000012633 - RSA Archer Security Operations Management (SecOps) solution is no longer receiving alerts from RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000012633
Issue: RSA Archer Security Operations Management (SecOps) solution is no longer receiving alerts from RSA Security Analytics.
The following errors are observed in rsa_connector.log on the RSA Connector Framework (RCF) server:
Month DD, YYYY H:MM:SS AM/PM com.rsa.connector.framework.components.datastore.archer.ArcherDataStore
WARNING: PERF(Archer DS readRecord invoked)
Month DD, YYYY H:MM:SS AM/PM com.rsa.connector.framework.components.datastore.archer.ArcherWSHelper
WARNING: Can not communicate with Archer. Please check Archer host details, credentials and account permissions. This could be also because of invalid session.
Month DD, YYYY H:MM:SS AM/PM com.rsa.connector.framework.components.datastore.archer.ArcherWSHelper
WARNING: Request is set for retry. Archer Datastore will try again.
Month DD, YYYY H:MM:SS AM/PM com.rsa.connector.framework.components.datastore.archer.ArcherDataStore
SEVERE: Error while getting search ws
com.rsa.connector.framework.components.datastore.archer.exception.ArcherComunicationException: javax.xml.ws.WebServiceException: org.apache.cxf.interceptor.Fault: Response was of unexpected text/html ContentType.  Incoming portion of HTML stream: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IIS 8.0 Detailed Error - 403.4 - Forbidden</title>
<style type="text/css">
.
.
.
</style>
 
</head>
<body>
<div id="content">
<div class="content-container">
  <h3>HTTP Error 403.4 - Forbidden</h3>
  <h4>The page you are trying to access is secured with Secure Sockets Layer (SSL).</h4>
</div>
<div class="content-container">
 <fieldset><h4>Most likely causes:</h4>
  <ul>     <li>Secure Sockets Layer (SSL) is enabled for the URL requested.</li>     <li>The page request was made over HTTP, but the server requires the request from a secure channel that uses HTTPS.</li> </ul>
 </fieldset>
</div>
<div class="content-container">
 <fieldset><h4>Things you can try:</h4>
  <ul>     <li>Browse to the URL over a secure channel by using the "https:" prefix instead of "http:".</li>     <li>If the Web site does not have an SSL certificate or should not require HTTPS, disable the setting.</li>     <li>Verify the SSL Settings in IIS Manager by connecting to the server, site, application or page and opening the SSL Settings feature.</li>     <li>Verify the configuration/system.webserver/security/access@sslFlags attribute at the server, site, application, or page level.</li> </ul>
 </fieldset>
</div>
 
.
.
.
<div class="content-container">
 <fieldset><h4>More Information:</h4>
  This error means that the requested Web page requires SSL. Try to browse to the same URL, but use "https:" instead of "http:".
  <p><a href="http://go.microsoft.com/fwlink/?LinkID=62293&IIS70Error=403,4,0x80070005,9200">View more information &raquo;</a></p>
  
 </fieldset>
</div>
</div>
</body>
</html>
    at com.rsa.connector.framework.components.datastore.archer.ArcherWSHelper.login(ArcherWSHelper.java:506)
    at com.rsa.connector.framework.components.datastore.archer.ArcherWSHelper.getSessionToken(ArcherWSHelper.java:483)
    at com.rsa.connector.framework.components.datastore.archer.ArcherWSHelper.callArcher(ArcherWSHelper.java:397)
    at com.rsa.connector.framework.components.datastore.archer.ArcherDataStore.readRecord(ArcherDataStore.java:1038)
    at com.rsa.connector.plugin.em.EnterpriseManagementService.onApplicationDataReceived(EnterpriseManagementService.java:117)
    at com.rsa.connector.plugin.em.EnterpriseManagerScheduler.run(EnterpriseManagerScheduler.java:107)
Caused by: javax.xml.ws.WebServiceException: org.apache.cxf.interceptor.Fault: Response was of unexpected text/html ContentType.  Incoming portion of HTML stream: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

 
Cause: The issue is caused by a change in the IIS communication protocol preference on the RSA Archer web services servers. The communication protocol was switched from HTTP to HTTPS (SSL) while RCF was still configured to communicate over HTTP.
 
Resolution: To fix this issue, follow the steps below.
When RCF is installed on the same server as one of the RSA Archer web services servers:
***Note: The recommendation is to have RCF installed on a separate server, outside of the RSA Archer servers. If for some reason RCF is installed on the same server as one of the RSA Archer web services servers, RCF will not be able to communicate with the RSA Archer web services APIs over HTTPS (SSL) using 'Localhost' or an IP address. HTTPS requires RCF to communicate using the server name (FQDN / hostname) to which the SSL certificate was issued (the 'Issued to:' value on the SSL certificate).
RSA Archer web services servers are often behind a Network Load Balancer. The FQDN / DNS name of the Network Load Balancer (to which the SSL certificate is issued) may not be accessible over the local network, in which case use of 'Localhost' or an IP address will be necessary. ***

When RCF is on the same server as an RSA Archer web services server, the suggestion is to use 'localhost' addressing: create a secondary RSA Archer web application that allows RCF access over HTTP, and restrict access to that site so that only the local system can reach it. There is no need to change the RCF endpoint configuration.

When RCF is installed on its own server:
If the RSA Archer web services APIs are accessible through the Network Load Balancer FQDN / DNS name over HTTPS (meaning that the RSA Archer site is accessible without a certificate error or warning), follow the steps below to change the RCF endpoint configuration.

1- Log on to the RCF server and browse to '\EMC\RSA Connector Framework\plugins\secops'.
2- Locate the file named 'endpoint.properties' and take a backup of it. Edit this file and scroll down to lines 36, 37 and 41 to observe the existing values. These three lines hold the RSA Archer web services server name, the port, and whether SSL is enabled or disabled.
3- On line 36, change the value of the RSA Archer web services server to match the FQDN / hostname found in the 'Issued to:' field of the SSL certificate on the RSA Archer web services server, i.e. 'secops.archer.host_name=ArcherWebServer.domain.com'.
4- On line 37, change the value of the port to 443, i.e. 'secops.archer.port=443'.
5- On line 41, make sure that the value is set to enabled, i.e. 'secops.archer.ssl=Enabled'.
6- Save the changes to the file.
7- Browse to '\Install_Dir\EMC\RSA Connector Framework\tools' and locate the 'install_cert_Admin.bat' file. Execute this .bat file in a command prompt with the following parameters: 'install_cert_admin.bat ArcherWebServer.domain.com:443'. The parameters passed in this command are the values from steps 3 and 4.
8- Restart the 'RSA Connector Framework' service from the Services Control Manager (services.msc).
9- Test alert generation from RSA Security Analytics to the RSA Archer SecOps solution.
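
The following pre-restart check of the edited endpoint.properties is an added example, not part of the original article or of RSA's tooling. It validates the three settings from steps 3 to 5 against the certificate's 'Issued to:' name; the sample file contents, the 'before' values and the wildcard-certificate handling are assumptions that go beyond the case described above.

```python
import ipaddress

# Constructed samples of the three settings the article edits (lines 36, 37, 41).
BEFORE = "secops.archer.host_name=localhost\nsecops.archer.port=80\nsecops.archer.ssl=Disabled\n"
AFTER = ("secops.archer.host_name=ArcherWebServer.domain.com\n"
         "secops.archer.port=443\nsecops.archer.ssl=Enabled\n")

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def name_matches(host, issued_to):
    """Case-insensitive match; a '*.' wildcard covers exactly one left-most label."""
    host, issued_to = host.lower(), issued_to.lower()
    if issued_to.startswith("*."):
        return "." in host and host.split(".", 1)[1] == issued_to[2:]
    return host == issued_to

def check_endpoint(text, issued_to):
    """Return a list of findings; an empty list means steps 3-5 look consistent."""
    p = parse_properties(text)
    host = p.get("secops.archer.host_name", "")
    findings = []
    if p.get("secops.archer.ssl", "").lower() != "enabled":
        findings.append("ssl is not Enabled")
    if p.get("secops.archer.port") != "443":
        findings.append("port is not 443")
    if host.lower() == "localhost" or is_ip(host):
        findings.append("host_name is localhost or an IP")
    elif not name_matches(host, issued_to):
        findings.append("host_name does not match certificate 'Issued to'")
    return findings
```

An empty result only confirms the file is internally consistent with the certificate name supplied; the certificate import in step 7 and the alert test in step 9 are still required.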
 
Legacy Article ID: a65239
