000037999 - Reissuing security certificates on RSA NetWitness Platform 10.6.x

Document created by RSA Customer Support Employee on Sep 26, 2019. Last modified by RSA Customer Support Employee on May 13, 2020.
Version 34

Article Content

Article Number: 000037999
Applies To: RSA Product Set: NetWitness Platform
RSA Product/Service Type: All Appliances
RSA Version/Condition: 10.6.x
Platform: CentOS
O/S Version: 6
Issue: Customers on version 10.6.x or earlier of the RSA NetWitness Platform may have internal platform-issued security certificates that are about to expire or are already expired.
Tasks

A video walkthrough of this procedure is also available: Reissuing Security Certificates on RSA NetWitness - EduTube Video.


The following document describes the steps RSA NetWitness Platform 10.6.x customers need to follow to renew Certificate Authority (CA) certificates that are about to expire or have already expired. After the certificate renewal script described below completes successfully, the CA certificate is reissued with a ten-year validity on every host.

Do not use this procedure if your 10.6.x environment is STIG-enabled. Contact RSA Customer Support for assistance.



Prerequisites



  1. To initiate the certificate renewal process, download the latest RSA NetWitness Platform 11.x Backup Script (currently nw-backup-v4.5.zip) from RSA NetWitness Platform 10.6.6.x to 11.0, 11.1, 11.2 or 11.3 Backup Scripts on RSA Link.

The nw-backup-v4.5.zip will be used throughout this document. Always use the latest version from the link provided above.



  2. Once the nw-backup-v4.5.zip is downloaded:

    1. SSH into the Security Analytics Server (UI Server).
    2. Create a directory in /root to hold the contents of the zip file by running the following command:


# mkdir /root/certreissue


  3. Secure Copy (SCP) the nw-backup-v4.5.zip file to the /root directory and extract its contents into /root/certreissue. Once the file is copied, run the following command from /root to unpack it:


# unzip nw-backup-v4.5.zip -d certreissue


  4. The contents of the /root/certreissue directory should now look like the following:

  • get-all-systems.sh
  • ssh-propagate.sh
  • ca-expiry-test.sh
  • nw-backup.sh
  • 10-6-cert-renewal.sh
  • wlc-cert-renew-10.6.sh

  5. Change to /root/certreissue for the rest of the procedure:


# cd /root/certreissue


  6. Make all the scripts executable by running the following command within the certreissue directory:


# chmod +x *.sh


  7. Check the validity of the current certificates by running the following command on the Security Analytics Server (UI Server):


# ./ca-expiry-test.sh --version <NetWitness Major Version.x>

For Example:
# ./ca-expiry-test.sh --version 10.x



  • If the certificates have not expired go to Scenario 1 under Procedure.
  • If the certificates have expired, go to Scenario 2 under Procedure.
  • If the Windows Legacy Collector (WLC) certificates need to be renewed, go to Renew certificates that have expired or have not yet expired for Windows Legacy Collector (WLC) hosts later in this document.
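The ca-expiry-test.sh output only tells you which scenario to follow. The script below, added here as an example and not part of the article or of the nw-backup scripts, shows the underlying test a practitioner can run with openssl against any certificate file: it classifies a certificate as expired, expiring within 30 days (run Scenario 1 now), short (valid for less than about nine years, so not a ten-year reissued certificate), or ok. The article does not give the on-disk path of the platform CA certificate, so the path is passed as an argument; the three certificates the demo generates with throw-away keys are constructed test data, not platform certificates, and openssl must be installed.

```shell
#!/bin/sh
# Added example: not the article's ca-expiry-test.sh and not RSA code.
# Classifies an X.509 certificate by remaining validity using openssl's
# -checkend test (exit 0 = will NOT expire within N seconds, 1 = it will).
# The platform CA path is not given in the article; pass the file as $1.

THIRTY_DAYS=$((30 * 86400))
NINE_YEARS=$((9 * 365 * 86400))   # a freshly reissued ten-year cert clears this

# cert_status CERT -> prints one of: unreadable | expired | expiring | short | ok
cert_status() {
    cert=$1
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable; return 2
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo expired            # notAfter is already in the past: Scenario 2
    elif ! openssl x509 -in "$cert" -noout -checkend "$THIRTY_DAYS" >/dev/null; then
        echo expiring           # less than 30 days left: run Scenario 1 now
    elif ! openssl x509 -in "$cert" -noout -checkend "$NINE_YEARS" >/dev/null; then
        echo short              # valid, but not a reissued ten-year certificate
    else
        echo ok
    fi
}

# cert_enddate CERT -> prints the certificate's notAfter date
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# report CERT... -> one line per certificate: status, notAfter, path
report() {
    for c in "$@"; do
        printf '%-10s %-26s %s\n' "$(cert_status "$c")" "$(cert_enddate "$c" 2>/dev/null)" "$c"
    done
}

# make_test_cert OUT DAYS: constructed self-signed certificate for the demo only
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=constructed-test-ca" >/dev/null 2>&1
}

# Demo on constructed data: a ten-year certificate (what the renewal issues),
# a one-year certificate, and one that expires tomorrow.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir/ten-year.pem" 3650
make_test_cert "$demo_dir/one-year.pem" 365
make_test_cert "$demo_dir/tomorrow.pem" 1
report "$demo_dir/ten-year.pem" "$demo_dir/one-year.pem" "$demo_dir/tomorrow.pem"
rm -rf "$demo_dir"
```

Run it as `sh check-cert.sh` on the UI server after the renewal and pass the real CA file to `report` to confirm that the reissued certificate shows as ok rather than short.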

 



Procedure



Scenario 1: Renew the certificates which have not yet expired. (All 10.6.x hosts except the Windows Legacy Collector)



  1. SSH to the Security Analytics Server (UI Server).
  2. Get all details about the NetWitness hosts by running the following command.


# ./get-all-systems.sh <IP address of SA Server (UI Server)>

For Example:
# ./get-all-systems.sh 192.168.1.20


  3. Run the following command on the Security Analytics server (UI Server) to propagate SSH keys to the other NetWitness hosts. This lets the rest of the procedure reach each host without repeated password prompts.

You will be prompted for the root (OS) password of each host and must enter it manually.




# ./ssh-propagate.sh /var/netwitness/database/nw-backup/all-systems


  4. Renew the certificates for the Security Analytics Server (UI Server) by running the following command on the UI server itself:


# ./10-6-cert-renewal.sh


It can take 1 to 30 minutes to complete the renewal process. During this time, it may look like the script has stopped functioning. Please be patient.



  5. After the certificate is renewed, reboot the Security Analytics Server (UI Server).
  6. Once the Security Analytics server is back up, renew the certificates for all the other hosts by running the same command on the Security Analytics server once more:


# ./10-6-cert-renewal.sh


It can take 1 to 30 minutes to complete the renewal process. During this time, it may look like the script has stopped functioning. Please be patient.



  7. After the certificates for all the other hosts are renewed, reboot each host in turn so that it starts using its new certificate.
  8. To verify that all certificates are renewed, run the ca-expiry-test.sh script again (see the ca-expiry-test.sh command under Prerequisites).

 



Scenario 2: Renew certificates that have expired. (All 10.6.x hosts except Windows Legacy Collectors)



  1. SSH to the Security Analytics server (UI Server).
  2. Create the following directory if one does not exist:



# mkdir -p /var/netwitness/database/nw-backup


  3. Create the all-systems-master-copy file using vi or another text editor:


# vi /var/netwitness/database/nw-backup/all-systems-master-copy


  4. Add one line for every NetWitness host to the all-systems-master-copy file, in the format shown below. See the hostType chart that follows for the valid host types.


<hostType>,<hostname>,<hostIP>,<nodeid>,<version>

Example:
concentrator,Stack1Con,10.1.1.20,be822b7b-edbd-4e31-a9c5-9e06c9e56ca5,10.6.6.0
logdecoder,Stack1LD,10.1.1.21,6a492be0-522c-4be1-984c-c7c290c6be94,10.6.6.0
saserver,SA151,10.1.1.15,2b64cad8-7f14-49b1-814c-ac521710d8fa,10.6.6.0
vlc,NWAPPLIANCE20393,10.1.1.25,0d6e903f-df54-4f6a-8697-cbe6891b2eb5,10.6.6.0



Ensure that there are no spaces or blank lines in the all-systems-master-copy file.



 



To obtain the details required for the all-systems-master-copy file, take the hostType from the chart below and the remaining fields from the puppet facts as described in the next step.

The default hostType for each kind of NetWitness host:

Server Host                              hostType
Main NetWitness Server (UI Server)       saserver
Stand-Alone Broker                       broker
ESA (Event Stream Analysis)              esa
VLC (Virtual Log Collector)              vlc
Stand-Alone IPDB Extractor               ipdb
Log Archiver                             archiver
Concentrator (Network or Log)            concentrator
Log Decoder                              logdecoder
Log Hybrid                               loghybrid
Packet Decoder (Network)                 packetdecoder
Packet Hybrid (Network)                  packethybrid
Stand-Alone Malware Analysis             malwareanalysis
Stand-Alone Warehouse Connector          whc


  5. To get the other details (hostname, host IP, nodeId and version) for each host:

    1. SSH to the Security Analytics server (UI server).
    2. Run the following commands. Each file in the facts directory is named <nodeid>.yaml, so the nodeId is the file name without the .yaml suffix. If a host reports more than one ipaddress_eth* fact, use the address the Security Analytics server uses to reach that host.



# cd /var/lib/puppet/yaml/facts/
# grep -e hostname -e ipaddress_e -e rsa_sa_platform_version * | sort
cd137ad5-83cf-4dac-97f0-c7e416fc076b.yaml:    hostname: Stack1Broker
cd137ad5-83cf-4dac-97f0-c7e416fc076b.yaml:    ipaddress_eth0: "10.1.1.10"
cd137ad5-83cf-4dac-97f0-c7e416fc076b.yaml:    rsa_sa_platform_version: "10.6.6.0"

For this host:
NodeID is cd137ad5-83cf-4dac-97f0-c7e416fc076b
hostname is Stack1Broker
hostIP is 10.1.1.10
version is 10.6.6.0
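Collecting these four fields by hand for every host is error-prone, and the article's warning that a single space or blank line breaks the file means the result should be checked before it is copied to all-systems. The script below, added here as an example and not part of the article or of the nw-backup scripts, does two things: it builds all-systems-master-copy lines from a directory of puppet fact files (named <nodeid>.yaml and carrying the hostname, ipaddress_eth0 and rsa_sa_platform_version facts shown above), and it validates a finished file line by line against the article's format rules and hostType chart. Because hostType is not a puppet fact, it is supplied through a hostname=hostType mapping file written by the operator. The fact files, the mapping file and the bad line in the demo are constructed test data, not real appliance facts.

```shell
#!/bin/sh
# Added example: not part of the article or of the nw-backup scripts.
# Builds all-systems-master-copy lines from puppet fact files and validates
# the finished file against the article's format:
#   <hostType>,<hostname>,<hostIP>,<nodeid>,<version>   (no spaces, no blank lines)
# Assumption: fact files are named <nodeid>.yaml and carry the facts hostname,
# ipaddress_eth0 and rsa_sa_platform_version; hostType is not a fact, so it is
# read from an operator-written "hostname=hostType" mapping file.

# Valid hostType values from the article's chart.
VALID_TYPES='saserver broker esa vlc ipdb archiver concentrator logdecoder loghybrid packetdecoder packethybrid malwareanalysis whc'

# yaml_value FILE KEY -> the scalar value of KEY (surrounding quotes stripped), first match only
yaml_value() {
    sed -n 's/^[[:space:]]*'"$2"':[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | head -n 1
}

# facts_to_systems FACTS_DIR TYPEMAP -> one CSV record per fact file on stdout
facts_to_systems() {
    dir=$1; map=$2
    for f in "$dir"/*.yaml; do
        [ -f "$f" ] || continue
        nodeid=$(basename "$f" .yaml)
        host=$(yaml_value "$f" hostname)
        ip=$(yaml_value "$f" ipaddress_eth0)
        ver=$(yaml_value "$f" rsa_sa_platform_version)
        htype=$(sed -n 's/^'"$host"'=//p' "$map" | head -n 1)
        if [ -z "$htype" ]; then
            echo "no hostType mapped for host '$host' ($nodeid)" >&2
            return 1
        fi
        printf '%s,%s,%s,%s,%s\n' "$htype" "$host" "$ip" "$nodeid" "$ver"
    done
}

# validate_systems FILE -> exit 0 if every line is a well-formed record;
# otherwise report each problem on stderr and exit 1
validate_systems() {
    file=$1; rc=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if [ -z "$line" ]; then
            echo "line $n: blank line" >&2; rc=1; continue
        fi
        if printf '%s' "$line" | grep -q '[[:space:]]'; then
            echo "line $n: contains whitespace" >&2; rc=1; continue
        fi
        oldifs=$IFS; IFS=,; set -- $line; IFS=$oldifs
        if [ $# -ne 5 ]; then
            echo "line $n: expected 5 comma-separated fields, found $#" >&2; rc=1; continue
        fi
        case " $VALID_TYPES " in
            *" $1 "*) ;;
            *) echo "line $n: unknown hostType '$1'" >&2; rc=1 ;;
        esac
        echo "$3" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || { echo "line $n: bad hostIP '$3'" >&2; rc=1; }
        echo "$4" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' || { echo "line $n: bad nodeid '$4'" >&2; rc=1; }
        echo "$5" | grep -Eq '^[0-9]+(\.[0-9]+)+$' || { echo "line $n: bad version '$5'" >&2; rc=1; }
    done < "$file"
    return $rc
}

# Demo on constructed data (not real appliance facts): two fact files shaped
# like the article's grep output, a hostname=hostType map, and one bad line.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/facts"
printf '    hostname: Stack1Broker\n    ipaddress_eth0: "10.1.1.10"\n    rsa_sa_platform_version: "10.6.6.0"\n' \
    > "$demo_dir/facts/cd137ad5-83cf-4dac-97f0-c7e416fc076b.yaml"
printf '    hostname: Stack1Con\n    ipaddress_eth0: "10.1.1.20"\n    rsa_sa_platform_version: "10.6.6.0"\n' \
    > "$demo_dir/facts/be822b7b-edbd-4e31-a9c5-9e06c9e56ca5.yaml"
printf 'Stack1Broker=broker\nStack1Con=concentrator\n' > "$demo_dir/types"

facts_to_systems "$demo_dir/facts" "$demo_dir/types" > "$demo_dir/all-systems-master-copy"
cat "$demo_dir/all-systems-master-copy"
validate_systems "$demo_dir/all-systems-master-copy" && echo "all-systems-master-copy: OK"

# A stray space before the version field (a common copy-paste slip) is rejected.
printf 'vlc,NWAPPLIANCE20393,10.1.1.25,0d6e903f-df54-4f6a-8697-cbe6891b2eb5, 10.6.6.0\n' > "$demo_dir/bad"
validate_systems "$demo_dir/bad" || echo "bad: rejected as expected"
rm -rf "$demo_dir"
```

On a real UI server, point facts_to_systems at /var/lib/puppet/yaml/facts and a mapping file you wrote from the hostType chart, review the output, and run validate_systems on the file before copying it to all-systems.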


  6. Copy the all-systems-master-copy file to the all-systems file:


# cp /var/netwitness/database/nw-backup/all-systems-master-copy /var/netwitness/database/nw-backup/all-systems


  7. Run the following command on the Security Analytics server (UI server) to push SSH keys to all hosts:


# ./ssh-propagate.sh /var/netwitness/database/nw-backup/all-systems


The root (OS) password for each host will be prompted for and must be entered manually.



  8. Renew the certificate for the Security Analytics server (UI server) by running the following command:


# ./10-6-cert-renewal.sh


  9. After the certificate is renewed, reboot the Security Analytics server.
  10. SSH back to the Security Analytics server and run the same command again to renew the remaining hosts:


# ./10-6-cert-renewal.sh


  11. After the certificates for all the other hosts are renewed, reboot each host in turn so that it starts using its new certificate.
  12. To verify that all certificates are renewed, run the ca-expiry-test.sh script again (see the ca-expiry-test.sh command under Prerequisites).
  13. To confirm that the renewal succeeded end to end, log in to the Security Analytics UI and confirm that all hosts are running correctly. If they are not, check the Troubleshooting section below before contacting RSA NetWitness Support.

 



Renew certificates that have expired or have not yet expired for Windows Legacy Collector (WLC) hosts



The script wlc-cert-renew-10.6.sh must be used to renew the Windows Legacy Collector certificates. 



Prerequisites



To renew the certificates for Windows Legacy Collector hosts:



  1. Ensure the 10.6.x Security Analytics server's (UI server) CA certificate has already been renewed from previous steps above.
  2. Ensure the wlc-cert-renew-10.6.sh script was downloaded with the other scripts inside the RSA NetWitness Platform 11.x Backup Script. (See Prerequisites, Step 1)
  3. Create a wlc-systems file on the Security Analytics server (UI Server) that contains system information for all Windows Legacy Collectors.


<wlcip>,<wlc nw admin username>,<wlc nw admin password>

Example format in the file:
10.1.1.12,admin,netwitness
10.1.1.35,admin,netwitness


Ensure there are no spaces or blank lines in the wlc-systems file. 



Procedure 


To renew the certificates for Windows Legacy Collector hosts:

  1. SSH into the Security Analytics server (UI Server).
  2. View the details of the certificates currently in use by running ./wlc-cert-renew-10.6.sh <location of the wlc-systems file> without the --renew option, as shown:


# ./wlc-cert-renew-10.6.sh /root/certreissue/wlc-systems


  3. Renew the certificates for all the WLC hosts by running ./wlc-cert-renew-10.6.sh --renew <location of wlc-systems file>. For example:


# ./wlc-cert-renew-10.6.sh --renew /root/certreissue/wlc-systems


  4. If the certificates are successfully renewed, a message like the following is displayed (the count reflects the number of entries in your wlc-systems file):


Wed Oct 14 11:23:47 UTC 2026: WLC_CERT_RENEW: [INFO] ---------------------------------------
Wed Oct 14 11:23:47 UTC 2026: WLC_CERT_RENEW: [INFO] Renew completed successfully for 2 of 2
Wed Oct 14 11:23:47 UTC 2026: WLC_CERT_RENEW: [INFO] Done
Wed Oct 14 11:23:47 UTC 2026: WLC_CERT_RENEW: [INFO] ---------------------------------------


  5. After the WLC certificates are renewed, Puppet propagates the RabbitMQ trust store to all hosts in the deployment. This can take up to 30 minutes; until it completes, Health and Wellness statistics from the WLCs may not be visible or may show an error. To avoid the wait, run the puppet agent manually on the Security Analytics Server and on every Log Collector and Virtual Log Collector that is connected to a Windows Legacy Collector by a shovel.
  6. To run the puppet agent, run the following command on each of those hosts:


# puppet agent -t

Resolution

Troubleshooting



  • Issue: One of the following errors is displayed while running the certificate renewal script (an ssh name-resolution error, or a puppet agent error reporting that no certificate was found for the host):

ssh: Could not resolve hostname: Name or service not known


exiting; no certificate found and waitforcert is disabled


  • Workaround:

  1. In NetWitness Platform, go to Admin > Hosts.
  2. In Hosts view, select the host and click Enable.

----------------------------------------------------------------------------------------------------------------------------------------------------------------------


  • Issue: The following error is displayed on the NetWitness Platform UI.

Enable Failed: Please click to retry.


  • Workaround

  1. Click the retry button to reattempt the enablement process.
  2. If unsuccessful contact RSA NetWitness Support for further assistance.

----------------------------------------------------------------------------------------------------------------------------------------------------------------------


  • Issue: Certificate is not renewed for the host.
  • Workaround:

  1. SSH to the specific host and run the puppet agent to check for errors on that host:


# puppet agent -t


  2. If an error is found, fix it and run the 10-6-cert-renewal.sh script again.

----------------------------------------------------------------------------------------------------------------------------------------------------------------------


  • Issue: Certificate is not renewed for the WLC host.
  • Cause: When you review the log for errors, errors may occur if a WLC is unreachable, or if the IP address, username, or password is incorrect. The script ignores systems that are not WLCs.
  • Workaround:

  1. In the wlc-systems file, remove all the entries and add ONLY the details of the WLC hosts whose certificates are not renewed.
  2. Renew the certificates. For more information, see above section Renew certificates that have expired or have not yet expired for Windows Legacy Collector (WLC) hosts.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------

  • Issue: The Windows Legacy Collector shows a shovel error (red circle) on a Log Collector under the Remote Collectors tab.
  • Workaround:
    Follow the steps below:
    1. In NetWitness Platform, go to Config > Remote Collectors on each Log Collector that is pulling from the affected WLC. Select the LC/VLC service to check the state of the shovel.
        [Screenshot: Remote Collector page]
    2. Obtain the UUID of the LC/VLC from the all-systems file, or SSH to the LC/VLC and run the following command:


# facter -p node_id


    3. Select the WLC service and go to the Explore view. In the left panel, right-click event-broker and select Properties.
        [Screenshot: WLC Explore view]
    4. In the drop-down list select accept, enter uuid=<UUID of the LC/VLC> in the Parameters field, and click Send.
        [Screenshot: WLC Explore with UUID]
    5. Confirm that the shovel is no longer in an error state.
        [Screenshot: Remote Collector config page]
