Azure 10.6.6.x to 11.3 Upgrade: Preparation Tasks

Document created by RSA Information Design and Development Employee on Apr 12, 2019. Last modified by RSA Information Design and Development Employee on Sep 26, 2019. Version 7.

Complete the following tasks to prepare for the upgrade to NetWitness Platform. These tasks are organized by the following categories.

Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.


Task 1 - Review Core Ports and Open Firewall Ports

The following tables list new ports in

Caution: Make sure that the new ports are implemented and tested before upgrading so that the upgrade does not fail due to missing ports.

NW Server Host

  Source Host          Destination Host   Destination Ports
  NW Hosts             NW Server          TCP 4505, 4506 (Salt Master ports)
  NW Hosts             NW Server          TCP 27017 (MongoDB)
  Admin Workstation    NW Server          TCP 15671 (RabbitMQ Management UI)
  NW Hosts             NW Server          TCP 15671 (RabbitMQ Management UI)

ESA Host

  Source Host                              Destination Host   Destination Ports
  NW Server, NW Endpoint, ESA Secondary    ESA Primary        TCP 27017 (MongoDB)

Endpoint Log Hybrid

  Source Host          Destination Host   Destination Ports
  Endpoint Log Hybrid  NW Server          TCP 5672 (Message Bus)
  Endpoint Server      NW Server          TCP 27017 (MongoDB)

All NetWitness Platform core ports are listed in the "Network Architecture and Ports" topic in the Deployment Guide in case you need to reconfigure NetWitness Platform services and firewalls.
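As an added pre-upgrade check (not part of the RSA document), the following script tests, from a source host, whether each new destination port in the tables above accepts a TCP connection; NW_SERVER and ESA_PRIMARY are placeholder host names that you must set for your deployment.

```shell
# check_port HOST PORT: succeed if a TCP connection to HOST:PORT opens within
# 3 seconds. Uses bash's /dev/tcp so no extra tools (nc, nmap) are required.
check_port() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# run_checks: read "HOST PORT DESCRIPTION" lines from stdin, print one OK/FAIL
# line per port and return the number of ports that did not accept a connection.
run_checks() {
    failures=0
    while read -r host port desc; do
        [ -z "$host" ] && continue
        if check_port "$host" "$port"; then
            printf 'OK    %-32s %-6s %s\n' "$host" "$port" "$desc"
        else
            printf 'FAIL  %-32s %-6s %s\n' "$host" "$port" "$desc"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# new_ports: the destination ports from the three tables above. NW_SERVER and
# ESA_PRIMARY are placeholders (constructed for this example); set them to your
# host names and keep only the rows whose source host is the host you run on.
NW_SERVER="${NW_SERVER:-nw-server.example.invalid}"
ESA_PRIMARY="${ESA_PRIMARY:-esa-primary.example.invalid}"
new_ports() {
    cat <<EOF
$NW_SERVER 4505 Salt Master
$NW_SERVER 4506 Salt Master
$NW_SERVER 27017 MongoDB
$NW_SERVER 15671 RabbitMQ Management UI
$NW_SERVER 5672 Message Bus (Endpoint Log Hybrid source only)
$ESA_PRIMARY 27017 MongoDB (NW Server, NW Endpoint or ESA Secondary source)
EOF
}

# Usage: sh portcheck.sh run   (exit status = number of unreachable ports)
case "${1:-}" in
    run) new_ports | run_checks ;;
esac
```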

Task 2 - Record Your 10.6.6.x admin user Password

Record your 10.6.6.x admin user password. You will need it to complete the upgrade.

Task 3 - Create a Backup of the /etc/fstab File

Copy the /etc/fstab file from all the physical hosts to your local machine (a backup host or remote machine).

Note: You need this file to restore a physical host with external storage mounts.

Task 4 - Make Sure Password Strength Settings Check Boxes Are Set in 10.6.6.x

Note: You can skip this task if you do not want to migrate the password strength setting to

The check box to the left of the Password Strength Settings in the Administration > Security > Settings tab must be set in 10.6.6.x or these settings will not be migrated to

If you do not require a setting (for example, Non-Latin Alphabetic Characters) in your password for, you do not need to check this box. The Minimum Password Length is 3 or larger in version 10.6.6.x and 4 in version This means that if you set the Minimum Password Length to 3 (default) in 10.6.6.x, you must set it to 4 or larger for

Complete the following task to make sure that the Password Strength Settings check boxes are set in 10.6.6.x.

  1. In Security Analytics 10.6.6.x, go to the Administration > Security > Settings tab.
  2. Make sure that the required check boxes to the left of the Password Strength Settings are set and click Apply.
    The following example shows the required check boxes as set (required in 10.6.6.x before upgrading to

Task 5 (Conditional) - Extract 10.6.x Public Key Infrastructure (PKI) Certificates

Before you upgrade from 10.6.6.x to, complete the following procedure to extract the existing 10.6.x PKI keystores that contain server certificates with private keys, and the truststores that contain the trusted CA certificates.

  1. Download the file from RSA Link > RSA NetWitness Platform > Downloads > RSA NetWitness LOGS & NETWORK > Version
  2. Extract the pki-migration-1.0.jar file from the file.
  3. SSH to the 10.6.6.x Security Analytics Server host and log in with the root credentials.
  4. Copy the pki-migration-1.0.jar file into the /tmp folder.
  5. Run the following command strings to extract the certificates.
    cd /tmp
    java -jar pki-migration-1.0.jar
    This command:
    • Creates the rsa-pki-migration-tool-<yyyy-MM-dd-hh-mm> directory under the /tmp directory.
    • Extracts the output files into the /tmp/rsa-pki-migration-tool-<yyyy-MM-dd-hh-mm> directory.
    • Creates a keystore (for example, <keystore-X>.p12) for each server certificate.
      The keystore is encrypted with netwitness as the password.
    • Creates a certificate file (for example, <certificate-X>.cer) for each trusted CA certificate in the truststore.

      Note: Refer to the line in the console output to find the storage location of the:
        • server certificate (<keystore-X>.p12). For example:
        • trusted CA certificate (<certificate-X>.cer). For example:
      This process does not modify the original keystores and trusted CA certificates of 10.6.6.x. You can run these steps multiple times, if required.

  6. Open any keystore and display its contents to verify that the extracted keystores and the trusted CA certificates are correct.
    cd rsa-pki-migration-tool-<yyyy-MM-dd-hh-mm>
    ls -ltrh
    openssl x509 -in <certificate-X>.cer -inform DER
    The certificate is displayed in PEM (Base64) format. For example:

    keytool -list -keystore <keystore-X>.p12 -storetype PKCS12 -storepass netwitness

    The following is an example of the output.
    Keystore type: PKCS12
    Keystore provider: <XXXXX>
  7. Exit the keystore.

You can use:

  • One of the .p12 keystore files as a server certificate. Refer to the command output to find the .p12 file that corresponds to the server certificate you must use.
  • The extracted certificate files (.cer) as trusted CA certificates.

For instructions on how to configure PKI authentication, see the “System Security and User Management Guide”.
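An added example, not from the RSA procedure or the pki-migration tool: after step 5, this summarizes every extracted trusted CA certificate (.cer) with its subject and expiry date and flags any that is already expired, so that a stale trust anchor is noticed before it is carried into the new deployment. It assumes openssl is installed on the host and that the directory argument is the rsa-pki-migration-tool-<yyyy-MM-dd-hh-mm> directory.

```shell
# cert_summary FILE: print "subject|notAfter|status" for one DER-encoded .cer
# file, where status is VALID or EXPIRED. Returns 1 if openssl cannot parse it.
cert_summary() {
    subject=$(openssl x509 -in "$1" -inform DER -noout -subject 2>/dev/null) || {
        printf '%s|unreadable|ERROR\n' "$1"
        return 1
    }
    notafter=$(openssl x509 -in "$1" -inform DER -noout -enddate | sed 's/^notAfter=//')
    # -checkend 0 succeeds only while the certificate is still inside its validity period
    if openssl x509 -in "$1" -inform DER -noout -checkend 0 >/dev/null 2>&1; then
        status=VALID
    else
        status=EXPIRED
    fi
    printf '%s|%s|%s\n' "${subject#subject=}" "$notafter" "$status"
}

# summarize_dir DIR: run cert_summary over every .cer file in DIR and return
# the number of certificates that are expired or unreadable, so a non-zero
# exit status means "review these before migrating them".
summarize_dir() {
    bad=0
    for f in "$1"/*.cer; do
        [ -e "$f" ] || continue
        if line=$(cert_summary "$f"); then
            case "$line" in *'|EXPIRED') bad=$((bad + 1)) ;; esac
        else
            bad=$((bad + 1))
        fi
        printf '%s: %s\n' "$(basename "$f")" "$line"
    done
    return "$bad"
}
```

Run it as `summarize_dir /tmp/rsa-pki-migration-tool-<yyyy-MM-dd-hh-mm>`; an expired entry is one you should not add as a trusted CA certificate.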

Event Stream Analysis (ESA)

Task 6 - Record Any String Array Type Meta Keys on the Event Stream Analysis Service

Record any string array type meta keys in the ArrayFieldNames parameter on the Event Stream Analysis service.

  1. In Security Analytics 10.6.6.x, go to Administration > Services.
  2. In the Services view, select an Event Stream Analysis service and then select the Actions icon > View > Explore.
  3. In the Explore view node list, select Workflow > Source > netgenAggregationSource.
  4. In the ArrayFieldNames parameter field, make a note of the string array type meta keys listed so you can verify that they are on the ESA Correlation service after the upgrade.


Task 7 - Check Aggregation Rules Match Conditions for “Domain” or “Domain for Suspected C&C”

Make a note of any Incident Management aggregation rules that have match conditions using Domain or Domain for Suspected C&C in the drop-down list in the rule builder. You will need to add back these conditions after you upgrade to as described in the "Respond" Post Upgrade Tasks later in this document.

Complete the task for each aggregation rule.

  1. In Security Analytics 10.6.6.x, go to Incidents > Configure > Aggregation Rules tab and edit the rules to view the matching conditions.
  2. In the Match Conditions section, look for Domain or Domain for Suspected C&C listed in the drop-down lists for the conditions.
  3. Make a note of the rule name and the entire condition that uses Domain or Domain for Suspected C&C, including operators and values.

Task 8 - Set Data Retention Run Interval to ≥ 24 Hours

In Security Analytics 10.6.6.x, the Data Retention run interval does not have any minimum value check. In, RSA added a validation check to make sure that it is run at least every 24 hours. When you upgrade to, if this value is less than 24 hours, the Respond service will not start.

Complete the following task to ensure that the Respond service starts after upgrading to

  1. In Security Analytics 10.6.6.x, go to ADMIN > Services.
  2. Select the Incident Management service, and then select > View > Explore.
  3. In the Incident Management Explore view, go to Service > Configuration > dataRetentionConfiguration.
  4. Make sure that the FrequencyInHours parameter is ≥ 24.

Reporting Engine

(Conditional) Task 9 - Unlink External Storage

If the Reporting Engine has external storage, such as Storage Area Network (SAN) or Network Attached Storage (NAS) for storing reports, complete the following task to unlink the storage.

Note: In these steps:
/home/rsasoc/rsa/soc/reporting-engine/ is the Reporting Engine home directory.
/externalStorage/ is where the external storage is mounted.

  1. SSH to the Reporting Engine host and log in with your root credentials.
  2. Stop the Reporting Engine service.
    stop rsasoc_re
  3. Switch to the rsasoc user.
    su rsasoc
  4. Change to the Reporting Engine home directory.
    cd /home/rsasoc/rsa/soc/reporting-engine/
  5. Unlink the resultstore directory mounted to external storage.
    unlink /externalStorage/resultstore
  6. Unlink the formattedReports directory mounted to external storage.
    unlink /externalStorage/formattedReports

Warehouse Connector

(Conditional) Task 10 - Copy keytab Files Stored in Another Directory to the root or etc Directory

Complete the following task to copy the keytab files to the root or etc directory if they are stored in another directory.

  1. Record the absolute path of the NFS mount directory and the keytab file.
    You need this information to restore the Warehouse Connector after the upgrade.
  2. Unmount the NFS directory.
    1. SSH to the Warehouse Connector and log in with root credentials.
    2. Submit the following command to unmount the NFS directory.
      umount <NFS-absolute-path>
