The RSA NetWitness Platform uses an internal Root Certificate Authority (CA) to issue certificates to individual services and components to enable secure communications. This Root CA expires 5 years from the date of initial installation. If the Root CA is not updated prior to expiration, your system services will lose their ability to communicate securely, resulting in a system-wide outage.
Customers Impacted
The Root CA certificate within the RSA NetWitness Platform is created at first installation, and its default validity period is 5 years. Version upgrades (including from 10.x to 11.x) do not currently change this expiration date. Customers who have been running the RSA NetWitness Platform for more than 4 years are advised to check their certificates.
Recommended Actions
- If you are running version 10.6.x, RSA recommends that you refer to the knowledge base article entitled 000037999 - Reissuing security certificates on RSA NetWitness Platform 10.6.x to check your certificate expiration and, if set to expire within 12 months, follow the steps to update your certificate.
- If you are running version 11.x, RSA recommends that you refer to the knowledge base article entitled 000038001 - Reissue root CA security certificates on RSA NetWitness Platform 11.x to check your certificate expiration and, if set to expire within the next 4 weeks, contact RSA Customer Support to walk through the steps to manually update your Root CA immediately. We are expecting to have a script available next week (the week of September 30th) and will send out an update to this advisory with additional details once this is available.
To make this easier going forward, we are also planning to add expanded alerting capabilities in a future release to alert administrators of expiring certificates, along with automated certificate refreshes during upgrades. The above-mentioned manual checks are expected to be temporary measures to mitigate potential outages.
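The expiry check described under Recommended Actions can be scripted with `openssl x509 -checkend`. The following is an added example, not RSA's script or the KB procedure: the certificate path is supplied by the caller because this advisory does not give its location, the status labels are hypothetical, and "12 months" is taken as 365 days.

```shell
#!/usr/bin/env bash
# Added example: classify a Root CA certificate against the advisory's windows.
# The PEM path is an argument; take the real location from the KB article
# for your version (it is not stated in this advisory).

# window_seconds VERSION -> remaining validity (seconds) below which to act
window_seconds() {
    case "$1" in
        10.6.*) echo $((365 * 86400)) ;;  # "within 12 months" (365 days assumed)
        11.*)   echo $((28 * 86400)) ;;   # "within the next 4 weeks"
        *)      return 2 ;;               # version not covered by the advisory
    esac
}

# check_root_ca PEM_FILE VERSION
# Prints EXPIRED, ACTION, OK, UNREADABLE or UNKNOWN_VERSION (hypothetical labels).
# Returns 0 only for OK, 1 when action is needed, 2 on bad input.
check_root_ca() {
    local pem=$1 version=$2 window
    window=$(window_seconds "$version") || { echo "UNKNOWN_VERSION"; return 2; }
    # Reject anything openssl cannot parse as an X.509 certificate.
    if ! openssl x509 -in "$pem" -noout 2>/dev/null; then
        echo "UNREADABLE"; return 2
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "EXPIRED"; return 1
    fi
    if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null; then
        echo "ACTION"; return 1
    fi
    echo "OK"
}

# Stand-alone use: ./check_root_ca.sh /path/to/root-ca.pem 11.3
if [ "$#" -eq 2 ]; then
    check_root_ca "$1" "$2"
fi
```

A non-zero exit status makes the function usable from cron or a monitoring agent until the alerting planned for a future release is available.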
EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.