AWS Upgrade: Upgrade Preparation Tasks

Document created by RSA Information Design and Development Employee on Apr 12, 2019Last modified by RSA Information Design and Development Employee on Jul 20, 2020
Version 12Show Document
  • View in full screen mode

Complete the following tasks to prepare for the upgrade to NetWitness Platform 11.4. These tasks are organized by the following categories.


Task 1 - Review Core Ports and Open Firewall Ports

The following tables list new ports in 11.4.

Caution: Make sure that the new ports are implemented and tested before upgrading so that upgrade does not fail due to missing ports.

NW Server Host


Source Host

Destination Host

Destination Ports


NW HostsNW ServerTCP 4505, 4506 Salt Master Ports
NW HostsNW ServerTCP 27017 MongoDB

Admin Workstation

NW Server

TCP 15671

RabbitMQ Management UI

NW Hosts

NW Server

TCP 15671

RabbitMQ Management UI

ESA Host


Source Host

Destination Host

Destination Ports


NW Server,
NW Endpoint,
ESA Secondary
ESA Primary TCP 27017 MongoDB

Endpoint Log Hybrid


Source Host

Destination Host

Destination Ports


Endpoint Log Hybrid

NW Server

TCP 5672

Message Bus

Endpoint Server NW ServerTCP 27017MongoDB

All NetWitness Platform core ports are listed in the "Network Architecture and Ports" topic in the Deployment Guide in case you need to reconfigure NetWitness Platform services and firewalls.

Task 2 - Record Your 10.6.6.x admin user Password

Record your 10.6.6.x admin user password. You will need it to complete the upgrade.

Task 3 - Create a Backup of the /etc/fstab File

Copy the /etc/fstab file from all the physical hosts and into your local machine (backup host or remote machine).

Note: You need this file to restore a physical host with external storage mounts.

Task 4 - Make Sure Password Strength Settings Check Boxes Are Set in 10.6.6.x

The check box to the left of the Password Strength Settings in the Administration > Security > Settings tab must be set in 10.6.6.x or these settings will not be migrated to 11.4.

Complete the following task to make sure that the Password Strength Settings check boxes are set in 10.6.6.x.

  1. In Security Analytics 10.6.6.x, go to the Administration > Security > Settings tab.
  2. Make sure that all of the check boxes to the left of the Password Strength Settings are set. If they are not, set them and click Apply.
    The following example shows all check boxes as set (required in 10.6.6.x before upgrading to 11.4).

Task 5 (Conditional) - Extract 10.6.x Public Key Infrastructure (PKI) Certificates

Before you upgrade to from 10.6.6.x to 11.4, complete the following procedure to extract the existing 10.6.x PKI keystores that contain server certificates with private keys, and the truststores that contain the trusted CA certificates.

  1. Download the file from RSA Link > RSA NetWitness Platform > Downloads > RSA NetWitness LOGS & NETWORK > Version 11.4.
  2. Extract the pki-migration-1.0.jar file from the file.
  3. SSH to the 10.6.6.x Security Analytics Server host and log in with the root credentials.
  4. Copy the pki-migration-1.0.jar file into /tmp folder.
  5. Run the following command strings to extract the certificates.
    cd /tmp
    java -jar pki-migration-1.0.jar
    This :
    • Creates the rsa-pki-migration-tool-<yyyy-MM-dd-hh-mm> directory under the tmp directory.
    • Extracts output files into the /tmp/rsa-pki-migration-<yyyy-MM-dd-hh-mm> directory.
    • Creates a keystore (for example, <keystore-x>.p12) for each server certificate.
      The keystore is encrypted with netwitness as the password.
    • Creates a certificate file (for example, <certificate-X>.cer) for each trusted CA certificate in truststore.

      Note: Refer to the line in the console output to find the storage location of the
                    •  server certificate (<keystore-X>.p12). For Example:
                    •  trusted CA certificate (<certificate-x>.cer). For example
      This process does not modify the original keystores and trusted CA certificates of 10.6.6.x. You can run these steps multiple times, if required.

  6. Open any keystore and display its contents to verify that the extracted keystores and the trusted CA certificates are correct.
    cd rsa-pki-migration-tool-<yyyy-MM-dd-hh-mm>
    ls –ltrh
    Openssl x509 -in <certificate-X>.cer -inform DER
    The certificate in displayed in PEM (Base64) format. For example:

    keytool -list -keystore <keystore-X>.p12 -storetype PKCS12 – storepass netwitness

    The following is an example of the output.
    Keystore type: PKCS12
    Keystore provider: <XXXXX>
  7. Exit the keystore.

