|Applies To||RSA Product Set: RSA Security Analytics|
RSA Product/Service Type: Log Collector, Security Analytics UI, Security Analytics Server
RSA Version/Condition: 10.3.x, 10.4.x, 10.5.0.0
|Issue||The following issue has been observed when trying to integrate Windows event sources (e.g. using WinRM) with a Log Collector, Virtual Log Collector (VLC) or RSA appliance.|
Also, after the VLC config page reload, all previously added certificates disappear from the UI, and no other certificates can be added or selected for the log source configuration.
When this occurs, the following exception appears in sa.log:
2015-03-27 11:07:14,731 [qtp1771963699-23912] ERROR org.atmosphere.handler.ReflectorServletProcessor - onRequest()
org.springframework.web.util.NestedServletException: Request processing failed; nested exception is com.rsa.smc.sa.common.exception.MessagingException: Failed to process message certmgmt for /logcollection com.rsa.netwitness.carlos.transport.TransportException: No such node (certs)
The same error, "No such node (certs)", appears when listing certificates via REST:
[root@vlc truststore]# curl -u admin:netwitness -H "Content-Type: application/octet-stream" 'http://192.168.12.115:50101/logcollection?msg=certmgmt&op=list'
<?xml version="1.0" encoding="utf-8"?>
<error>400 Bad Request: No such node (certs)</error>
The issue does not interfere with Windows log collection itself.
|Cause||The issue is caused when a certificate contains a blank subject name.|
Although the Subject name is dictated by SSL/TLS rules, Security Analytics does in fact require that a Subject Name be used.
|Resolution||Use a subject line in all certs that are created for use with Security Analytics. |
To remove a cert that does not contain a subject line, follow the workaround section.
Regenerate the certificate with a subject line, then add it to Security Analytics again.
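A pre-flight check for the blank-subject condition described under Cause and Resolution, as an added example that is not RSA's code: it walks the certificate's DER structure and reports whether the subject Name is empty before the certificate is added to Security Analytics. The function names are hypothetical, and the two sample certificates are constructed, unsigned skeletons built inline so the check runs offline; in practice, pass the text of the PEM file you intend to upload.

```python
import base64

def pem_to_der(pem):
    """Strip the PEM armor lines and base64-decode the body."""
    body = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_is_blank(pem):
    """True when the certificate's subject Name is an empty SEQUENCE."""
    der = pem_to_der(pem)
    _, pos, _ = read_tlv(der, 0)          # Certificate
    _, pos, _ = read_tlv(der, pos)        # TBSCertificate
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                       # optional [0] EXPLICIT version
        pos = end
    for _field in range(4):               # serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(der, pos)
    tag, start, end = read_tlv(der, pos)  # subject
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE where the subject Name should be")
    return start == end

def _der(tag, body=b""):
    """Encode one DER element (short-form length, enough for the sample)."""
    return bytes([tag, len(body)]) + body

def sample_pem(cn=None):
    """Constructed, unsigned certificate skeleton; cn=None gives a blank subject."""
    def name(value):
        attr = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, value.encode()))
        return _der(0x30, _der(0x31, attr))
    subject = name(cn) if cn else _der(0x30)
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30) + name("ca") + _der(0x30) + subject)
    der = _der(0x30, tbs + _der(0x30) + _der(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for label, pem in (("blank", sample_pem()), ("win2008", sample_pem("win2008"))):
        print(label, "REJECT: blank subject" if subject_is_blank(pem) else "ok")
```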
|Workaround||To revert the certificate that does not contain a subject line, delete the failed certificate from the log collector:|
Note: The <trusted store name> is the trust store name specified when the certificate was added. If you are not sure about the name, check the filename of the PEM file under /etc/netwitness/ng/truststore/ on the Log Collector.
To find the actual certificate stored on the LC, run cat /etc/netwitness/ng/logcollector/runtime/certificatemap:
"name": "win2008"
Here, win2008 is exactly the name you must put into the box as the name parameter.
Ex. "op=delete name=win2008" (without quotes)
In the response box a message that the certificate has been deleted will appear.
stop jettysrv && start jettysrv