000031847 - RSA Security Analytics Malware Analysis Sandbox is not populating with numbers (Exception raised while evaluating event xxx)

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000031847
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Malware Analysis
RSA Version/Condition:
Platform: CentOS
O/S Version: EL6
IssueThe Sandbox module in the Malware Analysis tool is not populating with any numbers. The following error message is seen in spectrum
2015-11-02 14:39:30,358 [nextGenEventExecutor-18(ModuleTask@2b4e6e5f <IP_Address>:56003/65503783756)] 
ERROR com.netwitness.api.services.result.EvaluationContext -
Exception raised while evaluating event 65503783756 : java.security.ProviderException: java.security.KeyException
CauseThis errors occurs when the installed Java version is not correct.
ResolutionTo resolve the error, download the correct version of Java associated with that specific version of Security Analytics by following the instructions below.
  1. Download the correct Java rpm package, java-1.7.0-openjdk- from the Red Hat Customer Portal.
  2. Stop the rsaMalwareDevice service:
    stop rsaMalwareDevice

  3. Install the rpm package:
    rpm -ivh java-1.7.0-openjdk- --force

  4. Once this has been completed, remove the Java version that is installed and causing the error on the Malware Analysis module:
    rpm -evh java-1.7.0-openjdk-

  5. Connect to the Security Analytics server via SSH as the root user.
  6. Modify the file /etc/puppet/modules/java/manifests/init.pp and comment out the line ensure => latest, as shown below.
    package {
    "java-1.7.0-openjdk" :
    ensure => installed,
    #ensure => latest,

    When specifying latest, Puppet installs a package if absent and upgrades the package to a newer version when they become available.  In this instance, an older version needs to be installed so the ensure command is commented out.  This prevents the Java package from reverting back to its original version and uses the version that is currently installed.
  7. Perform a puppet catalog run on the Malware Analysis appliance.
    puppet agent -t

  8. Start the rsaMalwareDevice service again.
    start rsaMalwareDevice

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
WorkaroundSometimes just having a package present isn't enough.  You also want to ensure it stays up to date. By specifying latest, Puppet will install a package if absent and upgrade the package to newer versions when they become available. This last part is where latest differs from installed.