000031713 - Configure Rapid 7 and/or Nessus to use alternative CNs instead of Hostname with RSA Vulnerability Risk Manager

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000031713
Applies To: RSA Product Set: Archer, Security Management
RSA Product/Service Type: Vulnerability Risk Manager (VRM)
RSA Version/Condition: 1.1 SP1
 
Issue: You are configuring a Nessus or Rapid 7 endpoint, the CN shared between the Nessus/Rapid 7 certificate and the VRM host file is something other than the hostname, and you receive the following error message in the Collector.log file:
 
03 Nov 2015 11:58:40,106 | DEBUG - TalendTasklet.executeJob(158) | getRapid7HostList: Releasing lock for job.
03 Nov 2015 11:58:40,106 | DEBUG - TalendJobUtil.connectToUrl(328) | Connecting to URL https://xxxxxxxxxxxxxxxxxxx:3780/api/1.1/xml without Proxy
03 Nov 2015 11:58:40,153 | ERROR - TalendJobUtil.getRapid7SessionID(274) | Failed to get Rapid7 session ID. Exiting the Talend Job sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
03 Nov 2015 11:58:40,168 | ERROR - GetRapid7HostList.tLogCatcher_1Process(2891) | Error occured processing GetRapid7HostList job. Message is java.lang.Exception:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
03 Nov 2015 11:58:40,168 | ERROR - TalendTasklet.execute(72) | getRapid7HostList: ERROR | Etl job failed with return code: 1
03 Nov 2015 11:58:40,168 | DEBUG - FilePropertyManagerImpl.setProperty(29) | Setting property rapid7.NARCALA_INT.getRapid7HostList.lastStatus to ERROR

Resolution: Set "sslHostNameVerification" to "false" in the listed configuration files:
  • vrm-endpoint-beans.xml:  change the rapid7Endpoint property "sslHostNameVerification" to "false"
  • rapid7-beans.xml:  change all instances of "sslHostNameVerification" to "false"
Notes: By default, the endpoints expect a hostname-based CN between Nessus/Rapid 7 and the host file.
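
To see which scanner URL the collector was contacting when this error was raised, the Collector.log entries can be parsed and each failure paired with the preceding connection attempt. The Python below is an added example, not RSA code; the sample log is constructed in the layout shown in the Issue section with placeholder host names, and the function names are hypothetical.

```python
import re

# Constructed sample in the Collector.log layout shown above:
# "<dd Mon yyyy HH:MM:SS,mmm> | <LEVEL> - <Class.method(line)> | <message>"
# The host names are placeholders.
SAMPLE_LOG = (
    "03 Nov 2015 11:58:40,106 | DEBUG - TalendJobUtil.connectToUrl(328) | "
    "Connecting to URL https://scanner.example.test:3780/api/1.1/xml without Proxy "
    "03 Nov 2015 11:58:40,153 | ERROR - TalendJobUtil.getRapid7SessionID(274) | "
    "Failed to get Rapid7 session ID. Exiting the Talend Job "
    "sun.security.validator.ValidatorException: PKIX path building failed: "
    "sun.security.provider.certpath.SunCertPathBuilderException: "
    "unable to find valid certification path to requested target "
    "03 Nov 2015 11:59:02,010 | DEBUG - TalendJobUtil.connectToUrl(328) | "
    "Connecting to URL https://other.example.test:3780/api/1.1/xml without Proxy"
)

# Entries start at a timestamp; splitting on a lookahead also handles logs
# whose entries were pasted onto a single line.
ENTRY_START = re.compile(r"(?=\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2},\d{3} \| )")
ENTRY = re.compile(
    r"(?P<ts>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2},\d{3}) \| (?P<level>\w+) - "
    r"(?P<source>\S+) \| (?P<msg>.*)", re.S)
URL = re.compile(r"Connecting to URL (\S+)")
SIGNATURE = "PKIX path building failed"

def parse_entries(text):
    """Split raw log text into dicts with ts, level, source and msg."""
    chunks = (c.strip() for c in ENTRY_START.split(text))
    return [m.groupdict() for m in map(ENTRY.match, chunks) if m]

def failing_endpoints(text):
    """Return (timestamp, url, source) for each ERROR entry carrying the
    signature, paired with the most recent 'Connecting to URL' entry."""
    hits, last_url = [], None
    for e in parse_entries(text):
        url = URL.search(e["msg"])
        if url:
            last_url = url.group(1)
        if e["level"] == "ERROR" and SIGNATURE in e["msg"]:
            hits.append((e["ts"], last_url, e["source"]))
    return hits

if __name__ == "__main__":
    for ts, url, source in failing_endpoints(SAMPLE_LOG):
        print(f"{ts}  {url}  ({source})")
```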
