|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: Malware Analysis
RSA Version/Condition: 10.4.1.1
O/S Version: EL6
|Issue||The Sandbox module in the Malware Analysis tool is not populating with any numbers. The following error message is seen in spectrum|
2015-11-02 14:39:30,358 [nextGenEventExecutor-18(ModuleTask@2b4e6e5f <IP_Address>:56003/65503783756)]
ERROR com.netwitness.api.services.result.EvaluationContext -
Exception raised while evaluating event 65503783756 : java.security.ProviderException: java.security.KeyException
|Cause||This errors occurs when the installed Java version is not correct.|
|Resolution||To resolve the error, download the correct version of Java associated with that specific version of Security Analytics by following the instructions below.|
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
- Download the correct Java rpm package, java-1.7.0-openjdk-22.214.171.124-126.96.36.199.el6_6.x86_64.rpm from the Red Hat Customer Portal.
- Stop the rsaMalwareDevice service:
- Install the rpm package:
rpm -ivh java-1.7.0-openjdk-188.8.131.52-184.108.40.206.el6_6.x86_64.rpm --force
- Once this has been completed, remove the Java version that is installed and causing the error on the Malware Analysis module:
rpm -evh java-1.7.0-openjdk-220.127.116.11-18.104.22.168.el6_7.x86_64
- Connect to the Security Analytics server via SSH as the root user.
- Modify the file /etc/puppet/modules/java/manifests/init.pp and comment out the line ensure => latest, as shown below.
ensure => installed,
#ensure => latest,
When specifying latest, Puppet installs a package if absent and upgrades the package to a newer version when they become available. In this instance, an older version needs to be installed so the ensure command is commented out. This prevents the Java package from reverting back to its original version and uses the version that is currently installed.
- Perform a puppet catalog run on the Malware Analysis appliance.
puppet agent -t
- Start the rsaMalwareDevice service again.
|Workaround||Sometimes just having a package present isn't enough. You also want to ensure it stays up to date. By specifying latest, Puppet will install a package if absent and upgrade the package to newer versions when they become available. This last part is where latest differs from installed.|