000029468 - How to reset the RSA Security Analytics Incident Management DB account password

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Sep 8, 2018.
Version 4

Article Content

Article Number: 000029468

Applies To
RSA Product Set: NetWitness, Security Analytics
RSA Product/Service Type: Security Analytics Server, Incident Management, ESA
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
Platform: CentOS
Platform (Other): MongoDB
O/S Version: EL6

Issue

Unable to start the Incident Management (rsa-im) service.

The Incident Management log file, im.log, shows that there was a configuration change and that authentication fails during service start.

    egrep "MongoDbConfiguration|Failed" /opt/rsa/im/logs/im.log

2018-09-07 01:20:03,409 [Carlos@68e6058-182] INFO  com.rsa.netwitness.carlos.config.ConfigurationMXBean - MongoDbConfiguration changed by admin
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'imAggregationRuleMigration': Invocation of init method failed; nested exception is org.springframework.data.mongodb.CannotGetMongoDbConnectionException: Failed to authenticate to database [im], username = [im], password = [********]
Caused by: org.springframework.data.mongodb.CannotGetMongoDbConnectionException: Failed to authenticate to database [im], username = [im], password = [********]
Resolution

The following steps guide the user through the process of changing the Incident Management (IM) database account password.

For more information, see the document entitled ESA Config: Change Incident Management Storage Password in the RSA NetWitness Platform documentation.
 

A. Change the im password in the ESA mongo database



  1. Connect to the ESA appliance via SSH as the root user.
  2. Log onto the MongoDB for Incident Management as the admin user by issuing the command below.

    mongo im -u admin -p <current_password> --authenticationDatabase admin


    NOTE: The default admin password is netwitness.  Substitute <current_password> with the correct password.


  3. Execute the command below to change the im account password.

    db.changeUserPassword('im','<new_password>')


    NOTE: The default im password is im.  Substitute <new_password> with the desired value.


  4. Log off from the MongoDB.

    exit



B. Change the im account password to the clear-text value, if the Incident Management service won't start


When the Incident Management (rsa-im) service is down and is configured with an unknown password, the configuration file must be changed manually to the known password value from step A above.  If the Incident Management (rsa-im) service is up, skip to step C below.

 


  1. Connect to the SA Server appliance, where the Incident Management (rsa-im) service runs, via SSH as the root user.
  2. Back up the mongoDbConfig.json file.

    cp -p /opt/rsa/im/conf/mongoDbConfig.json /opt/rsa/im/conf/mongoDbConfig.json.bak

  3. Change the hashed password value in the mongoDbConfig.json file to the known password as clear-text, with an editor like vi.

    [root@APJGSSASRV conf]# vi /opt/rsa/im/conf/mongoDbConfig.json

    {"type": "Dictionary","dictionary": {"entry": [
    {"key": "Password","value": {"type": "String","string": "QFs68vN4KhyEzcHqStYZUQfHlm0zM+1MRIJKHsvfOHKC6BKn91EEcK1UiAJLlZZVwN2YIE8ZHTAE\r\ndBV3JWVGng==\r\n"}},
    {"key": "Host","value": {"type": "String","string": "10.62.31.198"}},
    {"key": "DatabaseName","value": {"type": "String","string": "im"}},
    {"key": "Username","value": {"type": "String","string": "im"}},
    {"key": "QueryTimeout","value": {"type": "Number","number": {"type": "INT_32","int32": 40}}},
    {"key": "Port","value": {"type": "Number","number": {"type": "INT_32","int32": 27017}}}
    ]}}


    In the example above, the portion of the configuration file that holds the hashed password string appears as:

    {"key": "Password","value": {"type": "String","string": "QFs68vN4KhyEzcHqStYZUQfHlm0zM+1MRIJKHsvfOHKC6BKn91EEcK1UiAJLlZZVwN2YIE8ZHTAE\r\ndBV3JWVGng==\r\n"}}

    Change the hashed password string to the known password as clear-text, for example:

    {"key": "Password","value": {"type": "String","string": "im"}}

  4. Save the configuration change.
  5. Start the Incident Management (rsa-im) service.

    service rsa-im start

When the Incident Management (rsa-im) service is running, follow step C below to re-hash the password into the configuration file, mongoDbConfig.json.
 


C. Change the im account password in the Security Analytics UI


With the Incident Management (rsa-im) service running:

  1. In the Security Analytics UI, navigate to Administration -> Services.
  2. Select the Incident Management service, click on the Actions button, and select View -> Explore.
  3. In the directory tree, navigate to Incident Management -> Service -> configuration -> database.
  4. Change the value for Password to the new password created in the previous step A.
  5. Restart the Incident Management service with the steps below to reflect the change.
    • In the Security Analytics UI, navigate to Administration -> Services.
    • Select the Incident Management service, click on the Actions button, and select Restart.


If you are unsure of any of the steps above or experience any issues, contact RSA Support, and quote this article number for further assistance.
Notes

To verify that the new password entered into the UI matches that of the database:
  1. The rsa-im service will be able to start.
  2. Navigate to Incidents -> Alerts within the RSA Security Analytics UI.  If new Alerts appear and the content is displayed as expected, then the password change was successful.
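
Step B leaves the im password in clear-text in mongoDbConfig.json until step C re-hashes it. The following check is an added example, not part of the RSA article or product: it classifies the Password entry as still clear-text (flagging the defaults named above) or already in the encoded form. The 16-byte base64 threshold, the function names and the sample values are assumptions made for illustration; a clear-text password that happens to be valid base64 of that length would be misread as encoded.

```python
import base64
import binascii
import json

# Defaults named in the article; a clear-text value matching one is worth flagging.
DOCUMENTED_DEFAULTS = {"im", "netwitness"}
MIN_ENCODED_BYTES = 16  # assumption: protected values decode to at least this many bytes


def get_entry(config_text, key):
    """Return the string stored under `key` in the Dictionary-style JSON."""
    doc = json.loads(config_text)
    for entry in doc["dictionary"]["entry"]:
        if entry["key"] == key:
            return entry["value"]["string"]
    raise KeyError(key)


def classify_password(config_text):
    """Classify the Password entry: 'encoded', 'cleartext-default' or 'cleartext'."""
    value = get_entry(config_text, "Password")
    compact = "".join(value.split())  # drop the \r\n breaks of line-wrapped base64
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        raw = b""
    if len(raw) >= MIN_ENCODED_BYTES:
        return "encoded"
    return "cleartext-default" if value in DOCUMENTED_DEFAULTS else "cleartext"


def make_config(password_value):
    """Build a constructed sample in the same layout as mongoDbConfig.json."""
    def s(k, v):
        return {"key": k, "value": {"type": "String", "string": v}}
    return json.dumps({"type": "Dictionary", "dictionary": {"entry": [
        s("Password", password_value), s("Host", "192.0.2.10"),
        s("DatabaseName", "im"), s("Username", "im")]}})


# Constructed samples: state after step B (clear-text) and after step C (re-encoded).
AFTER_STEP_B = make_config("im")
AFTER_STEP_C = make_config(
    base64.encodebytes(bytes(range(64))).decode().replace("\n", "\r\n"))

if __name__ == "__main__":
    for name, cfg in (("after step B", AFTER_STEP_B), ("after step C", AFTER_STEP_C)):
        print(name, "->", classify_password(cfg))
```

To check a real appliance, pass the contents of /opt/rsa/im/conf/mongoDbConfig.json (and of the .bak copy made in step B) to classify_password.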
