Sys Maintenance: Reissue Certificates 110197

Document created by RSA Information Design and Development Employee on Jan 30, 2020. Last modified by RSA Information Design and Development Employee on Jul 24, 2020.
Version 15

Introduction

For a secure deployment, NetWitness Platform installs internal RSA-issued certificates, such as the CA certificate and the service certificates.

The validity periods of the NetWitness Platform certificates are as follows:

  • CA root certificate for 11.x deployment is valid for 10 years

  • CA root certificate for 10.6.x deployment is valid for 5 years

  • Service certificates are valid for 1000 days

When these certificates are about to expire or have already expired, renew and reissue them as soon as possible to avoid outages in your NetWitness deployment.

Note: You can view the expiration details by running the ca-expire-test-sh script on the NetWitness Server. For more information, and to download the script, see Reissue root CA security certificates on RSA NetWitness Platform 11.x.
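The validity windows above only help if someone is looking at the dates. The following script is an added example, not the RSA ca-expire-test script and not part of this page: it reports any PEM certificate that is expired or within a warning window of expiry, using nothing but bash and openssl, so it can run from cron on the NW Server or from an administrator's workstation against copied certificates. The certificate paths are passed as arguments because this page does not document the on-host file locations; the 90-day warning window and the constructed sample certificates produced by make_sample_cert are assumptions of the example.

```shell
#!/usr/bin/env bash
# check_certs.sh - report PEM certificates that are expired or close to expiry.
# Added example: needs only bash and openssl. Pass the certificate files as arguments.

WARN_DAYS="${WARN_DAYS:-90}"   # assumed warning window; set it to your change-control lead time

# cert_status <pem-file> <warn-days>
# Prints one status line. Returns 0 = ok, 1 = expiring within warn-days, 2 = expired, 3 = unreadable.
cert_status() {
    local pem="$1" warn="$2" not_after
    not_after=$(openssl x509 -noout -enddate -in "$pem" 2>/dev/null) \
        || { echo "UNREADABLE $pem"; return 3; }
    # 'openssl x509 -checkend N' exits 0 only if the certificate is still valid N seconds from now,
    # so -checkend 0 detects an already expired certificate.
    if ! openssl x509 -noout -checkend 0 -in "$pem" >/dev/null 2>&1; then
        echo "EXPIRED  $pem ($not_after)"; return 2
    fi
    if ! openssl x509 -noout -checkend $(( warn * 86400 )) -in "$pem" >/dev/null 2>&1; then
        echo "EXPIRING $pem ($not_after)"; return 1
    fi
    echo "OK       $pem ($not_after)"; return 0
}

# check_certs <warn-days> <pem-file>...
# Checks every file and returns the worst status seen, so the exit code is usable from cron.
check_certs() {
    local warn="$1" worst=0 rc pem
    shift
    for pem in "$@"; do
        cert_status "$pem" "$warn"; rc=$?
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    return "$worst"
}

# make_sample_cert <out-pem> <days-valid>
# Constructed test input: a throwaway self-signed certificate valid for <days-valid> days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${1%.pem}.key" -out "$1" \
        -days "$2" -subj "/CN=sample-$2-days" >/dev/null 2>&1
}

if [ $# -gt 0 ]; then
    check_certs "$WARN_DAYS" "$@"
else
    echo "usage: WARN_DAYS=<days> $0 <cert.pem>..." >&2
fi
```

Run it as `WARN_DAYS=120 ./check_certs.sh ca.pem service.pem`; a non-zero exit code means at least one certificate needs attention, and the status lines tell you which one. Because the service certificates are valid for 1000 days and the root CA for 10 years, a warning window of a few months leaves enough time to schedule the reissue while every host is still online, which the cert-reissue --host-all command requires.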

CA Certificate Reissue

To renew the CA certificates, do the following:

Note: If you have Windows Legacy Collectors (WLC) in your deployment, renew the CA certificate of the WLC after renewing the CA certificate of the NetWitness Admin Server.

Service Certificate Reissue

To renew the Service certificates, do the following:

Note: If a host has been decommissioned, or you plan to remove it, do not renew the certificate for that host.

Reissuing Service Certificate

You can reissue service certificates in one of two ways:

  • All at once
    Reboot the NW Server host after the cert-reissue --host-all command completes.
  • One at a time
    Reissue the NW Server host certificates first, restart that host, then reissue the certificates of each component host.

IMPORTANT: If you are reissuing certificates for each host individually (one at a time), you must reissue the certificate for the NW Server host before you can reissue certificates for any other host.

When to Use the --host-all Argument

Use the cert-reissue --host-all command if you have a large number of hosts. Make sure that:

  • All your hosts are running 11.3.0.0 or later.
  • All your hosts are online.
  • The NW Server host run time services are running.

cert-reissue Arguments and Options for All Hosts

The following table lists the argument you can use to reissue certificates for all hosts at one time. See Troubleshooting Cert-Reissue Command for the additional options that Customer Support may ask you to use when troubleshooting errors.

Argument        Description
--host-all      Reissues certificates for all hosts at one time, applying system health checks and restarting services.

Note: If even one host is offline, this command fails. If you have numerous hosts in your deployment, make sure that all of them are up and running before you start.

Caution: Do not run this command against a node or host that you plan to remove or decommission.

When to Use the Individual Host Arguments (--host-id <id>, --host-name <display-name>, --host-addr <ip/hostname>)

The cert-reissue --host-id <id>, cert-reissue --host-name <display-name>, and cert-reissue --host-addr <ip/hostname> commands each reissue the certificate for an individual host. Use them if you have a small number of hosts.

Make sure that:

  • Each host is running 11.3.0.0 or later.
  • Each host is online.
  • The NW Server host run time services are running.
  • You reissue certificates for the NW Server host first.

cert-reissue Arguments and Options for a Single Host

The following table lists the arguments and options you can use to reissue certificates for a single host (one host at a time). See Troubleshooting Cert-Reissue Command for the additional options that Customer Support may ask you to use when troubleshooting errors.

Note: You must run the command for the NW Server host first and reboot that host before you run the command for each component host.

Argument                      Description

--host-id <id>                Reissues the certificate for the host identified by <id> (host identification code).

--host-name <display-name>    Reissues the certificate for the host identified by <display-name>.
                              display-name is the value shown under Name in the ADMIN > Hosts view in the NetWitness Platform interface.

--host-addr <ip/hostname>     Reissues the certificate for the host identified by the value shown under Hostname in the ADMIN > Hosts > Edit dialog in the NetWitness Platform interface. This value is an IP address (the default) or a user-specified hostname.

Reissuing Certificates for All Hosts Except the Windows Legacy Collector (WLC) Host

Use the cert-reissue command to reissue certificates for all hosts except the WLC host, following the procedures below.

Running the Cert-Reissue Command for All Hosts

  1. SSH to the NW Server host.
  2. Submit the appropriate command string.
    cert-reissue --host-all

Running the Cert-Reissue Command for an Individual Host

  1. SSH to the NW Server host.
  2. Submit the appropriate command string (cert-reissue --host-id, --host-name, or --host-addr). Each of the following command strings is an example of how you reissue certificates for a specific host.
    cert-reissue --host-id <host-identification-code>
    cert-reissue --host-name <name-displayed-under-Name-in-Hosts-view>
    cert-reissue --host-addr <ip-address-default-hostname-or-user-specified-hostname>
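The --host-all path fails outright if a single host is offline, and the one-at-a-time path must start with the NW Server host. The following pre-flight wrapper is an added example, not a NetWitness tool and not code from this page: it checks the one --host-all precondition that can be tested from the NW Server shell before you commit, that every host answers on the network, and only then runs cert-reissue --host-all. The host-list file (one host per line), the TCP probe on port 22 (the SSH port the procedure itself uses) and the DRY_RUN variable are assumptions of this example. The remaining preconditions, that every host runs 11.3.0.0 or later and that the NW Server run time services are up, still have to be confirmed in the ADMIN > Hosts view.

```shell
#!/usr/bin/env bash
# nw-reissue-preflight.sh - added example (not a NetWitness tool).
# Verifies that every host in a list is reachable before running "cert-reissue --host-all",
# because one offline host aborts the whole run.
# Assumptions: hosts are listed one per line in a text file ('#' lines are comments), and
# "online" is approximated by a TCP connect to PROBE_PORT (default 22).

PROBE_PORT="${PROBE_PORT:-22}"
PROBE_TIMEOUT="${PROBE_TIMEOUT:-3}"

# tcp_reachable <host> <port> -> 0 if a TCP connection succeeds within PROBE_TIMEOUT seconds.
# Host and port are passed as positional arguments to the inner shell, never interpolated
# into the command string, so an odd entry in the host file cannot inject shell syntax.
tcp_reachable() {
    timeout "$PROBE_TIMEOUT" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# preflight <host-file> -> prints one line per host; returns 1 if any host is unreachable.
preflight() {
    local host total=0 down=0
    while IFS= read -r host || [ -n "$host" ]; do
        case "$host" in ''|'#'*) continue ;; esac
        total=$((total + 1))
        if tcp_reachable "$host" "$PROBE_PORT"; then
            printf 'online   %s\n' "$host"
        else
            printf 'OFFLINE  %s\n' "$host"
            down=$((down + 1))
        fi
    done < "$1"
    printf '%d of %d hosts reachable on port %s\n' "$((total - down))" "$total" "$PROBE_PORT"
    [ "$down" -eq 0 ]
}

# reissue_all <host-file>: run the pre-flight and only then the real command.
# DRY_RUN=1 prints the command instead of executing it.
reissue_all() {
    if ! preflight "$1"; then
        echo "aborting: bring the OFFLINE hosts up first, or reissue per host with --host-id" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: cert-reissue --host-all"
    else
        cert-reissue --host-all
    fi
}

if [ $# -eq 1 ]; then
    reissue_all "$1"
else
    echo "usage: [DRY_RUN=1] [PROBE_PORT=22] $0 <host-list-file>" >&2
fi
```

Run `DRY_RUN=1 ./nw-reissue-preflight.sh hosts.txt` first to see the reachability report without touching any certificate; when every host reports online, drop DRY_RUN to run the real command, and reboot the NW Server host afterwards as the procedure above requires. A host that the pre-flight reports OFFLINE because it has been decommissioned should be removed from the deployment, not reissued.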

Reissuing Certificates for a WLC Host

You must use the wlc-cli-client utility to reissue certificates for a WLC host; the cert-reissue command does not support WLC hosts. You also need to specify a number of WLC identification parameters with this utility.

Note: The certificate material for a Windows Legacy Collector host is stored in the following files on that host:
C:\ProgramData\netwitness\ng\logcollector_cert.pem
C:\ProgramData\netwitness\ng\logcollector_dh2048.pem
The validity period of WLC certificates can range from 2 to 20 years. If you rename or remove these files and restart the NwLogCollector service, NetWitness regenerates them.
/ssl/truststore.pem is no longer used in 11.x.
Every reissue of a certificate on the Windows Legacy Collector creates a new private key.

To reissue certificates on a WLC host:

  1. SSH to the NW Server host.
  2. Submit the following command string, substituting the WLC address, the WLC credentials, and the deploy_admin credentials.
    wlc-cli-client --cert-renew --host <wlc-host-ip-address> --port 50101 --use-ssl false --username <wlc-username> --password <wlc-password> --ss-username <deploy-admin-username> --ss-password <deploy-admin-password>

Note: Because the passwords are passed as command-line arguments, they are recorded in the shell history and are visible to other users in the process list while the command runs. Remove the entry from the shell history afterwards.

Successful Reissue Summary Report

When you run cert-reissue --host-all, the following summary report is displayed if all hosts are online, all run time services are running, and all hosts are on version 11.3.0.0 or later.

Unsuccessful Reissue Summary Reports

You must contact Customer Support (https://community.rsa.com/docs/DOC-1294) to troubleshoot problems. There is a problem if any <host-id> does not return a Success status. Success indicates that certificates were reissued for that host. The following examples illustrate unsuccessful reissues.

Reissue Failed for Host and Aborted Command

The following three examples illustrate a certificate reissue that failed for a host, after which the command aborted.

Reissue Certificate Partially Executed

The NW Server host certificates were reissued, but the reissued certificates could not be distributed properly to one or more component hosts.
