000029233 - Health and Wellness collectd error "Could not find trusted session id in hello response" in RSA Security Analytics 10.4

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000029233
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI, Health and Wellness, Security Analytics Server
RSA Version/Condition: 10.4.0.0, 10.4.0.1, 10.4.0.2
Platform: CentOS
Platform (Other): collectd
O/S Version: EL6
IssueWhen checking the nodes which are experiencing the problem, a message similar to that below  is seen in /var/log/messages:
 
group=Administrators&cert=%2Fvar%2Flib%2Fpuppet%2Fssl%2Fcerts%2F1e652ffe-783d-4d56-92d4-fcd04298316e.pem&key=%2Fvar%2Flib%2Fpuppet%2Fssl%2Fprivate_keys%2F1e652ffe-783d-4d56-92d4-fcd04298316e.pem

Oct 12 22:08:15 LogHybrid-90 collectd[1939]: NgNativeReader_NwLogCollector-FastUpdate: nwsdk failure: NwOpen returned 0; code 0; error: Could not find trusted session id in hello response

Oct 12 22:08:15 LogHybrid-90 collectd[1939]: NgNativeReader_NwLogCollector-FastUpdate: failed to connect to device: failed to connect to nws://admin@localhost:56001/?group=Administrators&cert=%2Fvar%2Flib%2Fpuppet%2Fssl%2Fcerts%2F1e652ffe-783d-4d56-92d4-fcd04298316e.pem&key=%2Fvar%2Flib%2Fpuppet%2Fssl%2Fprivate_keys%2F1e652ffe-783d-4d56-92d4-fcd04298316e.pem

Note that this indicates a Certificate related issue (hello response and .pem extension are keys to this error)
ResolutionTo rectify this issue, ssh to the node that is experiencing the issue and login as root, then follow the set of directions specific to your device type below:
For concentrators, decoders and hybrids:
1. cd /etc/netwitness/ng/(service name)/trustpeer, then backup and remove the certificate for every service.
2. Run puppet agent -t to recreate the certificates again.
3. Check  /etc/netwitness/ng/(service name)/trustpeer if the certificates is recreated .
4. If the certificate fails to create, refer to solution  (000029232) and rectify whether this specific services runs under the puppet master mongo DB
For ESA, Malware, IM appliances:
1. cd /opt/rsa/carlos and backup and remove the certificate for every service.
2. Run puppet agent -t to recreate the certificates again.

3. Check  /etc/netwitness/ng/(service name)/trustpeer if the certificates is recreated .

4. If the certificate fails to create, refer to solution  (000029232) and rectify whether this specific services runs under the puppet master mongo DB

At this point, check the the logs, the issue should be resolved.

Attachments

    Outcomes