000028094 - Cannot use Security Analytics 10.3 services with NetWitness Informer 2.0.5.6

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000028094
Applies ToRSA Security Analytics
RSA Security Analytics 10.3
RSA NetWitness Informer
RSA NetWitness Informer 2.0.5.6
IssueCannot use Security Analytics 10.3 services with NetWitness Informer 2.0.5.6.
After upgrading to Security Analytics 10.3.x, Informer is no longer able to use the concentrator or broker as a Data Source.
InformerService.log contains the following Exceptions in GetSessionDBRange & RunAlert:
2014-01-14 00:34:16.9740 (InformerUtils) Exception in GetSessionDBRange - SDK indicated an error occurred calling NwSession
2014-01-14 00:34:17.0208 (AlertWorker) Exception in RunAlert - Server must be busy as Informer has received a session ID range of [1,0]. Alerts cannot be run at this time.
2014-01-14 00:35:42.4271 (HandleWatcher) Connection check failed because connect failed with error "a connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond" ... the engine will try to reconnect until a valid connection to a NetWitness data source is made.
2014-01-14 00:35:45.9896 (AgentJob) NetWitness Informer Engine has lost its connection. The service will attempt to reconnect until a valid connection can be made.

 
Resolution

The cause is due to a change in the Authentication method.
The workaround is to replace cnwsdk.dll with NetWitness 9.8.5.15 C SDK file (x32 DLL) or later. Attached is DLL from 9.8.5.17 SDK.
1) Download a63918_cnwsdk.zip from this KB article and copy to the filesystem somewhere on the Informer Appliance. Extract a63918_cnwsdk.dll from the zip file and rename file to cnwsdk.dll
2) Stop the NetWitness Informer Service
3) Navigate to the Informer Service directory which is located here C:\Program Files\NetWitness\NetWitness Informer Service
4) Make a backup copy of the current file called cnwsdk.dll
5) Overwrite the cnwsdk.dll with the file downloaded in Step 1
6) Start the Informer service


 

Download cnwsdk.dll from here: a63918_cnwsdk.zip

Legacy Article IDa63918

Attachments

    Outcomes