000031618 - Java is inadvertently updated in an RSA Security Analytics environment

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 14, 2017
Version 3

Article Content

Article Number: 000031618
Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics Server, Security Analytics UI, Reporting Engine, Incident Management, Event Stream Analysis (ESA), Malware Analysis
RSA Version/Condition: 10.4.1.x
Platform: CentOS
Platform (Other): Java
O/S Version: EL6
Issue
A potential issue exists when upgrading from Security Analytics 10.4.1.x to Security Analytics 10.5.1. If appliances are not upgraded immediately after 10.5.1 is retrieved into the Security Analytics updates repository, the underlying infrastructure automatically applies the newer version of Java from the SA 10.5.1 bundle.
The Java version in the SA 10.5.1 bundle is not compatible with SA 10.4.1.x. It can make the Security Analytics UI inaccessible, or prevent the Security Analytics server from communicating with services such as the Reporting Engine, Incident Management, Malware Analysis, and ECAT.
Workaround
To resolve the issue, follow the instructions below for the scenario that is being experienced.
Security Analytics UI is inaccessible
  1. Connect to the Security Analytics Server appliance via SSH as the root user.
  2. Navigate to the directory for the updates repository.
    cd /var/netwitness/srv/www/rsa/updates/RemoteRPMs/sa/

  3. Remove the incompatible packages.
    rm -rf java-1.7.0-openjdk-
    rm -rf java-1.7.0-openjdk-devel-

  4. Navigate to the /var/netwitness/srv/www/rsa/updates directory.
    cd /var/netwitness/srv/www/rsa/updates

  5. Recreate the updates repository.
    createrepo .

  6. Verify that the updates repository is enabled and enable it as necessary.
    [root@SA-Server ~]# cat /etc/yum.repos.d/sa.repo | grep enabled
    enabled = 1

  7. Downgrade the Java package.
    yum downgrade java -y
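
As an added example (not part of the RSA article and not RSA code), the read-only shell helpers below check the state that steps 3, 5 and 6 are meant to produce before the downgrade in step 7 is run. The function names are hypothetical, and the metadata check assumes createrepo wrote a repodata/*primary.xml.gz file.

```shell
#!/bin/sh
# Added example, not RSA code. Read-only; function names are hypothetical.
# Default paths are the ones quoted in the article.
REPO_ROOT="${REPO_ROOT:-/var/netwitness/srv/www/rsa/updates}"
REPO_FILE="${REPO_FILE:-/etc/yum.repos.d/sa.repo}"

# Print the Java packages still staged in the repository (targets of step 3).
staged_java() {
    for f in "$1"/RemoteRPMs/sa/java-1.7.0-openjdk-*; do
        if [ -e "$f" ]; then printf '%s\n' "${f##*/}"; fi
    done
}

# Succeed if the repository metadata still advertises the Java packages,
# i.e. the files were removed but createrepo (step 5) has not been re-run.
# Assumption: createrepo wrote repodata/*primary.xml.gz.
metadata_lists_java() {
    for m in "$1"/repodata/*primary.xml.gz; do
        [ -e "$m" ] || continue
        if gzip -dc "$m" | grep -q 'java-1\.7\.0-openjdk'; then return 0; fi
    done
    return 1
}

# Succeed only if the repo file contains "enabled = 1" (step 6),
# tolerating whitespace around "=".
repo_enabled() {
    grep -Eq '^[[:space:]]*enabled[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Run all three checks; return 0 only when step 7 can proceed.
ready_for_downgrade() {
    root="$1"; repofile="$2"; rc=0
    if [ -n "$(staged_java "$root")" ]; then
        echo "FAIL: Java packages still staged:"; staged_java "$root"; rc=1
    fi
    if metadata_lists_java "$root"; then
        echo "FAIL: metadata still lists Java; re-run createrepo"; rc=1
    fi
    if ! repo_enabled "$repofile"; then
        echo "FAIL: $repofile is not enabled"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: repository ready for 'yum downgrade java'"
    return "$rc"
}
# Usage on the SA server: ready_for_downgrade "$REPO_ROOT" "$REPO_FILE"
```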

Security Analytics UI is accessible but Reporting Engine and Incident Management modules are unable to connect
  1. Log in to the Security Analytics UI as an administrative user.
  2. Browse to the Administration -> System page.
  3. Click on Updates in the left menu bar.
  4. Search for java in the search bar in the upper-right corner of the page.
  5. Select the java-1.7.0-openjdk- and java-1.7.0-openjdk-devel- packages.
  6. Click on the Delete ( - ) button to remove them.
  7. Click on the Synchronize Now button to synchronize with the updates repository.
  8. Connect to the Security Analytics server appliance via SSH as the root user.
  9. Downgrade the Java package.
    yum downgrade java -y

  10. Reboot the appliance.

  11. Perform steps 8-10 on the Event Stream Analysis (ESA) appliance as well.
Malware Analysis service is not functional
  1. Connect to the Malware Analysis appliance via SSH as the root user.
  2. Uninstall the openjdk-devel package.
    rpm -e java-1.7.0-openjdk-devel-

  3. Downgrade the Java package.
    yum downgrade java -y

  4. Install the openjdk-devel package again.
    yum install java-1.7.0-openjdk-devel-

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.