Complete the following tasks to prepare for the upgrade to NetWitness Platform 11.4. These tasks are organized by the following categories.
- General
- Event Stream Analysis (ESA)
- Reporting Engine
- Respond
- Warehouse Connector
Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents.
General
Task 1 - Review Core Ports and Open Firewall Ports
The following tables list new ports in 11.4.
Caution: Make sure that the new ports are implemented and tested before upgrading so that upgrade does not fail due to missing ports.
NW Server Host
Source Host | Destination Host | Destination Ports | Comments |
---|---|---|---|
NW Hosts | NW Server | TCP 4505, 4506 | Salt Master Ports |
NW Hosts | NW Server | TCP 27017 | MongoDB |
Admin Workstation | NW Server | TCP 15671 | RabbitMQ Management UI |
NW Hosts | NW Server | TCP 15671 | RabbitMQ Management UI |
ESA Host
Source Host | Destination Host | Destination Ports | Comments |
---|---|---|---|
NW Server, NW Endpoint, ESA Secondary | ESA Primary | TCP 27017 | MongoDB |
Endpoint Log Hybrid
Source Host | Destination Host | Destination Ports | Comments |
---|---|---|---|
Endpoint Log Hybrid | NW Server | TCP 5672 | Message Bus |
Endpoint Server | NW Server | TCP 27017 | MongoDB |
All NetWitness Platform core ports are listed in the "Network Architecture and Ports" topic in the Deployment Guide in case you need to reconfigure NetWitness Platform services and firewalls.
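The Caution above asks that the new ports be tested before the upgrade. The following is an added Python example, not part of the RSA documentation: run it on a source host against the address of the destination role and it probes every new 11.4 port from the tables above. A refused connection still proves the firewall path is open (the 11.4 service simply is not listening yet); a timeout is the usual sign of a blocked port. The address 10.0.0.5 in the usage comment is a constructed placeholder.

```python
import socket
import sys
from typing import Dict, Tuple

# New 11.4 port rules from the tables above: (source role, destination role, ports, comment).
NEW_PORT_RULES = [
    ("NW Hosts", "NW Server", [4505, 4506], "Salt Master Ports"),
    ("NW Hosts", "NW Server", [27017], "MongoDB"),
    ("Admin Workstation", "NW Server", [15671], "RabbitMQ Management UI"),
    ("NW Hosts", "NW Server", [15671], "RabbitMQ Management UI"),
    ("NW Server, NW Endpoint, ESA Secondary", "ESA Primary", [27017], "MongoDB"),
    ("Endpoint Log Hybrid", "NW Server", [5672], "Message Bus"),
    ("Endpoint Server", "NW Server", [27017], "MongoDB"),
]


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> Tuple[bool, str]:
    """Try one TCP connect and classify the result as (path_open, reason).

    open    - handshake completed, a listener answered.
    refused - RST came back: the firewall path is open even though nothing
              listens yet, which is expected for 11.4 services before the upgrade.
    timeout - no reply at all, the usual sign of a firewall dropping the SYN.
    Other errors (DNS failure, no route) are reported verbatim as not open.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "open"
    except ConnectionRefusedError:
        return True, "refused"
    except socket.timeout:
        return False, "timeout"
    except OSError as exc:
        return False, f"error: {exc}"


def audit_destination(dest_role: str, dest_addr: str, timeout: float = 3.0) -> Dict[int, Tuple[bool, str]]:
    """Probe every distinct port that any source role needs on dest_role."""
    ports = sorted({p for _, role, plist, _ in NEW_PORT_RULES if role == dest_role for p in plist})
    return {port: probe_tcp(dest_addr, port, timeout) for port in ports}


if __name__ == "__main__":
    # Usage on a source host: python3 check_ports.py "NW Server" 10.0.0.5  (constructed address)
    role, addr = sys.argv[1], sys.argv[2]
    results = audit_destination(role, addr)
    for port, (ok, reason) in results.items():
        print(f"{addr}:{port:<6} {'PASS' if ok else 'FAIL'} ({reason})")
    sys.exit(0 if all(ok for ok, _ in results.values()) else 1)
```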
Task 2 - Record Your 10.6.6.x admin user Password
Record your 10.6.6.x admin user password. You will need it to complete the upgrade.
Task 3 - Create a Backup of the /etc/fstab File
Copy the /etc/fstab file from all the physical hosts to your local machine (backup host or remote machine).
Note: You need this file to restore a physical host with external storage mounts.
Task 4 - Make Sure Password Strength Settings Check Boxes Are Set in 10.6.6.x
The check box to the left of the Password Strength Settings in the Administration > Security > Settings tab must be set in 10.6.6.x or these settings will not be migrated to 11.4.
Complete the following task to make sure that the Password Strength Settings check boxes are set in 10.6.6.x.
- In Security Analytics 10.6.6.x, go to the Administration > Security > Settings tab.
- Make sure that all of the check boxes to the left of the Password Strength Settings are set. If they are not, set them and click Apply.
The following example shows all check boxes as set (required in 10.6.6.x before upgrading to 11.4).
Task 5 (Conditional) - Extract 10.6.x Public Key Infrastructure (PKI) Certificates
Before you upgrade from 10.6.6.x to 11.4, complete the following procedure to extract the existing 10.6.x PKI keystores that contain server certificates with private keys, and the truststores that contain the trusted CA certificates.
- Download the rsa-nw-pki-migration-10.6.6.zip file from RSA Link > RSA NetWitness Platform > Downloads > RSA NetWitness LOGS & NETWORK > Version 11.4.
- Extract the pki-migration-1.0.jar file from the rsa-nw-pki-migration-10.6.6.zip file.
- SSH to the 10.6.6.x Security Analytics Server host and log in with the root credentials.
- Copy the pki-migration-1.0.jar file into /tmp folder.
- Run the following command strings to extract the certificates.
cd /tmp
java -jar pki-migration-1.0.jar extract
This command:
- Creates the rsa-pki-migration-tool-<yyyy-MM-dd-hh-mm> directory under the /tmp directory.
- Extracts output files into the /tmp/rsa-pki-migration-<yyyy-MM-dd-hh-mm> directory.
- Creates a keystore (for example, <keystore-X>.p12) for each server certificate. The keystore is encrypted with netwitness as the password.
- Creates a certificate file (for example, <certificate-X>.cer) for each trusted CA certificate in the truststore.
Note: Refer to the console output to find the storage location of the:
- server certificate (<keystore-X>.p12)
- trusted CA certificate (<certificate-X>.cer)
This process does not modify the original keystores and trusted CA certificates of 10.6.6.x. You can run these steps multiple times, if required.
- Open any keystore and display its contents to verify that the extracted keystores and the trusted CA certificates are correct.
cd rsa-pki-migration-tool-<yyyy-MM-dd-hh-mm>
ls -ltrh
openssl x509 -in <certificate-X>.cer -inform DER
The certificate is displayed in PEM (Base64) format.
keytool -list -keystore <keystore-X>.p12 -storetype PKCS12 -storepass netwitness
The following is an example of the output.
Keystore type: PKCS12
Keystore provider: <XXXXX>
- Exit the keystore.
exit
You can use:
- One of the .p12 keystore files as a server certificate. Refer to the command output to find the .p12 file that corresponds to the server certificate you must use.
- The extracted certificate files (.cer) as trusted CA certificates.
For instructions on how to configure PKI authentication, see the “System Security and User Management Guide”.
Event Stream Analysis (ESA)
Task 6 (Conditional) - Record Any String Array Type Meta Keys on the Event Stream Analysis Service
If you added any string array type meta keys to the Event Stream Analysis service for your ESA correlation rules in 10.6.6.x or earlier, record these meta keys so you can verify that they exist after upgrade to 11.4.
To record your 10.6.6.x string array type meta keys before the 11.4 upgrade:
- In Security Analytics 10.6.6.x, in the Explore view node list of the Event Stream Analysis service, select Workflow > Source > netgenAggregationSource.
- In the ArrayFieldNames list, make a note of any string array type meta keys added to the Event Stream Analysis service so you can verify that they are on the ESA Correlation service after the upgrade.
Respond
Task 7 - Check Aggregation Rules Match Conditions for “Domain” or “Domain for Suspected C&C”
Make a note of any Incident Management aggregation rules that have match conditions using Domain or Domain for Suspected C&C in the drop-down list in the rule builder. You will need to add back these conditions after you upgrade to 11.4 as described in the "Respond" Post Upgrade Tasks later in this document.
Complete the task for each aggregation rule.
- In Security Analytics 10.6.6.x, go to Incidents > Configure > Aggregation Rules tab and edit the rules to view the matching conditions.
- In the Match Conditions section, look for Domain or Domain for Suspected C&C listed in the drop-down lists for the conditions.
- Make a note of the rule name and the entire condition that uses Domain or Domain for Suspected C&C, including operators and values.
Task 8 - Set Data Retention Run Interval to ≥ 24 Hours
In Security Analytics 10.6.6.x, the Data Retention run interval does not have any minimum value check. In 11.3, RSA added a validation check to make sure that it is run at least every 24 hours. When you upgrade to 11.3 and later, if this value is less than 24 hours, the Respond service will not start.
Complete the following task to ensure that the Respond service starts after upgrading to 11.4.
- In Security Analytics 10.6.6.x, go to ADMIN > Services.
- Select the Incident Management service, and then select View > Explore.
- In the Incident Management Explore view, go to Service > Configuration > dataRetentionConfiguration.
- Make sure that the FrequencyInHours parameter is ≥ 24.
Reporting Engine
(Conditional) Task 9 - Unlink External Storage
If the Reporting Engine has external storage, such as Storage Area Network (SAN) or Network Attached Storage (NAS) for storing reports, complete the following task to unlink the storage.
Note: In these steps:
/home/rsasoc/rsa/soc/reporting-engine/ is the Reporting Engine home directory.
/externalStorage/ is where the external storage is mounted.
- SSH to the Reporting Engine host and log in with your root credentials.
- Stop the Reporting Engine service.
stop rsasoc_re
- Switch to the rsasoc user.
su rsasoc
- Change to the Reporting Engine home directory.
cd /home/rsasoc/rsa/soc/reporting-engine/
- Unlink the resultstore directory mounted to external storage.
unlink /externalStorage/resultstore
- Unlink the formattedReports directory mounted to external storage.
unlink /externalStorage/formattedReports
Warehouse Connector
(Conditional) Task 10 - Copy keytab files in root or etc Directory Stored in Other Directory
Complete the following task to copy the keytab files to the root or etc directory if they are stored in another directory.
- Record the absolute path of the NFS mount directory and the keytab file. You need this information to restore the Warehouse Connector after the upgrade.
- Unmount the NFS directory:
- SSH to the Warehouse Connector and log in with root credentials.
- Submit the following command to unmount the NFS directory.
umount <NFS-absolute-path>