000029081 - "Unable to connect to endpoint" is displayed when adding 10.4.x appliances to RSA Security Analytics 10.4

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000029081
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI
RSA Version/Condition: 10.4.x
Platform: CentOS
O/S Version: 6
IssueAfter adding a 10.4.x new appliance to the RSA Security Analytics UI, a red error button is displays, which displays the following error message:
Unable to connect to endpoint

Red Error button with error pop-up message.

In addition, clicking the Discover button in the Security Analytics UI has no effect.
CauseThis issue occurs when the puppet certificates have not been properly issued to the appliance.
ResolutionIn order to resolve the issue, the puppet certificates will need to be reissued on the remote appliance by following the steps below.  
  1. Remove the failing appliance from the Security Analytics UI by clicking the Minus ( - ) button and selecting the Remove and Repurpose Appliance option.
  2. Connect to both the failed appliance and the Security Analytics server via SSH.
  3. On the appliance that is being added, issue the following command, then take note of the Node ID:   cat /var/lib/puppet/node_id
  4. On the Security Analytics server, issue the puppet cert list --all command to list all of the certificates known by puppet.
  5. Using the Node ID from Step 3, issue the command puppet cert clean <node_id> to remove the certificate from the SA server.  Perform this step regardless of whether the Node ID is listed from step 3.
  6. Issue the command vi /var/lib/puppet/ssl/ca/inventory.txt and remove the Node ID from Step 3 if it is listed.
  7. On the appliance to be added, issue the following command to remove any previously issued certificates:  rm -rf /var/lib/puppet/ssl
  8. Remove the service-specific certificates depending on what services are running on the appliance by issuing the commands below:
         NOTE: Replace <service> below with the service name, i.e. appliance, broker, concentrator, etc.
    • rm -f /etc/netwitness/ng/<service>/storedproc/*
    • rm -f /etc/netwitness/ng/<service>/trustpeers/*
    • rm -f /etc/netwitness/ng/<service>/truststore/*
  9. On the same appliance, regenerate the certificates by issuing the following command:  puppet agent -t --waitforcert 30
After performing the steps above, move to the Security Analytics UI and click on the Discover button on the Administration -> Appliances screen.  
At this point, the UI should be able to recognize the new appliance as expected.
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.