000037999 - Reissuing security certificates on RSA NetWitness Platform 10.6.x

Document created by RSA Customer Support Employee on Sep 26, 2019. Last modified by RSA Customer Support Employee on Oct 21, 2019. Version 17.

Article Number: 000037999
Applies To: RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: All Appliances
RSA Version/Condition: 10.6.X
Platform: CentOS
O/S Version: 6
Issue: Customers on RSA NetWitness 10.6.x or earlier may have internal NetWitness-issued security certificates that are about to expire or have already expired.
Tasks: The following document describes the steps RSA NetWitness Platform 10.6.x customers need to follow to renew Certificate Authority (CA) certificates that are about to expire or have already expired. After the certificate renewal script described below has run successfully, the certificate is renewed for ten years on all hosts.
 

If your 10.6.x environment is STIG enabled, STOP! Do not use this procedure. Contact RSA NetWitness Customer Support.



Prerequisites



  1. To initiate the certificate renewal process, download the latest RSA NetWitness Platform 11.x Backup Script (currently nw-backup-v4.5.zip) from RSA NetWitness Platform 10.6.6.x to 11.0, 11.1, 11.2 or 11.3 Backup Scripts on RSA Link.

    The nw-backup-v4.5.zip will be used throughout this document. Always use the latest version from the link provided above.


  2. Once the nw-backup-v4.5.zip is downloaded:
    1. SSH into the Security Analytics Server (UI Server)
    2. Create a directory in /root to contain the contents of the zip file by running the following command:


# mkdir /root/certreissue


    3. Secure Copy (SCP) the nw-backup-v4.5.zip file to the /root directory and extract its contents. Once it has been copied, run the following command from /root to unpack the zip file:


# unzip nw-backup-v4.5.zip -d certreissue


    4. The contents of the zip file in the directory should look like the following:

  • get-all-systems.sh
  • ssh-propagate.sh
  • ca-expiry-test.sh
  • nw-backup.sh
  • 10-6-cert-renewal.sh
  • wlc-cert-renew-10.6.sh

    5. Change the permission of all the scripts to allow them to be executed by running the following command within the certreissue directory:


# chmod +x *.sh


  3. Check the validity of the current certificates by running the command ./ca-expiry-test.sh --version <Major Version of NetWitness> on the Security Analytics Server (UI Server). For example,


# ./ca-expiry-test.sh --version 10.x


  • If the certificates have not expired, go to Scenario 1 under Procedure. If the certificates have expired, go to Scenario 2 under Procedure.
  • If the Windows Legacy Collector (WLC) certificates need to be renewed, go to Renew certificates that have expired or have not yet expired for Windows Legacy Collector (WLC) hosts, later in this document.
 

Procedure


Scenario 1: Renew the certificates which have not yet expired. (All 10.6.x hosts except the Windows Legacy Collector)

  1. SSH to the Security Analytics Server (UI Server)
  2. Get all details about the NetWitness hosts by running the command ./get-all-systems.sh <IP address of SA Server (UI Server)>:


# ./get-all-systems.sh 192.168.1.20


  3. Run the following command on the Security Analytics server (UI Server) to propagate SSH keys to the other NetWitness servers. This streamlines the communications for the rest of the procedure.

    The root (OS) password for each host will be prompted for and must be entered manually.


    # ./ssh-propagate.sh /var/netwitness/database/nw-backup/all-systems

  4. Renew the certificates for the Security Analytics Server (UI Server) by running the following command on the UI server itself:

    # ./10-6-cert-renewal.sh

  5. After the certificate is renewed, reboot the Security Analytics Server (UI Server).
  6. Once the Security Analytics server is back up, renew the certificates for all the other hosts. Run the following command on the Security Analytics server once more to update the remaining devices:

    # ./10-6-cert-renewal.sh

  7. After the certificates for all the other hosts are renewed, reboot each host, in turn, to start using the new certificate.
  8. To verify that the certificates are all renewed, run the ca-expiry-test.sh script as mentioned in Step 3 within the Prerequisites.


Scenario 2: Renew certificates that have expired. (All 10.6.x hosts except Windows Legacy Collectors)



  1. SSH to the Security Analytics server (UI Server).
  2. Create the following directory if it does not already exist:


# mkdir -p /var/netwitness/database/nw-backup


  3. Create the all-systems-master-copy file using vi or another text editor:


# vi /var/netwitness/database/nw-backup/all-systems-master-copy


  4. Add the details of all the NetWitness hosts to the open all-systems-master-copy file, one host per line, in the format <hostType>,<hostname>,<hostIP>,<nodeid>,<version>. For example:


concentrator,Stack1Con,10.1.1.20,be822b7b-edbd-4e31-a9c5-9e06c9e56ca5,10.6.6.0
logdecoder,Stack1LD,10.1.1.21,6a492be0-522c-4be1-984c-c7c290c6be94,10.6.6.0
saserver,SA151,10.1.1.15,2b64cad8-7f14-49b1-814c-ac521710d8fa,10.6.6.0
vlc,NWAPPLIANCE20393,10.1.1.25,0d6e903f-df54-4f6a-8697-cbe6891b2eb5,10.6.6.0



Make sure that there are no spaces or blank lines in the all-systems-master-copy file.


 

To obtain the details required for the all-systems-master-copy file, do the following:



  • The following chart lists the default hostType for each kind of NetWitness host.

    Hosts                              hostType
    Main NetWitness Server             saserver
    Stand-Alone Broker                 broker
    ESA (Event Stream Analysis)        esa
    VLC (Virtual Log Collector)        vlc
    Stand-Alone IPDB Extractor         ipdb
    Log Archiver                       archiver
    Concentrator (Network or Log)      concentrator
    Log Decoder                        logdecoder
    Log Hybrid                         loghybrid
    Packet Decoder (Network)           packetdecoder
    Packet Hybrid (Network)            packethybrid
    Stand-Alone Malware Analysis       malwareanalysis
    Stand-Alone Warehouse Connector    whc

  • To get the other details (hostname, hostIP, nodeId, and version) for each host, SSH to the Security Analytics server (UI server) and run the following commands. The nodeId is the name of the host's facts file. Example output is shown below:


# cd /var/lib/puppet/yaml/facts/
# grep -e hostname -e ipaddress_eth -e rsa_sa_platform_version * | sort
cd137ad5-83cf-4dac-97f0-c7e416fc076b.yaml:    hostname: Stack1Broker
cd137ad5-83cf-4dac-97f0-c7e416fc076b.yaml:    ipaddress_eth0: "10.1.1.10"
cd137ad5-83cf-4dac-97f0-c7e416fc076b.yaml:    rsa_sa_platform_version: "10.6.6.0"

NodeID is cd137ad5-83cf-4dac-97f0-c7e416fc076b
hostname is Stack1Broker
hostIP is 10.1.1.10
version is 10.6.6.0
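As an added example (not part of the RSA article or of the nw-backup scripts), the following bash helpers do the two chores the steps above leave to hand work: assembling the hostname, hostIP, nodeid and version fields from the puppet facts directory, and checking a finished all-systems-master-copy file for exactly the defects the article warns about (a wrong field count, a hostType not in the table, a malformed IP or UUID, whitespace, blank lines). The facts directory and the fact names come from the article; the choice of ipaddress_eth0 as the management address, the 10.6.x.y version pattern, and all sample data in the demo function are assumptions made for this example.

```bash
#!/bin/bash
# Added example; not part of the RSA article or the nw-backup scripts.
# Helpers for building and checking /var/netwitness/database/nw-backup/all-systems-master-copy.

# hostType values from the article's table (assumption: the table is complete).
VALID_HOST_TYPES="saserver broker esa vlc ipdb archiver concentrator logdecoder loghybrid packetdecoder packethybrid malwareanalysis whc"

# facts_to_rows FACTS_DIR
#   Prints one "<hostname>,<hostIP>,<nodeid>,<version>" line per facts file in
#   FACTS_DIR (the article uses /var/lib/puppet/yaml/facts/). The nodeid is the
#   file's basename, as in the article's grep output. Assumption: eth0 carries
#   the management address. Prefix each line with "<hostType>," by hand.
facts_to_rows() {
    for f in "$1"/*.yaml; do
        [ -e "$f" ] || continue
        awk -v id="$(basename "$f" .yaml)" '
            $1 == "hostname:"                { h  = $2 }
            $1 == "ipaddress_eth0:"          { ip = $2 }
            $1 == "rsa_sa_platform_version:" { v  = $2 }
            END {
                gsub(/"/, "", ip); gsub(/"/, "", v)   # facts quote these values
                print h "," ip "," id "," v
            }' "$f"
    done
}

# validate_all_systems FILE
#   Prints one diagnostic per bad line; returns 0 if FILE is clean, 1 otherwise.
#   Checks what the article asks for: five comma-separated fields, a known
#   hostType, a dotted-quad hostIP, a UUID-shaped nodeid, a 10.6.x.y version,
#   and no whitespace or blank lines anywhere.
validate_all_systems() {
    awk -v types="$VALID_HOST_TYPES" '
        function fail(msg) { printf("line %d: %s\n", NR, msg); bad = 1 }
        BEGIN {
            n = split(types, t, " ")
            for (i = 1; i <= n; i++) ok[t[i]] = 1
            bad = 0
        }
        /^$/     { fail("blank line"); next }
        /[ \t]/  { fail("contains whitespace"); next }
        {
            nf = split($0, f, ",")
            if (nf != 5) { fail("expected 5 comma-separated fields, got " nf); next }
            if (!(f[1] in ok))  fail("unknown hostType \"" f[1] "\"")
            if (f[2] == "")     fail("empty hostname")
            if (f[3] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                fail("hostIP is not a dotted quad: \"" f[3] "\"")
            if (length(f[4]) != 36 || f[4] !~ /^[0-9a-f]+-[0-9a-f]+-[0-9a-f]+-[0-9a-f]+-[0-9a-f]+$/)
                fail("nodeid is not a UUID: \"" f[4] "\"")
            if (f[5] !~ /^10\.6\.[0-9]+\.[0-9]+$/)
                fail("unexpected version: \"" f[5] "\"")
        }
        END { exit bad }
    ' "$1"
}

# demo: constructed data, not from a real deployment. Writes one facts file and
# a candidate all-systems-master-copy containing the defects the article warns
# about (a space before the version, a trailing blank line) and runs both helpers.
demo() {
    d=$(mktemp -d)
    printf '  hostname: Stack1Broker\n  ipaddress_eth0: "10.1.1.10"\n  rsa_sa_platform_version: "10.6.6.0"\n' \
        > "$d/cd137ad5-83cf-4dac-97f0-c7e416fc076b.yaml"
    echo "rows from facts (add the hostType in front of each):"
    facts_to_rows "$d"
    printf 'saserver,SA151,10.1.1.15,2b64cad8-7f14-49b1-814c-ac521710d8fa,10.6.6.0\nvlc,NWAPPLIANCE20393,10.1.1.25,0d6e903f-df54-4f6a-8697-cbe6891b2eb5, 10.6.6.0\n\n' \
        > "$d/all-systems-master-copy"
    echo "checking all-systems-master-copy:"
    validate_all_systems "$d/all-systems-master-copy" || echo "fix the lines above before copying the file to all-systems"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run the script with --demo to see both helpers on the constructed data; on a real server, run `facts_to_rows /var/lib/puppet/yaml/facts/` to get the rows, then `validate_all_systems /var/netwitness/database/nw-backup/all-systems-master-copy` before the cp step. The interval-free regular expressions are deliberate so the functions run on the gawk 3.1 shipped with CentOS 6 as well as on mawk.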


  5. Make a copy of the all-systems-master-copy file and call it all-systems:


# cp /var/netwitness/database/nw-backup/all-systems-master-copy /var/netwitness/database/nw-backup/all-systems


  6. Run the following command on the Security Analytics server (UI server) to push SSH keys to all hosts.


# ./ssh-propagate.sh /var/netwitness/database/nw-backup/all-systems


The root (OS) password for each host will be prompted for and must be entered manually.



  7. Renew the certificate for the Security Analytics server (UI server) by running the following command:


# ./10-6-cert-renewal.sh


  8. After the certificate is renewed, reboot the Security Analytics server.
  9. SSH back to the Security Analytics server and run the following command again to renew the remaining hosts:


# ./10-6-cert-renewal.sh


  10. After the certificates for all the other hosts are renewed, reboot each host in turn to start using the new certificate.
  11. To verify that the certificates are all renewed, run the ca-expiry-test.sh script as mentioned in Step 3 within the Prerequisites.
  12. To confirm that the certificates are successfully renewed, log in to the Security Analytics UI and confirm that all the hosts are running correctly. If they are not, check the Troubleshooting section below before contacting RSA NetWitness Support.
 

Renew certificates that have expired or have not yet expired for Windows Legacy Collector (WLC) hosts


The script wlc-cert-renew-10.6.sh must be used to renew the Windows Legacy Collector certificates.

Prerequisite


To renew the certificates for Windows Legacy Collector hosts:

  • Ensure that the 10.6.x Security Analytics server's (UI server) CA certificate has already been renewed using the steps above.
  • The wlc-cert-renew-10.6.sh script is included with the other scripts in the RSA NetWitness Platform 11.x Backup Script downloaded in Step 1 of the Prerequisites.
  • Create a wlc-systems file on the Security Analytics server (UI Server) that contains one line per Windows Legacy Collector in the format <wlcip>,<wlc nw admin username>,<wlc nw admin password>. For example,

    10.1.1.12,admin,netwitness
    10.1.1.35,admin,netwitness


    Make sure there are no spaces or blank lines in the wlc-systems file.


 

Procedure


To renew the certificates for Windows Legacy Collector hosts:

  1. SSH into the Security Analytics server (UI server).
  2. View the details of the current certificate in use by running the command ./wlc-cert-renew-10.6.sh <location of wlc-systems file>. For example,


# ./wlc-cert-renew-10.6.sh /root/certreissue/wlc-systems


  3. Renew the certificates for all the WLC hosts by running the command ./wlc-cert-renew-10.6.sh --renew <location of wlc-systems file>. For example,


# ./wlc-cert-renew-10.6.sh --renew /root/certreissue/wlc-systems


  4. If the certificates are successfully renewed, a message like the following is displayed:


Wed Oct 14 11:23:47 UTC 2026: WLC_CERT_RENEW: [INFO] ---------------------------------------
Wed Oct 14 11:23:47 UTC 2026: WLC_CERT_RENEW: [INFO] Renew completed successfully for 2 of 2
Wed Oct 14 11:23:47 UTC 2026: WLC_CERT_RENEW: [INFO] Done
Wed Oct 14 11:23:47 UTC 2026: WLC_CERT_RENEW: [INFO] ---------------------------------------


  5. After renewing the certificates for Windows Legacy Collector hosts, the RabbitMQ trust store is propagated to all the hosts in the deployment by Puppet. This can take as long as 30 minutes. Until then, Health and Wellness statistics from WLCs may not be visible and may display an error. You can avoid the wait by running the puppet agent manually on the Security Analytics Server and on the Log Collectors and Virtual Log Collectors that are connected to the Windows Legacy Collectors by shovels.

To run the puppet agent, run the following command:

# puppet agent -t


Resolution

Troubleshooting



  1. Issue: The following error is displayed on the NetWitness Platform UI while running the certificate renewal script.

ssh: Could not resolve hostname: Name or service not known


exiting; no certificate found and waitforcert is disabled


Workaround:

  • In NetWitness Platform, go to Admin > Hosts.
  • In Hosts view, select the host and click Enable.

  2. Issue: Certificate is not renewed for the host.
    Workaround:

    • SSH to the specific host. Run the puppet agent to check for any error on the host:

      # puppet agent -t

    • If an error is found, fix the error and run the 10-6-cert-renewal.sh script again.
  3. Issue: Certificate is not renewed for the WLC host.
    Cause: When you review the log for errors, errors may occur if a WLC is unreachable, or if the IP address, username, or password is incorrect. The script ignores systems that are not WLCs.
    Workaround:
    In the wlc-systems file, remove all the entries, add ONLY the details of the WLC hosts whose certificates were not renewed, and then renew the certificates again. For more information, see To renew the certificates for Windows Legacy Collector hosts, earlier in this document.
  4. Issue: Log Collectors that have Windows Legacy Collectors under the Remote Collectors tab are showing a shovel error.
    Workaround:
    Follow the steps below:
    • In NetWitness Platform, go to Config > Remote Collectors on any Log Collector that is pulling from the affected WLC. Select the LC/VLC service to check the state of the shovel.
        (Screenshot: Remote Collector page)
    • Obtain the UUID of the LC/VLC from the all-systems file, or SSH to the LC/VLC and run the following command:

      # facter -p node_id

    • Select the WLC service and go to the Explore view. In the left panel, right-click event-broker and select Properties.
        (Screenshot: WLC Explore view)
    • In the drop-down list, select accept, enter uuid=<UUID of the LC/VLC> in the Parameters field, and click Send.
        (Screenshot: WLC Explore with UUID)
    • Confirm that the shovel is no longer in an error state.
        (Screenshot: Remote Collector Config page)
