000017290 - How to monitor an appliance using the CS Status pages in RSA Key Manager Appliance

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 4

Article Content

Article Number: 000017290

Applies To
RSA Product Set: Data Protection Manager
RSA Product/Service Type: Key Manager Appliance
RSA Version/Condition: RSA Key Manager Appliance 2.5, 2.7.x; RSA Data Protection Manager Appliance 3.1, 3.2., 3.5

Issue
How to check status or health of DPM Appliance for troubleshooting purposes?
Where to get the latest version of the DPM Status pages?

Resolution
The Status pages can be downloaded and installed on each DPM (RKM) appliance for troubleshooting purposes and proactive notifications.

For RSA Key Manager Appliance 2.x, use status pages version 1.x


To install the status pages:
  1. Download the status_1.4.14.tgz attached to this article.
  2. Transfer the file to the RKM appliance using SCP.
  3. Copy the file to /tmp.
  4. Run the following commands:

cd /tmp
gtar -zxvf status_1.4.14.tgz
./status/install.sh


For RSA Data Protection Manager Appliance 3.x (including 3.5.x), use status pages version 2.x


  1. Download status2.5.9.tgz attached to this article.
  2. Transfer the file to the uploads directory on the DPM Appliance using SCP and the ftpuser account.
  3. Run the following commands as the root user:

cd /home/ftpuser/uploads
tar zxvf status2.5.9.tgz
./status/install.sh



How to use status pages


  1. Once installed, access the status pages in a browser using the following URLs:

  2. After installing, you can also generate a full report in zip format to send to RSA Customer Support for further assistance, using the steps below:
    1. Log in via SSH.
    2. Run the following script as the root user and follow the steps:
/opt/rsa/setup/sh/cs_get_status.sh


 

  3. You can also run the following command from a single appliance to get the report for all appliances.

/opt/rsa/setup/sh/cs_get_status.sh all


How to configure the Get Key Test


To fully leverage the Status Pages proactive notifications, you must configure the DPM Test Client provided with the status pages. For this you will need:
  1. A FIPS-compliant PKCS#12 certificate (.p12) file and its password. It is called getkey_test.p12 in the steps that follow.
  2. The Root CA certificate of the DPM appliance web server TLS certificate. It is called DPMRoot.pem in the steps that follow.

Steps


  1. Transfer your client certificate to the appliance and copy it to /opt/certs.
  2. Set its mode to 644 so it is readable by the tomcat user:
chmod 644 /opt/certs/getkey_test.p12 /opt/certs/DPMRoot.pem

  3. Store the PKCS#12 password in the Status Pages lockbox. Run the following command, replacing <password> with the actual PKCS#12 password. [space] stands for a literal leading space; in a bash shell with HISTCONTROL set to ignorespace or ignoreboth, a command typed with a leading space is not saved to the shell history.
[space] /opt/rsa/setup/sh/cs_lockbox.sh /opt/rsa/cs/secrets put CS_P12PASS <password>

  4. Create a new Identity Group, Identity and Key Class. Log in to the DPM Server Administration console (/KMS) and:
    1. Create a new Identity Group called "HealthCheck".
    2. Create a new Identity called "HealthCheck". Add the public certificate that matches your PKCS#12.
    3. Create a new Key Class called "HealthCheck", which is of the type AES, 256 bit, CBC mode, Infinite duration, "Use current key" and "Allow auto-generation".
  5. Edit the Get Key Test configuration file at /opt/rsa/cs/getkey.conf with the following details:

ROOTCA=/opt/certs/DPMRoot.pem
P12=/opt/certs/getkey_test.p12
KEYCLASS=HealthCheck


  6. Verify that your configuration is correct by opening the URL https://<yourAppliance>/status/getkey
  7. If there are any errors, review the log file located at /var/log/cs/status.log
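
The file checks implied by the steps above, as an added example that is not part of the RSA status pages: it reads ROOTCA, P12 and KEYCLASS from a getkey.conf-style file and verifies that the referenced files exist and carry 644-style permissions (readable by others, not group- or world-writable). The function names and the temporary sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not RSA's code): preflight check for the Get Key Test settings.
# conf_value FILE KEY: print the value of KEY=... with trailing blanks removed
conf_value() {
    sed -n -e 's/[[:space:]]*$//' -e "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# has_perm FILE BITS: true when FILE has all of the octal permission BITS set
has_perm() {
    [ -n "$(find "$1" -prune -perm -"$2" 2>/dev/null)" ]
}

# check_getkey_conf FILE: return 0 when every check passes, 1 otherwise
check_getkey_conf() {
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }
    for key in ROOTCA P12; do
        path=$(conf_value "$conf" "$key")
        if [ -z "$path" ]; then
            echo "FAIL: $key is not set"; rc=1
        elif [ ! -f "$path" ]; then
            echo "FAIL: $key points to a missing file: $path"; rc=1
        elif has_perm "$path" 020 || has_perm "$path" 002; then
            echo "FAIL: $path is group- or world-writable (expected 644)"; rc=1
        elif ! has_perm "$path" 004; then
            echo "FAIL: $path is not world-readable (expected 644)"; rc=1
        else
            echo "OK:   $key=$path"
        fi
    done
    [ -n "$(conf_value "$conf" KEYCLASS)" ] || { echo "FAIL: KEYCLASS is not set"; rc=1; }
    return "$rc"
}

# Constructed sample: throwaway files checked with mode 666, then with mode 644.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/DPMRoot.pem"; : > "$d/getkey_test.p12"
    printf 'ROOTCA=%s\nP12=%s\nKEYCLASS=HealthCheck\n' \
        "$d/DPMRoot.pem" "$d/getkey_test.p12" > "$d/getkey.conf"
    chmod 666 "$d/DPMRoot.pem" "$d/getkey_test.p12"
    first=0; check_getkey_conf "$d/getkey.conf" || first=$?
    chmod 644 "$d/DPMRoot.pem" "$d/getkey_test.p12"
    second=0; check_getkey_conf "$d/getkey.conf" || second=$?
    rm -rf "$d"
    echo "mode 666 -> exit $first, mode 644 -> exit $second"
}
demo
```

On an appliance, replace the demo call with check_getkey_conf /opt/rsa/cs/getkey.conf to check the real configuration file.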
Notes
The status pages may be updated as necessary. If an older version of the status pages is already installed and a newer version becomes available, simply follow the same install process as described above and all files will be updated to the newer version accordingly.
If needed, the status pages can be uninstalled using /opt/tomcat/webapps/status/uninstall.sh.

Legacy Article ID: a50102
