Deployment Guide: Optional Setup Procedures

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by David O'Malley on Jun 4, 2019.
Version 9

  • Group Aggregation
  • Hybrid Categories on the NW Server
  • Second Endpoint Server
  • Warm Standby NW Server

Group Aggregation

You use Group Aggregation to configure multiple Archiver or Concentrator services as a group and share the aggregation tasks between them. You can configure multiple Archiver services or Concentrator services to efficiently aggregate from multiple Log Decoder services to improve query performance on the data:

  • Stored in the Archiver.
  • Processed through the Concentrator.

RSA Group Aggregation Deployment Recommendations

RSA recommends the following deployment for Group Aggregation:

  • 1 - 2 Log Decoders
  • 3 - 5 Archivers or Concentrators

Advantages of Using Group Aggregation

  • Increases the speed of RSA NetWitness® Platform queries.
  • Improves the performance of aggregate queries (Count and Sum) on the environment.
  • Enhances investigation service performance.
  • Gives you the option of storing data for a longer duration for investigation purposes.

The following diagram illustrates Group Aggregation.

Group Aggregation Illustration

You can group any number of Archivers or Concentrators together to form an aggregation group. The Archiver or Concentrator services in the group divide all the aggregated sessions between them based on the number of sessions defined in the Aggregate Max Sessions parameter.

For example, in an aggregation group containing two Archiver services or two Concentrator services with the Aggregate Max Sessions parameter set to 10000, the services divide the sessions between themselves as shown in the following table.

Archiver 0 or Concentrator 0    Archiver 1 or Concentrator 1
1 - 9,999                       10,000 - 19,999
20,000 - 29,999                 30,000 - 39,999
40,000 - 49,999                 50,000 - 59,999

Configure Group Aggregation

Complete this procedure to configure multiple Archiver or Concentrator services as a group and share the aggregation tasks between them.

Prerequisites

Plan the network design for group aggregation. The following figure is an example of a group aggregation setup.

Group Aggregation Setup example

Ensure that you understand the group aggregation parameters in the following table, and create a group aggregation plan.

Parameter        Description

Group Name       Determines the group to which the Archiver or Concentrator belongs. You can add any number of groups aggregating data from a Log Decoder. The Log Decoder uses the Group Name parameter to identify which Archiver or Concentrator services are working together. All Archiver or Concentrator services in the group should have the same group name.

Size             Determines the number of Archiver or Concentrator services in the aggregation group.

Member Number    Determines the position of the Archiver or Concentrator in the aggregation group. For a group of size N, the member numbers 0 to N-1 must be set, one on each of the Archiver or Concentrator services in the aggregation group.
                 For example: if the size of the aggregation group is 2, the member number of one Archiver or Concentrator service should be set to 0 and the member number of the other Archiver or Concentrator should be set to 1.

Membership Mode  There are two membership modes:
                 • New: Adding a new Archiver or Concentrator service as a member to an existing aggregation group, or creating an aggregation group. The Archiver or Concentrator service does not aggregate any existing sessions from the service, because the other members of the group would already have aggregated all the sessions on the service. This Archiver or Concentrator service only aggregates new sessions as they appear on the service.
                 • Replace: Replacing an existing aggregation group member. The Archiver or Concentrator begins aggregation from the oldest session available on the service it is aggregating from.

                 Note: The Membership Mode parameter has an effect only when no sessions have been aggregated from the service. After some sessions are aggregated, this parameter has no effect.
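The session split shown in the Aggregate Max Sessions table and the plan checks that the parameters above imply, as an added Python example (this is not code from the RSA guide or the NetWitness product; the Member class, the service labels and the validate_plan function are constructed for the example):

```python
"""Group Aggregation planning helper (added example, not RSA NetWitness code).

It models what the guide states:
  * an aggregation group hands out sessions in blocks of Aggregate Max
    Sessions, block k going to member k mod Size (the two-member table), and
  * a plan is valid only when every member shares one Group Name and one
    Size, Member Numbers are exactly 0..Size-1, and Membership Mode is
    New or Replace.
"""
from dataclasses import dataclass

MEMBERSHIP_MODES = ("New", "Replace")


@dataclass(frozen=True)
class Member:
    service: str          # constructed label, e.g. "archiver-0"
    group_name: str
    size: int
    member_number: int
    membership_mode: str


def member_for_session(session_id: int, max_sessions: int, size: int) -> int:
    """Return the Member Number that aggregates session_id.

    With max_sessions=10000 and size=2 this reproduces the guide's table:
    1-9,999 -> 0, 10,000-19,999 -> 1, 20,000-29,999 -> 0, and so on.
    """
    if session_id < 0 or max_sessions <= 0 or size <= 0:
        raise ValueError("need session_id >= 0, max_sessions > 0, size > 0")
    block = session_id // max_sessions
    return block % size


def session_ranges(max_sessions: int, size: int, blocks: int) -> dict:
    """Map each Member Number to its (first, last) session-ID ranges for the
    first `blocks` blocks; session IDs start at 1 as in the guide's table."""
    ranges = {m: [] for m in range(size)}
    for block in range(blocks):
        first = block * max_sessions
        last = first + max_sessions - 1
        ranges[block % size].append((max(first, 1), last))
    return ranges


def validate_plan(members: list) -> list:
    """Return the problems found in a group aggregation plan (empty = OK)."""
    problems = []
    if not members:
        return ["plan has no members"]
    names = sorted({m.group_name for m in members})
    if len(names) != 1:
        problems.append(f"members disagree on Group Name: {names}")
    sizes = sorted({m.size for m in members})
    if len(sizes) != 1:
        problems.append(f"members disagree on Size: {sizes}")
    size = members[0].size
    if len(members) != size:
        problems.append(f"Size is {size} but the plan lists {len(members)} members")
    numbers = sorted(m.member_number for m in members)
    if numbers != list(range(size)):
        problems.append(f"Member Numbers must be exactly 0..{size - 1}, got {numbers}")
    for m in members:
        if m.membership_mode not in MEMBERSHIP_MODES:
            problems.append(f"{m.service}: unknown Membership Mode {m.membership_mode!r}")
    return problems


if __name__ == "__main__":
    # Constructed plan: two Archivers, one joining as New, one as Replace.
    plan = [
        Member("archiver-0", "archgrp", 2, 0, "New"),
        Member("archiver-1", "archgrp", 2, 1, "Replace"),
    ]
    print("plan problems:", validate_plan(plan) or "none")
    for member, spans in session_ranges(10000, 2, 6).items():
        print(f"member {member}: {spans}")
```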

Set up Group Aggregation

This workflow shows the procedures you complete to configure group aggregation.

Complete the following steps to set up group aggregation.

  1. Configure multiple Archiver or Concentrator services in your environment. Make sure that you add the same Log Decoder as data source to all the services.
  2. Perform the following on all the Archiver or Concentrator services that you want to be part of the aggregation group:

    a. Go to ADMIN > Services.
    b. Select the Archiver or Concentrator service, and in the Actions column, select View > Config.
      The Service Config view of the Archiver or Concentrator is displayed.
    c. In the Aggregate Services section, select Log Decoder.
    d. Click Toggle Service to change the status of the Log Decoder to offline if it is online.
    e. Click Edit.

      The Edit Aggregate Service dialog is displayed.

      Edit Aggregate Service

    f. Click the Group Aggregation button.

      The Edit Group Aggregation dialog is displayed.

      Edit Group Aggregation

    g. Select the Enabled checkbox and set the following parameters:

      • In the Group Name field, type the group name.
      • In the Size field, select the number of Archiver or Concentrator services in the aggregation group.
      • In the Member Number field, select the position of the Archiver or Concentrator in the aggregation group.
      • In the Membership Mode drop-down menu, select the mode.
    h. Click Save.
    i. In the Service Config View page, click Apply.
    j. Perform Step b to Step i on all other Archiver or Concentrator services that need to be part of group aggregation.
  3. In the Aggregation Configuration section, set the Aggregate Max Sessions parameter to 10000.

Hybrid Categories on NW Server

You can install Hybrid Categories such as Log Hybrid and Network (Packet) Hybrid service categories on a Series 6 (R640) Physical host. This gives you the ability to attach multiple PowerVault external storage devices to the Series 6 (R640) Physical host.

Second Endpoint Server

Complete the following procedure to deploy a second Endpoint Server.

  1. Set up a new host in NetWitness Platform.
    • For a physical host, complete steps 1 to 14 inclusive in "Task 2 - Install 11.3 on Other Component Hosts" under "Installation Tasks" of the Physical Host Installation Guide. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.
    • For a virtual host, follow the instructions in the Virtual Host Installation Guide in "Task 2 - Install 11.3 on Other Component Hosts" under "Step 4. Install RSA NetWitness Platform."

  2. SSH to the host that you set up in step 1.
  3. Submit the following command string.
    mkdir -p /etc/pki/nw/nwe-ca

    Note: You do not need to modify permissions.

  4. Copy the following two files from the previously deployed Endpoint Server to the new (second) Endpoint Server:
    /etc/pki/nw/nwe-ca/nwerootca-cert.pem
    /etc/pki/nw/nwe-ca/nwerootca-key.pem
  5. Install Endpoint on the host.
    a. Log into NetWitness Platform and go to ADMIN > Hosts.
      The New Hosts dialog is displayed with the Hosts view grayed out in the background.

      Note: If the New Hosts dialog is not displayed, click Discover in the Hosts view toolbar.

    b. Select the new host in the New Hosts dialog and click Enable.
      The New Hosts dialog closes and the host is displayed in the Hosts view.

    c. Select that host in the Hosts view (for example, Endpoint Server II) and click the install icon in the toolbar.
      The Install Services dialog is displayed.

    d. Select Endpoint in Host Type and click Install.

Warm Standby NW Server Host

The Warm Standby NW Server duplicates the critical components and configurations of your active NW Server Host to increase reliability.

A secondary NW Server remains in the standby role and, when configured, receives backups of the primary NW Server in the active role at regular intervals. If the primary NW Server fails (goes offline), you must execute the fail-over procedure so that the secondary NW Server can assume the active role.

When you set up a secondary NW Server as a Warm Standby, a failure or scheduled switch from the primary NW Server to the secondary NW Server is referred to as a fail-over. You fail back to return to the normal operating state (that is, primary NW Server in the active role and the secondary NW Server in the standby role).

The following diagram illustrates the fail-over and fail-back process.

  1. Set up the secondary NW Server as standby (initial setup). This is the normal operating state.
  2. The primary NW Server fails over to the secondary NW Server. After the fail-over, get the primary NW Server back online and set it up in the standby role. This is a temporary operating state.
  3. Fail the secondary NW Server back to the primary. The primary NW Server is back in the active role and the secondary is back in the standby role. This is the normal operating state.

IMPORTANT: During a Fail-Over, you must assign the same IP address as the primary NW Server to the secondary NW Server so it can assume the active role.

Procedures

Complete the following task to set up a secondary NW Server in the standby role for fail-over:

  • Set Up Secondary NW Server in Standby Role

Complete the following tasks when required to maintain high availability:

  • Fail Over Primary NW Server to Secondary NW Server
  • Fail Back Secondary NW Server to Primary NW Server

Planned Fail-Over Scenario

This scenario occurs when you schedule a fail-over (see Planned Fail-Over under step 3 in the Fail Over Primary NW Server to Secondary NW Server procedure). You should not need to do anything after the fail-over completes.

Required Fail-Over Scenario without Hardware Replacement

This scenario occurs when the primary NW Server fails (see Required Fail-Over under step 3 in the Fail Over Primary NW Server to Secondary NW Server topic), but you are able to recover it easily without re-imaging (for example, the active NW Server has corrupt or insufficient RAM). You do not need to run the nwsetup-tui and you do not need to contact Customer Support (https://community.rsa.com/docs/DOC-1294) to reestablish correct licensing when:

  1. The active (primary NW Server) fails over to the Standby (secondary NW Server) and that secondary host temporarily assumes the role of the active NW Server.
  2. You fix the problem with the primary NW Server (for example, install new RAM) and fail back to it from the secondary host.

Required Fail-Over Scenario with Hardware Replacement

This scenario occurs when the active NW Server completely fails and the hardware requires replacement, for example when you receive a Return Merchandise Authorization (RMA). You need to reconfigure the host with nwsetup-tui and contact Customer Support (https://community.rsa.com/docs/DOC-1294) to reestablish licensing. If you choose to rebuild the replacement host as a temporary standby (for example, until your scheduled fail-back occurs), you must answer "Yes" to the Standby Host Recovery Mode nwsetup-tui prompt when configuring this temporary standby for failing back (see the Standby Host Recovery Mode step in the Set Up Secondary NW Server in Standby Role procedure for the context of this prompt).

Set Up Secondary NW Server in Standby Role

  1. Before you install a secondary NW Server host for the standby role, make sure that:
    a. Your primary NW Server is running 11.3.
    b. All your component hosts are running 11.3.
      If you are:
      • Installing NetWitness Platform 11.3, follow the instructions in the RSA NetWitness Platform Physical Host Installation Guide for Version 11.3 or the RSA NetWitness Platform Virtual Host Installation Guide for Version 11.3.
      • Upgrading from 10.6.x to 11.3, follow the instructions in the RSA NetWitness Platform Physical Host Upgrade Guide for Version 10.6.6.x to 11.3 or the RSA NetWitness Platform Virtual Host Installation Guide for Version 11.3.
      • Updating from 11.x to 11.3, follow the instructions in the RSA NetWitness Platform Update Guide for Version 11.x to 11.3.
        Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.
  2. Create a base image on the secondary NW Server:
    • Attach media (ISO) to the host.
      See the RSA NetWitness Platform Build Stick Instructions for more information.
    • Physical media - use the ISO to create bootable flash drive media with Etcher® or another suitable imaging tool that writes a Linux file system to the USB drive. See the RSA NetWitness® Platform Build Stick Instructions for information on how to create a build stick from the ISO. Etcher is available at: https://etcher.io.

    • iDRAC installations - the virtual media type is:
      • Virtual Floppy for mapped flash drives.
      • Virtual CD for mapped optical media devices or ISO file.
  3. Log in to the host and reboot it.
  4. Select F11 (boot menu) during reboot to select a boot device and boot to the connected media.
    After some system checks during booting, the Welcome to RSA NetWitness Platform 11.3 installation menu is displayed. The menu graphics render differently if you use physical USB flash media.
  5. Select Install RSA Netwitness Platform 11.3 (default selection) and press Enter.
    The Installation program runs and stops at the Enter (y/Y) to clear drives prompt, which asks you to format the drives.
  6. Type Y to continue.
    The default action is No, so if you ignore the prompt, it selects No after 30 seconds and does not clear the drives. The Press enter to reboot prompt is displayed.
  7. Press Enter to reboot the host.
    The Installation program asks you to clear the drives again.
  8. Type N because you already cleared the drives.
    The Enter Q (Quit) or R (Reinstall) prompt is displayed.
  9. Type R to install the base image.
    The installation program displays the components as they are installed, which varies depending on the appliance, and reboots.

    Caution: Do not reboot the attached media (media that contains the ISO file, for example a build stick).

  10. Log in to the host with the root credentials.
  11. Run the nwsetup-tui command.

    Note: 1.) When you navigate through the Setup program prompts, use the down and up arrows to move among fields, and use the Tab key to move to and from commands (such as <Yes>, <No>, <OK>, and <Cancel>). Press Enter to register your command response and move to the next prompt.
    2.) The Setup program adopts the color scheme of the desktop or console you use to access the host.
    3.) During the Setup program, when you are prompted for the network configuration of the host, be sure to specify the same network configuration that was used for the original installation of 11.x on this host (it must be exactly the same).

    This initiates the nwsetup-tui (Setup program) and the EULA is displayed.

  12. Tab to Accept and press Enter.
    The Is this the host you want for your 11.3 NW Server prompt is displayed.

    Your response to this prompt identifies a host as either the primary or secondary during a fresh install (and the selected response stays constant regardless of the host's current or future role, that is, active or standby).
  13. Tab to Yes and press Enter.
    The Install or Upgrade prompt is displayed.
  14. Tab to 4 Install (Warm Standby) and press Enter.
    The Standby Host Recovery Mode prompt is displayed.
  15. Tab to:
    • No and press Enter to set up a secondary NW Server with the standby role (most common scenario).
    • Yes and press Enter to set up a host that was previously used as a primary NW Server with the standby role so you can execute a fail-over and fail-back (less common scenario).

    The NW Active Server IP Address prompt is displayed.
  16. Type the IP Address of the NW Server in the active role, tab to OK, and press Enter.
    The Host Name prompt is displayed.

    Caution: If you include "." in a host name, the host name must also include a valid domain name.

  17. Press Enter if you want to keep this name. If not, edit the host name, tab to OK, and press Enter to change it.

    The Master Password prompt is displayed.

    Note: You must use the same Master and Deploy Admin credentials for the Warm Standby NW Server Host that you used for the Active NW Server Host.

    The following characters are supported for the Master Password and Deployment Password:

    • Symbols : ! @ # % ^ +
    • Lowercase Characters : a-z
    • Uppercase Characters : A-Z

    No ambiguous characters are supported for the Master Password and Deployment Password. For example: space { } [ ] ( ) / \ ' " ` ~ ; : . < > -

  18. Type the Password, down arrow to Verify, retype the password, tab to OK, and press Enter.
    The Deployment Password prompt is displayed.
  19. Type in the Password, down arrow to Verify, retype the password, tab to OK, and press Enter.
    One of the following conditional prompts is displayed.
    • If the Setup program finds a valid IP Address for this host, the following prompt is displayed.

      Press Enter if you want to use this IP and avoid changing your network settings. Tab to Yes and press Enter if you want to change the IP configuration found on the host.
    • If you are using an SSH connection, the following warning is displayed.

      Note: If you connect directly from the host console, the following warning is not displayed.

      Press Enter to close the warning prompt.

    • If the Setup Program found an IP configuration and you chose to use it, the Update Repository prompt is displayed. Go to step 23 and complete the installation.
    • If the Setup Program did not find an IP configuration, or if you chose to change the existing IP configuration, the Network Configuration prompt is displayed.
  20. Tab to OK and press Enter to use Static IP.
    If you want to use DHCP, down arrow to 2 Use DHCP and press Enter.
    The Network Configuration prompt is displayed.
  21. Down arrow to the network interface you want, tab to OK, and press Enter. If you do not want to continue, tab to Exit.
    The Static IP Configuration prompt is displayed.
  22. Type the configuration values (using the down arrow to move from field to field), tab to OK, and press Enter. If you do not complete all the required fields, an All fields are required error message is displayed (the secondary DNS Server and Local Domain Name fields are not required). If you use the wrong syntax or character length for any of the fields, an Invalid <field-name> error message is displayed.

    Caution: If you select DNS Server, make sure that the DNS Server is correct and the host can access it before proceeding with the installation.

    The Update Repository prompt is displayed.

  23. Press Enter to choose the Local Repo on the NW Server.
    If you want to use an external repo, down arrow to External Repo, tab to OK, and press Enter.
    • If you select 1 The Local Repo (on the NW Server) in the Setup program, make sure that you have the appropriate media attached to the host (media that contains the ISO file, for example a build stick) from which it can install NetWitness Platform 11.2.0.0. If the program cannot find the attached media, you receive the following prompt.
    • If you select 2 An External Repo (on an externally-managed server), the UI prompts you for a URL. The repositories give you access to RSA updates and CentOS updates. Refer to "Appendix B. Create an External Repo" in the Physical Host Installation Guide for RSA NetWitness Platform 11.3 for instructions on how to create this repo and its external repo URL so you can enter it in the following prompt.

      Enter the base URL of the NetWitness Platform external repo and click OK. The Start Install prompt is displayed.
      See "Set Up an External Repository with RSA and OS Updates" under "Hosts and Services Procedures" in the RSA NetWitness Platform Hosts and Services Getting Started Guide for instructions. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.
      The Disable firewall prompt is displayed.
  24. Tab to No (default), and press Enter to use the standard firewall configuration. Tab to Yes, and press Enter to disable the standard firewall configuration.
    If you select Yes, confirm your selection (select Yes again) or select No to use the standard firewall configuration.

    The Start Install/Upgrade prompt is displayed.
  25. Press Enter to install 11.3 on the NW Server.
    When Installation complete is displayed, you have installed the 11.3 NW Server on this host.

    Note: Ignore the hash code errors similar to the errors shown in the following figure that are displayed when you initiate the nwsetup-tui command. Yum does not use MD5 for any security operations, so they do not affect the system security.

  26. License the secondary NW Server.
    a. Log in to the secondary NW Server User Interface, click ADMIN > System > Info, and note the License Server ID under Version Information.
    b. SSH to the primary NW Server.
    c. Edit the /opt/netwitness/flexnetls/local-configuration.yaml file and add the backup hostid (that is, the License Server ID).
      This is an example of the section of the local-configuration.yaml file before you add the License Server ID.
      # Hostid of the backup server, if in fail over configuration.
      #backup-hostid:

      This is an example of the section of the local-configuration.yaml file after you add the MAC address (for example, 000c2918c80d) of the Warm Standby NW Server Host.
      # Hostid of the backup server, if in fail over configuration.
      backup-hostid: "000c2918c80d"
    d. Restart the fneserver service.
      systemctl restart flexnetls-RSALM
    e. (Conditional) If your NetWitness Platform deployment is prohibited from accessing the Internet (Air Gap), you must:
      1. Download the capability request from the NetWitness Platform User Interface.
      2. Upload the request to FNO.
      3. Upload the response from FNO to the NetWitness Platform User Interface.
  27. Schedule the backup of the primary NW Server and the copying of this backed-up data to the secondary NW Server.
    a. SSH to the primary NW Server.
    b. Submit the following command.
      /opt/rsa/saTools/bin/schedule-standby-admin-data-sync -di <warm-standby-admin-server-ip>
      This backs up the primary NW Server data and copies the backup archive file to the secondary NW Server daily for future fail-over use. It also schedules the backup and copy to execute on a daily basis. You can display help for the schedule-standby-admin-data-sync script with the following command string.
      /opt/rsa/saTools/bin/schedule-standby-admin-data-sync --help
      This returns the following help, to which you can refer to customize the host data backup (such as the backup frequency).
      Schedule Data Synch between AdminServer and Standby AdminServer
      Script also executes a synchronization each time.

      Usage:
      schedule-standby-admin-data-sync command [options]

      Commands:
      -h, --help                       Display Help
      -d, --daily                      Schedule daily data synchronization
      -w, --weekly                     Schedule weekly data synchronization
      -c, --custom <crontab formatted> Schedule custom data synchronization
                                       i.e. to schedule for midnight on 1st
                                       and 10th of the month: '0 0 1,10 * *'
      -i, --standby-ip <ip address>    IP address of standby Admin Server
      -v, --verbose                    Enable verbose output

Fail Over Primary NW Server to Secondary NW Server

Initially, the primary NW Server fails over to the secondary NW Server. A subsequent fail-over, from the secondary NW Server back to the primary NW Server, is referred to as a fail-back. Complete the following procedure to fail over from the primary NW Server to the secondary NW Server.

  1. SSH to the secondary NW Server.
  2. Run the nw-failover script with the appropriate arguments. For example:
    nw-failover --make-active --ip-address <active-nw-server-host-ip> --name <primary-nw-server-hostname>
    After the script completes, the following message is displayed.
    *** Please update network ip and reboot host to complete the fail over process ***
  3. Update the CentOS network configuration to swap IP Addresses.
    • Planned Fail-Over - primary NW Server did not fail:
      a. SSH to the primary NW Server.
      b. Assign an unused IP Address to the primary NW Server.
      c. Run the fail-over script with the appropriate arguments to assign the standby role to the primary NW Server. For example:
        nw-failover --make-standby --ip-address <unused-ip-or-previous-standby-ip> --name <previous-standby-nw-server-hostname>
      d. Shut down the primary NW Server.
      e. SSH to the secondary NW Server.
      f. Assign the IP Address of the primary NW Server that you recorded to the secondary NW Server.
    • Required Fail-Over - primary NW Server failed:
      a. SSH to the secondary NW Server.
      b. Assign the IP address of the primary NW Server to the secondary NW Server.

        Note: If you have a catastrophic failure, you may need to provision a new host or re-image the primary NW Server and complete the Set Up Secondary NW Server in Standby Role procedure for this host to create a new primary NW Server so you can fail back to it.

  4. Reboot the host.
  5. Make sure that the fail-over is set up correctly.
    a. SSH to the Standby NW Server.
    b. Make sure that the Active NW Server:
      1. Can resolve its UUID (Universally Unique Identifier). Run:
        source /usr/lib/netwitness/bootstrap/resources/nwcommon 2>/dev/null > /dev/null
        nslookup $(getNodeID)
        The nslookup command should return the current Active NW Server IP address.
      2. Matches the same IP address that was resolved in the previous step.

Fail Back Secondary NW Server to Primary NW Server

After a fail-over from the primary NW Server to the secondary NW Server, you need to fail back to your original setup of the primary NW Server in the active role and the secondary NW Server in the standby role.

Essentially, you follow the same steps described under Fail Over Primary NW Server to Secondary NW Server to fail back to your original setup (that is, primary NW Server active and secondary NW Server standby). The difference is that you now need to fail over from the secondary NW Server to the primary NW Server.