000038520 - How to configure device aggregation to another RSA NetWitness environment using SSL

Document created by RSA Customer Support Employee on Mar 9, 2020. Last modified by RSA Customer Support Employee on Mar 31, 2020. Version 3.

Article Number: 000038520

Applies To
  RSA Product Set: RSA NetWitness Platform
  RSA Product/Service Type: Broker, Concentrator, Network Decoder, Log Decoder, Archiver
  RSA Version/Condition: 11.X
  Platform: CentOS
  O/S Version: EL7
Issue

When configuring device aggregation between a broker and a concentrator, for example, the connecting device checks the remote device's certificate, and that check fails if the certificate is not trusted. This document explains how to satisfy that check, rather than disable it, so that you can connect to a device that does not share your CA. This is necessary because every environment should have its own unique CA. Before going further, you must decide in which direction the trust needs to be established.

Suppose you have 2 environments: Environment Alpha and Environment Beta.

If you want a host in Alpha to aggregate from hosts in Beta, then you must import the CA certificate from Beta to the device in Alpha that will be aggregating. This establishes the trust that is needed to complete the aggregation connection. You can use the following steps to accomplish this.

SPECIAL NOTE:
If you are aggregating concentrators from different environments, pay attention to the index settings on those devices: they should share the same index settings. That is, the index-concentrator-custom.xml and index-concentrator.xml files should be identical for optimal investigation across the devices in question. Failure to check this may result in unusual investigation behavior, such as unrecognized keys. This is not specific to this KB but is good practice in general when aggregating from multiple devices.
Resolution

First, obtain the CA certificate from Environment Beta that you will import into the host in Environment Alpha. You will need the contents of this file from Environment Beta in the next step. It can be found on the device itself, in the same location regardless of which device type you are working on:

/etc/pki/nw/ca/nwca-cert.pem

Once you have the contents of this file, you can upload it to the device in question. In the example below, I use a Concentrator; the CA upload page is at:


http://<ConcentratorIP>:50105/sys/caupload

Note: if the REST interface is configured for HTTPS, substitute https in the URL accordingly. In my example, I am uploading the CA certificate of a Log Decoder in Environment Beta to a Concentrator in Environment Alpha. When you open that URL on the Concentrator, you are presented with a page similar to the one below. On this page, paste the entire contents of the CA certificate file. Ensure that the "Add" radio button is selected.

[Screenshot of the CA upload page; image not reproduced.]

Then click the Upload button. Once this is done, go to the Explore view of the device in question and add the remote device as follows:

1. Right-click the device in the node tree. Since I am working on a Concentrator, the node is named "concentrator".
2. Select Properties.
3. From the drop-down that appears, select the "add" function.
4. Populate the parameters as you normally would for aggregation. Be sure to use the SSL port of the device you are aggregating from; in this case it is a Log Decoder, so the port is 56002.
5. When the parameters field is populated, press the Send button. The response tells you whether the operation succeeded.
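As an added pre-flight check (example code, not part of this article or of RSA NetWitness), the following Python validates that the text you are about to paste into /sys/caupload really is a certificate block, and then tests from the aggregating host whether the remote device's SSL port (56002 for a Log Decoder) verifies against that CA. It assumes the SSL port speaks standard TLS and that the device certificate's subject does not match its IP address, so only chain validation is checked; a device that also demands a client certificate needs more than this shows.

```python
# Added example (not RSA code): pre-flight checks for the CA import above.
# Assumptions not stated in the article: the device's SSL port speaks standard
# TLS, its certificate is issued by the CA in nwca-cert.pem, and its subject is
# not expected to match the IP, so hostname checking is off (chain check only).
import base64
import re
import socket
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def extract_ca_certs(pem_text: str) -> list:
    """Return DER bytes for every CERTIFICATE block in the pasted text,
    catching the usual /sys/caupload paste mistakes: no certificate block,
    a private key pasted by accident, or a truncated base64 body."""
    if "PRIVATE KEY" in pem_text:
        raise ValueError("text contains a private key, not a CA certificate")
    certs = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # a DER Certificate starts with SEQUENCE
            raise ValueError("certificate body is not valid DER")
        certs.append(der)
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    return certs


def check_remote_trust(host: str, port: int, cafile=None, timeout=5.0) -> dict:
    """TLS-handshake with the remote device's SSL port and report whether its
    certificate verifies against cafile (None = this host's default store).
    Without the other environment's nwca-cert.pem this should fail; with it,
    it should verify, which is exactly what the aggregation connection needs."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # assumption: subject != IP address
    ctx.verify_mode = ssl.CERT_REQUIRED  # still require a trusted chain
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"verified": True,
                        "subject": dict(x[0] for x in cert["subject"]),
                        "issuer": dict(x[0] for x in cert["issuer"])}
    except ssl.SSLCertVerificationError as exc:  # chain did not validate
        return {"verified": False, "error": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:       # unreachable, not TLS, etc.
        return {"verified": False, "error": str(exc)}
```

Call check_remote_trust(host, 56002) and then check_remote_trust(host, 56002, cafile="nwca-cert.pem"): the first result shows the untrusted-CA failure described in the Issue section, and the second should come back verified once the correct CA file is in use.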



Note: upon completion of this procedure, if you go to the Concentrator's Config page, the remote device appears under the normal aggregation section, just as a device from the same environment would. However, the number of interactions you can perform with it is still limited, because it is managed by another Admin Server.