System Maintenance: Change Host IP Addresses

Document created by RSA Information Design and Development on Apr 10, 2019. Last modified by David O'Malley on Jun 18, 2019.
Version 4

This topic describes how to change IP addresses for NetWitness Servers and component hosts. This covers how to change the IP address for:

Change an NW Server Host IP Address

To change the IP address of an NW Server host:

  1. Remove hosts from Hosts view in NetWitness Platform User Interface (UI).

    1. Log into the NetWitness Platform UI.
    2. Go to ADMIN > Hosts.
    3. Select all the hosts except for the NW Server host, click the arrow next to the (delete icon), and select Remove Host to remove the hosts.

      Warning: Do NOT remove the NW Server host.

  2. Get the UUIDs of the NW Server host and component hosts.
    1. SSH to the NW Server host.
    2. Run the following command to get the UUID of the NW Server host.
      cat /etc/salt/minion
      This is an example of the UUID for an NW Server host.
      id: ba847be4-afca-4df4-beca-e6df7ac3a228

    3. On the NW Server host, run the following command.
      orchestration-cli-client -k
      A list of host profile information is displayed, including UUIDs for each host. The host UUIDs are the ID values in the following example.
      Key: ID=a3f9d06f-4f67-4721-9e74-1f127e24e4ad, STATUS=Provisioned
      Key: ID=992dcb26-39c2-4c29-b9c9-7f5e98f3c542, STATUS=Provisioned
      Key: ID=f8b8c231-3a04-482a-b4ed-5abe4a242441, STATUS=Provisioned
  3. Remove UUIDs for all hosts except the NW Server host.
    In this step you remove the UUID of each host that was removed from the UI in the previous step.

    Note: Make sure you DO NOT remove the UUID for the NW Server host itself.

    1. SSH to the NW Server host.
    2. Run the following command for each host that was removed from the UI, replacing <UUID> with the UUID of the host:
      orchestration-cli-client --remove-key <UUID>
      For example:
      orchestration-cli-client --remove-key a3f9d06f-4f67-4721-9e74-1f127e24e4ad

    3. Run the following commands.
      rm -f /etc/netwitness/platform/legacy_mongo/*
      rm -f /etc/netwitness/platform/legacy_rabbit/*
  4. Change the IP address of the NW Server host.

    1. SSH to the NW Server host and run the following command, substituting the new IP address for <desired_admin_ip>.
      security-cli-client --set-config-prop --prop-hierarchy nw --prop-name rsa.data.control.servers[0] --prop-value <desired_admin_ip>

    2. Run the following command to verify the IP address change.
      security-cli-client --get-config-prop --prop-hierarchy nw --prop-name rsa.data.control.servers[0]
      This command returns the new NW Admin IP address.
    3. If you are changing the IP address of the primary ESA server, make sure that your NW Server host is pointing to the right application of the MongoDB by running the following command.
      security-cli-client --set-config-prop --prop-hierarchy nw --prop-name rsa.data.application.servers[0] --prop-value <desired_esa_ip>
    4. Run the following command to verify the existing ESA Primary IP address.
      security-cli-client --get-config-prop --prop-hierarchy nw --prop-name rsa.data.application.servers[0]
  5. Edit the MongoDB on the NW Server host.
    1. SSH to the NW Server host and log onto the MongoDB instance on the NW Server host by running the following command.
      mongo admin -u deploy_admin -p
    2. When you are prompted, enter the deploy_admin password.
    3. Remove user IDs with the attributes of sms, esm, les, asg, and sa.
      1. Run the following commands in the order given.
        use admin
        db.system.users.remove({_id: "sms.sms"})
        db.system.users.remove({_id: "esm.esm"})
        db.system.users.remove({_id: "les.les"})
        db.system.users.remove({_id: "asg.asg"})
        db.system.users.remove({_id: "sa.sa.<sa-server-server_id>"})

        You can use the following command string to get the <sa-server-server_id>.
        cat /etc/netwitness/platform/nodeinfo/sa-server/service-id
      2. Verify that these user IDs have been removed by running the following command.
        db.system.users.find()
    4. Update the host IP address by running the following commands in the order given, replacing <old_ip> with the original IP address of the host, and <new_ip> with the new IP address.

      Note: Only change the NW Server host IP address entry as needed.

      1. use orchestration-server
      2. db.host.update({ "hostname" : "<old_ip>" },{$set: {"hostname" : "<new_ip>"}})

    5. Verify that the IP address has been updated and exit by running the following commands.
      1. db.host.find()
      2. exit
    6. Update the host IP address for the MongoDB hosts for sms, esm, les, and asg by running the following commands, replacing <old_admin_ip> with the original IP address of the host, and <new_admin_ip> with the new IP address.
      1. sed -i 's/<old_admin_ip>/<new_admin_ip>/g' /opt/rsa/sms/conf/smsMongoDbConfig.json
      2. sed -i 's/<old_admin_ip>/<new_admin_ip>/g' /opt/rsa/sms/conf/esmMongoDbConfig.json
      3. sed -i 's/<old_admin_ip>/<new_admin_ip>/g' /opt/rsa/sms/conf/lesMongoDbConfig.json
      4. sed -i 's/<old_admin_ip>/<new_admin_ip>/g' /opt/rsa/sms/conf/asgMongoDbConfig.json
      5. Run the following commands and respond to the following prompts on the NW Server to update the deploy_admin password.
        cd /opt/rsa/saTools/bin

        ./set-deploy-admin-password

        Please enter the old deploy_admin account password:
        <old-deploy-admin-password>
        Please enter the new deploy_admin account password:
        <new-deploy-admin-password>

      6. Enter the old and new password to update it.
  6. Run the nwsetup-tui (Setup program) on the NW Server host.
    1. For this step, you use the same tool to update the IP address as you did for the original installation of NetWitness Platform (nwsetup-tui). You must run nwsetup-tui from a console session (for example, Dell iDRAC). Most of the prompts are the same. The ones that are unique to changing the IP address are described here.
      1. In the NetWitness Platform Install or Upgrade pane, select option 1 Install (Fresh Install).
      2. If you see the following warning, click Yes to continue.

        Note: You must use the same Master and Deploy Admin credentials that you used when you originally installed this host.

        You are prompted for the following information.

        IP Address
        Subnet Mask
        Default Gateway
        Primary DNS Server
        Secondary DNS Server
        Local Domain Name

      3. (Conditional) If you imaged the host with a buildstick and selected NW Server host, you may need to:
        • Select option 2 An External Repo (on an externally-managed server) in response to the following prompt:
        • Select the appropriate directory, for example:
          https://nw-node-zero/nwrpmrepo
    2. After you complete the nwsetup-tui steps, run the following command.
      rm /etc/netwitness/security-client/security-client-amqp.yml
    3. Reboot the host.
  7. Add the component hosts back to NW Server host.
    After you complete the nwsetup-tui steps, you must add the component hosts that were removed in step "1. Remove hosts from Hosts view in NetWitness Platform User Interface (UI)" back to the NW Server host.
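
The following is an added example, not part of the RSA procedure or tooling: dry-run helpers for steps 2, 3 and 5.6 above that build the --remove-key list while always excluding the NW Server UUID, and that replace the old admin IP only where it appears as a complete address. The function names are hypothetical, and the "id:" and "Key: ID=..., STATUS=..." line formats are assumed to match the examples shown on this page.

```shell
#!/bin/sh
# Added example, not RSA code; function names are hypothetical.
# It never calls the NetWitness tools: it prints the removal commands for
# review and edits only the file it is given.

UUID_RE='[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'

# Step 2: print the UUID from the "id:" line of a salt minion file ($1).
minion_uuid() {
    grep -E "^id:[[:space:]]*${UUID_RE}[[:space:]]*\$" "$1" |
        grep -Eo "${UUID_RE}" | head -n 1
}

# Step 3: read "orchestration-cli-client -k" output on stdin and print one
# --remove-key command per listed host, skipping the NW Server UUID ($1).
removal_plan() {
    keep=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s\n' "$keep" | grep -Eqx "${UUID_RE}" || {
        echo "refusing: NW Server UUID missing or malformed" >&2
        return 1
    }
    grep -Eo "ID=${UUID_RE}" | cut -d= -f2 | tr 'A-F' 'a-f' | sort -u |
    while read -r uuid; do
        [ "$uuid" = "$keep" ] || echo "orchestration-cli-client --remove-key $uuid"
    done
}

# Step 5.6: replace address $1 with $2 in file $3 only where $1 stands as a
# whole address. In a bare sed 's/10.1.1.5/.../g' each "." matches any
# character, and the pattern also rewrites the front of 10.1.1.50.
replace_ip_exact() {
    ip4='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
    printf '%s\n%s\n' "$1" "$2" | grep -Evq "$ip4" && {
        echo "refusing: both addresses must be dotted quads" >&2
        return 1
    }
    old=$(printf '%s' "$1" | sed 's/\./\\./g')
    cmd="s/(^|[^0-9.])${old}([^0-9.]|\$)/\\1${2}\\2/g"
    # Two passes: a match consumes its boundary character, so an occurrence
    # one character after the previous match is only caught the second time.
    sed -E -i -e "$cmd" -e "$cmd" "$3"
}
```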

Change an ESA Host IP Address

This section tells you how to change an ESA host IP address under the following two scenarios.

Change NW Server Host Address and Keep the Same ESA Host IP Address

To change the NW Server host IP address and keep the same ESA IP address:

  1. Update NW Server host IP address references on ESA hosts.
    1. SSH to the ESA host.
    2. Change the IP address of the NW Server host to the new IP address by using the following commands in the order given:
      vi /etc/hosts
      vi /etc/salt/minion
  2. Run the nwsetup-tui on the ESA host.
    1. Run nwsetup-tui and follow the instructions in the prompts.
    2. After you complete the nwsetup-tui steps, run the following command:
      rm /etc/netwitness/security-client/security-client-amqp.yml
  3. Set up the ESA host as the Primary ESA host on the NW Server host.
    1. Log into the NetWitness Platform UI.
    2. Go to ADMIN > Hosts.
    3. Click Discover.
      The ESA host is displayed in the New Hosts dialog.
    4. Select the host and click Enable.
      The host is displayed in the Hosts view.
    5. Select the ESA host and click Install.
      The Install Services dialog is displayed.
    6. In Category, click the arrow and select ESA Primary.
  4. Add ESA services to deployments that you have defined, because the services are not associated with the deployments.
    1. Log into the NetWitness Platform UI.
    2. Go to CONFIGURE > ESA Rules.
    3. Select a deployment, and under ESA Services, click (add icon) to add the services to the deployment.

Change an ESA Primary Host IP Address Only

To change the IP address of the ESA host only:

  1. Remove an ESA Primary host from the NW Server host.
    1. Log into the NetWitness Platform UI.
    2. Go to ADMIN > Hosts.
    3. Select the ESA host, click the arrow next to the (delete icon), and select Remove Host to remove the host.
  2. Remove the UUID of the ESA Primary Host:
    1. SSH to the ESA Primary host and get the UUID for the ESA host using the following command:
      cat /etc/salt/minion
    2. SSH to the NW Server host and run the following command for the ESA Primary host that was removed from the UI, replacing <UUID> with the UUID of the ESA Primary host:
      orchestration-cli-client --remove-key <UUID>
      For example:
      orchestration-cli-client --remove-key a3f9d06f-4f67-4721-9e74-1f127e24e4ad
  3. Set up the NW Server host to point to the correct MongoDB host.
    1. If you are changing the IP address of the primary ESA server, make sure that your NW Server host is pointing to the right application of the MongoDB by running the following command on the NW Server host:
      security-cli-client --set-config-prop --prop-hierarchy nw --prop-name rsa.data.application.servers[0] --prop-value <desired_esa_ip>
    2. Run the following command to verify the existing ESA Primary IP address:
      security-cli-client --get-config-prop --prop-hierarchy nw --prop-name rsa.data.application.servers[0]
  4. Run nwsetup-tui on the ESA Primary host.
    1. For this step, you use the same tool to update the IP address as you did for the original installation of NetWitness Platform (nwsetup-tui). You must run nwsetup-tui from a console session (for example, Dell iDRAC). Most of the prompts are the same. The ones that are unique to changing the IP address are described here.
      1. In the NetWitness Platform Install or Upgrade pane, select option 1 Install (Fresh Install).
      2. If you see the following warning, click Yes to continue.

        Note: You must use the same Master and Deploy Admin credentials that you used when you originally installed this host.

        You are prompted for the following information.
        IP Address
        Subnet Mask
        Default Gateway
        Primary DNS Server
        Secondary DNS Server
        Local Domain Name

      3. After you complete the nwsetup-tui steps, run the following command.
        rm /etc/netwitness/security-client/security-client-amqp.yml
  5. Add the ESA Primary host back to the NW Server host to set it up as the Primary ESA host.
    1. Log into the NetWitness Platform UI.
    2. Go to ADMIN > Hosts.
    3. Click Discover.
      The ESA Primary host is displayed in the New Hosts dialog.
    4. Select the host and click Enable.
      The ESA host is displayed in the Hosts list.
    5. Click Install.
      The Install Services dialog is displayed.
    6. In Category, click the arrow and select ESA Primary.
    7. Reboot the ESA host.
    8. Reboot the NW Server host.
  6. Add ESA services to deployments that you have defined because the services are not associated with the deployments.
    1. Log into the NetWitness Platform UI.
    2. Go to CONFIGURE > ESA Rules.
    3. Select a deployment, and under ESA Services, click (add icon) to add the services to the deployment.

Change a Component IP Address

This section tells you how to change the IP address of a component host (that is, an Archiver, Broker, Concentrator, Endpoint Log Hybrid, ESA Secondary, Log Hybrid, Malware, Network Decoder, Network Hybrid, or UEBA host) under the following two scenarios.

Change NW Server Host IP Address and Keep Same Component Host IP Addresses

To change the NW Server host IP address and retain the component host IP addresses:

  1. Update NW Server host IP address references on component hosts.
    1. SSH to the component host.
    2. Change the IP address of the NW Server host to the new IP address by using the following commands in the order given:
      vi /etc/hosts
      vi /etc/salt/minion
  2. Run nwsetup-tui on the component host.
    1. Run nwsetup-tui and follow the instructions in the prompts.
    2. After you complete the nwsetup-tui steps, run the following command:
      rm /etc/netwitness/security-client/security-client-amqp.yml
  3. Set up a component host on the NW Server host.
    1. Log into the NetWitness Platform UI.
    2. Go to ADMIN > Hosts.
    3. Click Discover.
      The component host is displayed in the New Hosts dialog.
    4. Select the host and click Enable.
      The component host is displayed in the Hosts list.
    5. Click Install.
      The Install Services dialog is displayed.
    6. In Category, click the arrow and select the appropriate host type.
    7. Reboot the NW Server host.
    8. Reboot the component host.

Change a Component IP Address Only

To change a component host IP address:

  1. Remove the component host from the NW Server host using the UI:
    1. Log into the NetWitness Platform UI.
    2. Go to ADMIN > Hosts.
    3. Select the component host, click the arrow next to the (delete icon), and select Remove Host to remove the host.
  2. Remove the UUID of the component Host:
    1. SSH to the component host and get the UUID for the host by running the following command:
      cat /etc/salt/minion
    2. SSH to the NW Server host and run the following command for the component host that was removed from the UI, replacing <UUID> with the UUID of the host:
      orchestration-cli-client --remove-key <UUID>
      For example:
      orchestration-cli-client --remove-key a3f9d06f-4f67-4721-9e74-1f127e24e4ad
  3. Run nwsetup-tui.
    For this step, you use the same tool to update the IP address as you did for the original installation of NetWitness Platform (nwsetup-tui). You must run nwsetup-tui from a console session (for example, Dell iDRAC). Most of the prompts are the same. The ones that are unique to changing the IP address are described here.
    1. In the NetWitness Platform Install or Upgrade pane, select option 1 Install (Fresh Install).
    2. If you see the following warning, click Yes to continue.

      Note: You must use the same Master and Deploy Admin credentials that you used when you originally installed this host.

      You are prompted for the following information.
      IP Address
      Subnet Mask
      Default Gateway
      Primary DNS Server
      Secondary DNS Server
      Local Domain Name

    3. After you complete the nwsetup-tui steps, run the following command.
      rm /etc/netwitness/security-client/security-client-amqp.yml
  4. Set up the component host on the NW Server host.
    1. Log into the NetWitness Platform UI.
    2. Go to ADMIN > Hosts.
    3. Click Discover.
      The component host is displayed in the New Hosts dialog.
    4. Select the host and click Enable.
      The component host is displayed in the Hosts list.

    Note: If the component host is the ESA secondary host, after this host is displayed in the Hosts list, you see only one service on this host. You need to select ESA Secondary as the Category in the following steps to install both the Correlation and Entity Behavior Analytics services on this host.

    5. Click Install.
      The Install Services dialog is displayed.
    6. In Category, click the arrow and select the appropriate service category.
  5. Reboot the component host.
  6. Reboot the NW Server host.

Change Log Decoder-Log Collector with Remote Collectors IP Address

If you have Log Decoders set up with Remote Collectors, you must delete the Remote Collectors before you change the Log Decoder/Log Collector host IP address, and add the Remote Collectors back after the IP address has been changed.

To change a Log Decoder/Log Collector host IP address that has Remote Collectors:

  1. Remove Remote Collectors.
    1. Log into the NetWitness Platform UI.
    2. Go to ADMIN > Services.
    3. Select the Log Decoder service with Remote Collectors and click View > Config.
    4. Select the Remote Collectors and click the arrow next to the (delete icon) to remove them.
  2. Change the Log Decoder host IP address.
    Follow the steps described under Change a Component IP Address to change the Log Decoder host IP address.
  3. Add Remote Collectors.
    1. Log into the NetWitness Platform UI.
    2. Go to ADMIN > Services.
    3. Select the Log Decoder service and click View > Config.
    4. Click (add icon) to add the Remote Collectors.

Change VLC IP Address

You must remove all entries from Destination Groups before you change the Virtual Log Collector (VLC) IP address, and then add the Destination Group entries back after the IP address has been changed.

  1. Remove Destination Group entries.
    1. Log into the NetWitness Platform UI.
    2. Go to ADMIN > Services.
    3. Select the VLC service and click View > Config.
    4. On the Local Collectors tab, select Destinations from the Select Configuration menu.
    5. Select the destinations and click the (delete icon) to remove them.
  2. Change VLC host IP address.
    Follow the steps described under Change a Component IP Address to change the VLC host IP address.
  3. Add Destination Group entries.
    1. Log into the NetWitness Platform UI.
    2. Go to ADMIN > Services.
    3. Select the VLC service and click View > Config.
    4. On the Local Collectors tab, select Destinations from the Select Configuration menu.
    5. Click (add icon) to add the Destination Group entries.

 
