000039357 - Upgrading RSA NetWitness hosts to is stuck at "In Queue for Updates" status

Document created by RSA Customer Support Employee on Oct 6, 2020Last modified by RSA Customer Support Employee on Oct 22, 2020
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000039357
Applies ToRSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition:
Platform: CentOS
O/S Version: 7
IssueWhen attempting to upgrade NetWitness hosts, some get stuck on the UI in In Queue for Updates.
As the Update button is greyed out for the affected hosts, no further attempts can be made to upgrade them.
The following error is found in /var/log/netwitness/config-management/chef-solo.log.

    Error executing action `run` on resource 'execute[generate-dhparams]'


    no implicit conversion of nil into String


    Cookbook Trace:
    /var/lib/netwitness/config-management/cache/cookbooks/nw-mongo/recipes/config.rb:28:in `exist?'
    /var/lib/netwitness/config-management/cache/cookbooks/nw-mongo/recipes/config.rb:28:in `block (2 levels) in from_file'


    Resource Declaration:
    # In /var/lib/netwitness/config-management/cache/cookbooks/nw-mongo/recipes/config.rb


     24: execute 'generate-dhparams' do
     25:   command 'openssl genpkey -genparam -algorithm DH ' \
     26:           "-out #{node['nw-mongo']['ssl_dhparams']['path']} " \
     27:           "-pkeyopt #{node['nw-mongo']['ssl_dhparams']['pkeyopt']}"
     28:   not_if { ::File.exist?(node['nw-mongo']['ssl_dhparams']['path']) }
     29: end


    Compiled Resource:
    # Declared in /var/lib/netwitness/config-management/cache/cookbooks/nw-mongo/recipes/config.rb:24:in `from_file'


    execute("generate-dhparams") do
      action [:run]
      default_guard_interpreter :execute
      command "openssl genpkey -genparam -algorithm DH -out  -pkeyopt "
      backup 5
      declared_type :execute
      cookbook_name "nw-mongo"
      recipe_name "config"
      domain nil
      user nil
      not_if { #code block }

CauseThis failure is due to /etc/netwitness/config-management/node.json not being updated with the following lines which are parameters that are required to generated /etc/pki/nw/mongo/dhparams-rfc5114-3.pem which is new to 11.5.

"ssl_dhparams" :
{ "pkeyopt" : "dh_rfc5114:3", "path" : "/etc/pki/nw/mongo/dhparams-rfc5114-3.pem" }

ResolutionIn order to resolve the issue, please perform the upgrade from the command line by running the command below from the Admin server.
upgrade-cli-client –-upgrade --host-key <ID, IP address, hostname or display name of the affected host> --version
See Upgrade 11.5: Appendix A. Offline Upgrade Using CLI for more information.

Alternatively, follow the steps below to clear the current status and start the upgrade again from the UI.
  1. SSH to the affected host.
  2. (Conditional) Modify /etc/yum.repos.d/nw-rsa-base.repo to set the baseurl as ‘baseurl=https://nw-node-zero/nwrpmrepo/’ only if the URL is NOT pointing to the version desired.
  3. (Conditional) Manually update to rsa-nw-component-descriptor- only if the package is not updated yet.

    rpm -qa |grep rsa-nw-component-descriptor
    yum update rsa-nw-component-descriptor

  4. SSH to the Admin server.
  5. Back up the appliance_update collection.

    mongoexport --db sa --collection appliance_update --out /root/appliance_update.json -u deploy_admin -p <PASSWORD> --authenticationDatabase admin

    Note: Replace <PASSWORD> with the actual password for the deploy_admin account.
  6. Modify the Mongo document to change the "IN_QUEUE" state to “REBOOTED”.

    mongo admin -u deploy_admin -p
    use sa
    db.appliance_update.find() – confirm the UUID of the affected host and its "IN_QUEUE" status.
    db.appliance_update.update({ "_id" : "<UUID>" }, { $set: { status : "REBOOTED", acceptWarning : false}})
    db.appliance_update.update({ "_id" : "<UUID>" }, { $set: {"version" :{ "major" : 11, "minor" : 3, "servicePack" : 1, "patch" : 0 }}}) - To revert back to the current version( in this example) if the version was also changed to Please modify the command to match the current version.

  7. Refresh the UI and start the upgrade again.