000029959 - Unable to add a certificate to the trust store of an RSA Security Analytics Log Collector because of empty subject name

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 3

Article Content

Article Number: 000029959
Applies To: RSA Product Set: RSA Security Analytics
RSA Product/Service Type: Log Collector, Security Analytics UI, Security Analytics Server
RSA Version/Condition: 10.3.x, 10.4.x, 10.5.0.0
 
Issue: The following issue has been observed when integrating Windows event sources (e.g. using WinRM) with a Log Collector, Virtual Log Collector (VLC), or RSA appliance.
  • Unable to add an event source certificate to the trust store of the Log Collector if the certificate has an empty subject name.
  • All previously added event source certificates disappeared from the Log Collector UI.
A newly added certificate in the Log Collector under Config -> Settings tab -> Certificates does not show up in the list of certificates despite "the certificate added successfully" message. Note that the PEM file of the new certificate is created and can be seen on the system drive in the directory /etc/netwitness/ng/truststore/.
Also, after the VLC config page is reloaded, all previously added certificates disappear from the UI, and no other certificates can be added or selected for the log source configuration.
When this occurs, the following exception appears in sa.log:
2015-03-27 11:07:14,731 [qtp1771963699-23912] ERROR org.atmosphere.handler.ReflectorServletProcessor - onRequest()
org.springframework.web.util.NestedServletException: Request processing failed; nested exception is com.rsa.smc.sa.common.exception.MessagingException: Failed to process message certmgmt for /logcollection  com.rsa.netwitness.carlos.transport.TransportException: No such node (certs) 

The same error "No such node (certs)" appears when listing certificates via REST:


[root@vlc truststore]# curl -u admin:netwitness -H "Content-Type: application/octet-stream"  'http://192.168.12.115:50101/logcollection?msg=certmgmt&op=list'
<?xml version="1.0" encoding="utf-8"?>
<error>400 Bad Request: No such node (certs)</error> 

The issue does not interfere with Windows log collection itself.

Cause: The issue occurs when a certificate contains a blank subject name.
Although the Subject name is dictated by SSL/TLS rules, Security Analytics does in fact require that a Subject Name be used.
Resolution: Use a subject line in all certificates that are created for use with Security Analytics.
To remove a certificate that does not contain a subject line, follow the Workaround section.
Regenerate the certificate with a subject line, then add it to Security Analytics again.
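A pre-upload check for the condition described under Cause, as an added example that is not RSA's code: it reads the subject Name directly from the certificate's DER encoding and reports whether it is empty. The function names and the constructed sample skeleton (unsigned, not a usable certificate) are assumptions made for illustration.

```python
import base64
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def subject_is_empty(pem_text):
    """True if the first certificate in pem_text has a zero-length subject Name."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode(match.group(1))
    _, pos, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(der, pos)      # tbsCertificate ::= SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                     # optional [0] version
        pos = end
    for _ in range(4):                  # serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(der, pos)
    tag, start, end = read_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("subject Name not found where expected")
    return start == end                 # empty SEQUENCE means no RDNs at all

def der_element(tag, content=b""):
    """Encode one short DER element (for the constructed sample only, < 128 bytes)."""
    return bytes([tag, len(content)]) + content

def sample_pem(subject_rdns):
    """Constructed certificate skeleton (unsigned, not usable) wrapped in PEM."""
    cn = der_element(0x31, der_element(0x30, der_element(0x06, b"\x55\x04\x03") + der_element(0x0C, b"issuer")))
    tbs = der_element(0x30, der_element(0xA0, der_element(0x02, b"\x02")) + der_element(0x02, b"\x01")
                      + der_element(0x30) + der_element(0x30, cn) + der_element(0x30) + der_element(0x30, subject_rdns))
    body = base64.b64encode(der_element(0x30, tbs)).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

if __name__ == "__main__":
    for path in sys.argv[1:]:           # PEM files to check before adding them
        with open(path) as handle:
            print(path, "EMPTY SUBJECT" if subject_is_empty(handle.read()) else "ok")
```

Run it with one or more PEM file paths as arguments before adding the certificates to the Log Collector.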
Workaround: To revert the certificate that does not contain a subject line, delete the failed certificate from the Log Collector:
  1. Navigate to the Explore view of the Log Collector. Right-click on the /logcollection node and select Properties.
  2. In the lower pane, select certmgmt from the drop-down menu. In the Parameters box enter (without quotes) and press Send.
Note: The <trusted store name> is the trust store name specified while adding the certificate. If you are not sure about the name, check the filename of the PEM file under /etc/netwitness/ng/truststore/ on the Log Collector.
To find the actual certificate stored on the LC, run cat /etc/netwitness/ng/logcollector/runtime/certificatemap:
    cat /etc/netwitness/ng/logcollector/runtime/certificatemap
    {
        "win2008": {
            "name": "win2008",

In the line "name": "win2008", the value win2008 is exactly the name you must enter in the box as the name parameter.

Example: "op=delete name=win2008" (without quotes)


A message that the certificate has been deleted will appear in the response box.
From the Log Collector/VLC, run:
stop nwlogcollector && start nwlogcollector
From the shell of the SA head appliance, run:
stop jettysrv && start jettysrv
