000037760 - ConsoleServer Service will not start after system has been recovered from Backup in RSA NetWitness Endpoint

Document created by RSA Customer Support Employee on Aug 6, 2019
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000037760
Applies ToRSA Product Set: NetWitness Endpoint
RSA Product/Service Type: NetWitness Endpoint
RSA Version/Condition: 4.4.x.x
Platform: Windows
IssueThe NW Endpoint Product has been moved to another system or disaster recovery restore.
When starting the Console Server the following exception is thrown.

[6] System.ComponentModel.Win32Exception:
Error 1312 at HttpSetServiceConfiguration
   at a.b.Xᝅ.ᜀ(X509Store A_0, X509Certificate A_1, IPAddress A_2, Int32 A_3, Boolean A_4)
   at a.b.X᝘..ctor(String A_0, String[] A_1, String A_2, String A_3, CancellationToken A_4, Int32 A_5)
   at a.b.Xᝄ..ctor(Boolean A_0, String[] A_1, String A_2, String A_3, CancellationToken A_4, Int32 A_5)
   at EConsole.Server.ServerLogic.CreateHttp(Int32 httpsPort, String serverCertSubject, String clientCertSubject)
   at a.b.X᝝.ᜄ()
[6] System.ComponentModel.Win32Exception:
A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)

CauseThe most likely cause of this issue is that Certificates were not imported. ConsoleServer.exe.config file does not have the correct hash(thumbprint) of the NWEServer certificate (EcatServerExported if the certificate is older) or the certificates were not imported correctly.
ResolutionFirst step is to open up the Microsoft Management Console. ( See the 4.4 Install Guide under  Subheading Installation -> Step 4  (Optional) Export Primary Server Certificates on page 59). 
To note: Keep this file open because we will be using this guide for additional troubleshooting.

Once the MMC Certificates is open, expend Certificates -> Personal -> Certificates panel -> double click the NweServerCertificate -> Details -> scroll down to Thumbprint section.  

Open the <Drive>\Program Files\RSA\ECAT\Server\ConsoleServer.exe.config file with notepad or another text editor.
Search for string "LocalHttpsServerCertHash" compare the thumbprint with the NweServerCertificate thumbprint. they should be the same.
(The letters will be uppercase in the ConsoleServer.exe.config file)
Search again further in the file for string <serviceCertificate storeLocation, (example below:)

findValue="0xAF1EB0193A038A3E15123E8EA1E7D092ABA2D73F" storeName="My"/>
                        <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="EConsole.Server.Rest.EcatUserNamePassValidator, ConsoleServer"/>

If the certhash is different, make a back-up copy of the ConsoleServer.exe.config file, stop the API service.
Edit the two certhash entries to match the thumbprint of the Server certificate (as displayed in the details tab)
(Use upper case letters, for the first line, do not prefix the "0x" for the first entry.)
Start the API and Console Server service.  

If the ConsoleServer service should fail again;
Stop the API service
Follow the directions as stated in the 4. User Guide on pages 59 to 73  make sure you export the private key and select .pfx file format.
After certificates have been imported, start the ConsoleServer service and API service.