You can use:

  • One of the .p12 keystore files as a server certificate. Refer to the command output to find .p12 file that corresponds to the server certificate you must use.
  • The extracted certificate files (.cer) as trusted CA certificates.

For instructions on how to configure PKI authentication, see the “System Security and User Management Guide”.

Event Stream Analysis (ESA)

Task 6 (Conditional) - Record Any String Array Type Meta Keys on the Event Stream Analysis Service

If you added any string array type meta keys to the Event Stream Analysis service for your ESA correlation rules in 10.6.6.x or earlier, record these meta keys so you can verify that they exist after upgrade to 11.4.

To record your 10.6.6.x string array type meta keys before the 11.4 upgrade:

  1. In Security Analytics 10.6.6.x:
    1. Go to the Administration > Services view.
    2. Select the Event Stream Analysis service.
    3. Click (actions) > View > Explore.
  2. In the Explore view node list, select Workflow > Source > netgenAggregationSource.
  3. In the ArrayFieldNames list, make a note of any string array type meta keys added to the Event Stream Analysis service so you can verify that they are on the ESA Correlation service after the upgrade.


Task 7 - Check Aggregation Rules Match Conditions for “Domain” or “Domain for Suspected C&C”

Make a note of any Incident Management aggregation rules that have match conditions using Domain or Domain for Suspected C&C in the drop-down list in the rule builder. You will need to add back these conditions after you upgrade to 11.4 as described in the "Respond" Post Upgrade Tasks later in this document.

Complete the task for each aggregation rule.

  1. In Security Analytics 10.6.6.x, go to Incidents > Configure > Aggregation Rules tab and edit the rules to view the matching conditions.
  2. In the Match Conditions section, look for Domain or Domain for Suspected C&C listed in the drop-down lists for the conditions.

  3. Make a note of the rule name and the entire condition that uses Domain or Domain for Suspected C&C, including operators and values.

Task 8 - Set Data Retention Run Interval to ≥ 24 Hours

In Security Analytics 10.6.6.x, the Data Retention run interval does not have any minimum value check. In 11.3, RSA added a validation check to make sure that it is run at least every 24 hours. When you upgrade to 11.3 and later, if this value is less than 24 hours, the Respond service will not start.

Complete the following task to ensure that the Respond service starts after upgrading to 11.4.

  1. In Security Analytics 10.6.6.x, go to ADMIN > Services.
  2. Select the Incident Management service, and then select > View > Explore.
  3. In the Incident Management Explore view, go to Service > Configuration > dataRetentionConfiguration.

  4. Make sure that the FrequencyInHours parameter is ≥ 24.

Reporting Engine

(Conditional) Task 9 - Unlink External Storage

If the Reporting Engine has external storage, such as Storage Area Network (SAN) or Network Attached Storage (NAS) for storing reports, complete the following task to unlink the storage.

Note: In these steps:
/home/rsasoc/rsa/soc/reporting-engine/ is the Reporting Engine home directory.
/externalStorage/ is where the external storage is mounted.

  1. SSH to the Reporting Engine host and log in with your root credentials.
  2. Stop the Reporting Engine service.
    stop rsasoc_re
  3. Switch to rsasoc user.
    su rsasoc
  4. Change to the Reporting Engine the home directory.
    cd /home/rsasoc/rsa/soc/reporting-engine/
  5. Unlink the resultstore directory mounted to external storage.
    unlink /externalStorage/resultstore
  6. Unlink the formattedReports directory mounted to external storage.
    unlink /externalStorage/formattedReports

Warehouse Connector

(Conditional) Task 10 - Copy keytab files in root or etc Directory Stored in Other Directory

Complete the following task to copy the keytab files in the root or etc directory if it is stored in another directory.

  1. Record the absolute path of NFS mount directory and the keytab file.
    You need this information to restore the Warehouse Connector after upgrade.
  2. Unmount the NFS directory.
    1. SSH to the Warehouse Connector and log in with root credentials.
    2. Submit the following command to unmount the NFS directory.
      umount <NFS-absolute-path>

Other Tasks

Previous Topic:Introduction
You are here
Table of Contents > Upgrade Preparation Tasks