc/percli64 /cx/vx del force


Notes


  • There is no space between the /cx and /vx options
  • Change the x in /cx to the Adapter number, which for our example is 0
  • Change the x in /vx to the Virtual Disk number, which for our example is either 0 or 1. If you want to remove all virtual disks on the adapter use /vall

Example:


# /opt/MegaRAID/Perc/percli64 /c0/vall del force



  11. Once the virtual drives are destroyed, the appliance is back to its default, out-of-the-box configuration.
 

Resetting a Concentrator Appliance


The following procedure resets a concentrator appliance back to its pre-PowerVault state. This does not reset any NetWitness/Security Analytics configuration files. These steps may vary slightly due to different versions of the creation scripts.

 


  1. SSH into the appliance with the broken PowerVault setup.
  2. If the sosreport was run on the appliance before the PowerVault configuration began, retrieve the lvscan, vgscan and pvscan files from the tar.gz that was created. Compare these files to the results from the previous step. By examining the results it should be straightforward to see where the script stopped. Skip ahead to the step where the output files and command output do not match.
  3. Run lvscan and find any devices that contain concentrator or index in them.


# lvscan



  4. Run lvremove against all logical volumes that were discovered in the previous step.

# lvremove /dev/concentrator/metadb
# lvremove /dev/index/index
# lvremove /dev/concentrator/sessiondb
# lvremove /dev/concentrator/root

If an error about the logical volume being busy appears, the logical volume is mounted by the OS. Use umount <device> to unmount it.


  5. Run vgscan and find any groups that contain concentrator or index.

# vgscan

Example output:


Found volume group "index" using metadata type lvm2
Found volume group "concentrator" using metadata type lvm2




  6. Run vgremove against all volume groups that were discovered in the previous step.

# vgremove concentrator
# vgremove index



  7. Run pvscan and find any physical volumes that have no VG names associated.

# pvscan

Example output:




PV /dev/sdc     VG                lvm2 [1.36 TB /0   free]
PV /dev/sdd     VG                lvm2 [10.91 TB /0  free]


  8. Run pvremove against all physical volumes that were discovered in the previous step.

# pvremove /dev/sdc
# pvremove /dev/sdd


  9. Run the nwraidutil.pl script and review its output to determine which virtual drives need to be destroyed. Use the enclosure number under the physical section to find the virtual drives associated with the enclosures. Use the following as an example:

[Image: nwraidutil.pl output]



  • Adapter 0: This shows the adapter that contains the virtual disks underneath it.
  • Virtual Disk 0: This is the first virtual disk on Adapter 0.
  • Virtual Disk 1: This is the second virtual disk on Adapter 0.
  • Enclosure 8: This is the physical enclosure number that can be found under the physical layout section. 



  10. Using the information retrieved from the previous step, run the following PercCli command to break the virtual drives.

# /opt/MegaRAID/Perc/percli64 /cx/vx del force


  • There is no space between the /cx and /vx options
  • Change the x in /cx to the Adapter number, which for our example is 0
  • Change the x in /vx to the Virtual Disk number, which for our example is either 0 or 1. If you want to remove all virtual disks on the adapter use /vall

Example:



# /opt/MegaRAID/Perc/percli64 /c0/vall del force


  11. Once the virtual drives are destroyed, the appliance is back to its default, out-of-the-box configuration.
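
The following dry-run planner is an added example, not part of the original article or of RSA's tooling. It covers the lvscan, vgscan and pvscan steps of both reset procedures above: it reads captured scan output and prints the umount, lvremove, vgremove and pvremove commands in the article's order without executing anything. The sample scan text, the os_vg volume group and the mount point are constructed for illustration.

```shell
#!/bin/sh
# Dry-run planner for the manual reset: prints commands, executes nothing.
# All sample scan output below is constructed for illustration.
LVSCAN_SAMPLE="  ACTIVE    '/dev/decodersmall/decoroot' [30.00 GiB] inherit
  ACTIVE    '/dev/decodersmall/decometa' [3.35 TiB] inherit
  ACTIVE    '/dev/decoder/decopack' [12.73 TiB] inherit
  ACTIVE    '/dev/os_vg/root' [30.00 GiB] inherit"
VGSCAN_SAMPLE='  Found volume group "decodersmall" using metadata type lvm2
  Found volume group "decoder" using metadata type lvm2
  Found volume group "os_vg" using metadata type lvm2'
PVSCAN_SAMPLE="  PV /dev/sdc2   VG os_vg          lvm2 [930.00 GiB / 0    free]
  PV /dev/sdb    VG decodersmall   lvm2 [3.64 TiB / 0    free]
  PV /dev/sda                      lvm2 [12.73 TiB]"
# /proc/mounts format; the mount point is a made-up path.
MOUNTS_SAMPLE="/dev/mapper/os_vg-root / xfs rw 0 0
/dev/mapper/decodersmall-decometa /mnt/example-metadb xfs rw 0 0"

# plan_teardown VG_REGEX LVSCAN VGSCAN PVSCAN MOUNTS  (last four are text)
plan_teardown() {
  vg_re=$1
  # Logical volumes: the LV path is the single-quoted field of each line.
  printf '%s\n' "$2" |
    awk -F"'" -v re="^/dev/(${vg_re})/" '$2 ~ re { print $2 }' |
    while read -r lv; do
      # Mounted LVs show up as /dev/mapper/<vg>-<lv>; assumes no "-" in names.
      mapper=$(printf '%s\n' "$lv" | sed 's|^/dev/\([^/]*\)/|/dev/mapper/\1-|')
      if printf '%s\n' "$5" |
           awk -v d="$mapper" '$1 == d { f = 1 } END { exit !f }'; then
        echo "umount $lv"   # a busy LV makes lvremove fail, so unmount first
      fi
      echo "lvremove $lv"
    done
  # Volume groups: the name is the double-quoted field.
  printf '%s\n' "$3" |
    awk -F'"' -v re="^(${vg_re})\$" '$2 ~ re { print "vgremove " $2 }'
  # Physical volumes: in a target VG now, or already without a VG name.
  printf '%s\n' "$4" | awk -v re="^(${vg_re})\$" '
    $1 == "PV" && ($3 == "lvm2" || ($3 == "VG" && ($4 == "lvm2" || $4 ~ re))) {
      print "pvremove " $2 }'
}

# Decoder appliance: only the decoder and decodersmall groups are in scope.
plan_teardown 'decoder|decodersmall' "$LVSCAN_SAMPLE" "$VGSCAN_SAMPLE" \
  "$PVSCAN_SAMPLE" "$MOUNTS_SAMPLE"
```

For a Concentrator, pass 'concentrator|index' as the first argument. Review the printed plan against the sosreport copies of lvscan, vgscan and pvscan before running any of the commands by hand.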

Outcomes