000031295 - How to synchronize RSA ECAT 4.1.x when the RSA ECAT Server has no internet access

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 6

Article Content

Article Number: 000031295
Applies To:
RSA Product Set: ECAT
RSA Product/Service Type: ECAT
RSA Version/Condition: 4.1.0.x, 4.1.1.x
Platform: Windows
Issue
How to manually synchronize RSA ECAT 4.1.[0|1].x when the RSA ECAT Server has no internet access?
Background:
Ordinarily, an RSA ECAT Server with internet access will periodically (daily) access the internet for certain updates:
  • Trusted Root certificates and Certificate Revocation Lists (CRLs) for modules discovered by the ECAT Server.
  • RSA Live feeds, for any updates to the RSA Security Analytics (SA) Live Feeds that have been subscribed to (an RSA Live login is required).
  • Kernel Data, for any update to the list of Windows Operating Systems recognizable by the ECAT Agent.
An RSA ECAT Server without internet access will not be able to obtain these updates automatically.
Tasks
The download(s) can be done manually from any PC which has access to the Internet, using the ECAT Server ConsoleServerSync.exe program.
There are three (3) steps to using the ConsoleServerSync.exe program.
1. Create the revocation_urls_live.xml file, selecting which download actions are wanted.
2. Download the data from the Internet for the chosen items.
3. Import the downloaded files into the ECAT Server SQL Server database.
For RSA ECAT 4.1.2.x, see instead the alternate RSA Knowledgebase article on how to run the new ConsoleServerSync.exe program: How to synchronize RSA ECAT 4.1.2.x when the RSA ECAT Server has no Internet access
Resolution
1. Create the revocation_urls_live.xml file.
On the ECAT Server, create the necessary revocation_urls_live.xml file (no internet access is required for this step).
Start a command prompt, and change to the directory for the ConsoleServerSync.exe program (default c:\ECAT\Server directory)
cd /d c:\ECAT\Server
a. If only the Trusted Root certificates and CRLs are required, run the command:
ConsoleServerSync.exe 1 crl
b. If only the RSA Live feeds are required, run the command:
ConsoleServerSync.exe 1 live
c. If only the Kernel Data is required, run the command:
ConsoleServerSync.exe 1 kernel
Sample Screen Output:
Connecting to database...
Enter the SQL Security Password?
*******
Getting unsupported kernel data...
Writing file...
DONE!
Press any key to continue...

Enter the SQL Server password at the start, and press any key to finish.
This creates the file revocation_urls_live.xml in the current directory, containing only the following lines.
 
<?xml version="1.0" encoding="utf-8"?>
<Sync>
<EcatCertificateSynch />
<EcatLiveFeedSynch />
<KernelErrors />
</Sync>

d. For all options, run the command:
ConsoleServerSync.exe 1

2. Download data from the Internet
Copy the following files from the ECAT Server (default directory location C:\ECAT\Server) to a working directory on the PC which has internet access: ConsoleServerSync.exe, ConsoleServerSync.exe.config and revocation_urls_live.xml.
Note: In order to run ConsoleServerSync.exe on the PC, the Microsoft .NET 4.5 Full framework must be installed. It can be downloaded from the Microsoft website: Microsoft .NET Framework 4.5
From a command prompt, change to the directory for the ConsoleServerSync.exe program, and run the command:
ConsoleServerSync.exe 2
After entering the ECAT Server SQL Server database password, the output depends on what is to be downloaded.
a. Trusted Root certificates and CRLs.
The HTTP sites for the Trusted Root certificates and CRLs are shown.
The files trusted_roots.dat and revocation_lists.dat are created in the directory where the ConsoleServerSync.exe program is run.
Note: Some third party sites may not allow access, or the module may have an incorrect URL; these errors should be ignored.
b. RSA Live feeds.
Enter a valid RSA Live username and password when prompted.
Under the directory where the ConsoleServerSync.exe program is run, a directory named feed is created and the subscribed feed zipfiles are downloaded into it.
c. Kernel Data.
Sample Screen Output:
Reading revocation URL file...
Uuids count = 0
Downloading kernel data from RSA Live...
RSA Live. The file kernel_data.csv has been successfully downloaded
DONE!
Press any key to continue...

This creates the file kernel_data.csv in the current directory, which as of September 2015 was 666KB in size and contained 579 lines of data, of which the first line is a heading line.

3. Import downloaded files into the ECAT Server SQL Server database.
The import can be done from the PC with the internet access, but network access to the SQL Server database must be reliable during the import.
Alternatively, copy the downloaded files to the ECAT Server directory containing the ConsoleServerSync.exe program (default directory location C:\ECAT\Server).
From a command prompt, change to the directory for the ConsoleServerSync.exe program, and run the command:
ConsoleServerSync.exe 3
After entering the ECAT Server SQL Server database password, the output depends on which of these files exist:
a. Files trusted_roots.dat and revocation_lists.dat
b. Zipfiles under the feed directory
c. File kernel_data.csv
Sample Screen Output:
Connecting to database...
Enter the SQL Security Password?
*******
Reading kernel data...
Updating database...
Saved kernel info 1 of 578
Saved kernel info 2 of 578
Saved kernel info 3 of 578
Saved kernel info 4 of 578
Saved kernel info 5 of 578
Saved kernel info 6 of 578
Saved kernel info 7 of 578
Saved kernel info 8 of 578
Saved kernel info 9 of 578
:
Saved kernel info 571 of 578
Saved kernel info 572 of 578
Saved kernel info 573 of 578
Saved kernel info 574 of 578
Saved kernel info 575 of 578
Saved kernel info 576 of 578
Saved kernel info 577 of 578
Saved kernel info 578 of 578
DONE!
Press any key to continue...
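As an added check that is not part of the RSA article or the ConsoleServerSync.exe tool: before running Phase 3, verify that the Phase 2 output copied across to the ECAT Server matches a SHA-256 manifest created on the internet-connected PC, so a corrupted or altered transfer is caught before it reaches the database. The script assumes PowerShell 4.0 or later (for Get-FileHash), the default C:\ECAT\Server directory, and a manifest file name (sync_manifest.sha256) chosen here.

```powershell
# Added example, not from the RSA article or the ConsoleServerSync.exe tool.
# Run with -Mode Create on the internet-connected PC after Phase 2, copy the
# files plus the manifest to the ECAT Server, then run with -Mode Verify there
# before "ConsoleServerSync.exe 3". Assumes PowerShell 4.0+ (Get-FileHash).
param(
    [ValidateSet('Create', 'Verify')] [string]$Mode = 'Verify',
    [string]$SyncDir = 'C:\ECAT\Server',
    [string]$Manifest = 'sync_manifest.sha256'   # file name is an assumption
)
# Files Phase 2 may produce; the "feed" folder holds the RSA Live zipfiles.
$expected = @('trusted_roots.dat', 'revocation_lists.dat', 'kernel_data.csv')
$present  = @($expected | Where-Object { Test-Path (Join-Path $SyncDir $_) })
$feedDir  = Join-Path $SyncDir 'feed'
if (Test-Path $feedDir) {
    $present += Get-ChildItem $feedDir -Filter *.zip | ForEach-Object { "feed\$($_.Name)" }
}
$manifestPath = Join-Path $SyncDir $Manifest

if ($Mode -eq 'Create') {
    if ($present.Count -eq 0) { throw "No Phase 2 output found in $SyncDir" }
    $present | ForEach-Object {
        $hash = (Get-FileHash -Algorithm SHA256 (Join-Path $SyncDir $_)).Hash
        "$hash  $_"
    } | Set-Content -Path $manifestPath -Encoding ASCII
    Write-Host "Wrote $($present.Count) entries to $manifestPath"
}
else {
    # Every manifest entry must exist and hash identically; otherwise stop.
    $bad = 0
    $entries = @(Get-Content $manifestPath)
    foreach ($line in $entries) {
        $hash, $rel = $line -split '\s+', 2
        $path = Join-Path $SyncDir $rel
        if (-not (Test-Path $path)) { Write-Warning "Missing: $rel"; $bad++; continue }
        if ((Get-FileHash -Algorithm SHA256 $path).Hash -ne $hash) {
            Write-Warning "Hash mismatch: $rel"; $bad++
        }
    }
    # Files present on the server but absent from the manifest did not come
    # from the verified Phase 2 run; flag them rather than import blindly.
    $listed = $entries | ForEach-Object { ($_ -split '\s+', 2)[1] }
    foreach ($f in $present) { if ($listed -notcontains $f) { Write-Warning "Unlisted: $f"; $bad++ } }
    if ($bad -gt 0) { throw "$bad problem(s) found; do not run ConsoleServerSync.exe 3" }
    Write-Host "All $($entries.Count) files verified"
}
```

Carry the manifest (or at least its own hash) to the ECAT Server by a path separate from the data files, so a single altered transfer medium cannot replace both.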
Notes
a. Running ConsoleServerSync.exe from a command prompt without any parameter shows the following usage guide and prompts for an action. Use Control-C to exit the program without taking any action.
C:\ECAT\Server>ConsoleServerSync.exe
Enterprise Compromise Assessment Tool Console
Copyright © 2015 EMC Corporation All Rights Reserved.
-----------------------------------------------------------------------------
This tool is meant to be used to allow the synchronization of trusted certificate roots, certificate revocation lists (CRLs), RSA Live feeds and kernel data with the Internet when the ECAT server is used in an isolated environment. It must be used in three phases:
1) Export of source data from the database
For this phase, this executable must have network access to the database. A file named "revocation_urls_live.xml" will be created.
2) Collection of trusted roots, download of CRLs, RSA Live feeds and kernel data
For this phase, this executable must have access to the Internet. It is also recommended that the machine be up to date with Windows Updates in order to have the latest trusted certificate roots. The file "revocation_urls_live.xml" must be present in the same folder. Files named "revocation_lists.dat", "trusted_roots.dat", "kernel_data.csv" and folder named "feed" may be created.
3) Import of collected data to the database
For this phase, this executable must have network access to the database. The files "revocation_lists.dat", "trusted_roots.dat", "kernel_data.csv" and folder named "feed", if generated in Phase 2 must be present in the same folder.
To sync CRLs and trusted root certificates only, run Phase 1 as "ConsoleServerSync.exe 1 crl". Run Phase 2 and 3 as usual.
To sync RSA Live only, run Phase 1 as "ConsoleServerSync.exe 1 live". Run Phase 2 and 3 as usual.
To sync kernel data only, run Phase 1 as "ConsoleServerSync.exe 1 kernel". Run Phase 2 and 3 as usual.
Enter the number of the phase to execute:

b. Depending on the internet speed and the number of modules discovered in the ECAT Server, the download of Trusted Root certificates and CRLs can take hours to complete.
c. The import only imports data that is not already in the ECAT Server SQL Server database.
d. Imported Kernel Data covers only the Unsupported Kernels reported by the ECAT Server for which the RSA ECAT Team has an update.
If your ECAT Server is unable to report Unsupported Kernel information, then the Kernel Data will only get updated when another customer's ECAT Server reports that Kernel version.
e. After the Kernel Data is imported, the ECAT Agent receives the kernel signatures at its next beacon. The ECAT Agent driver is restarted immediately after receiving the kernel signatures, but a quick scan (even of processes only) or a tracking event is needed to confirm this and clear the unsupported kernel icon in Machines (an icon of a computer monitor with a yellow triangle in the bottom right).
f. For ECAT 3.x and 4.0.x, see instead the alternate RSA Knowledgebase article on how to run the ConsoleCertificateSynch.exe program: How to synchronize certificates when the RSA ECAT server has no internet access
