|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: Log Decoder, Packet Decoder, Concentrator, Broker, Archiver, Security Analytics UI
RSA Version/Condition: 10.3.x, 10.4.x
O/S Version: EL5, EL6
|Issue||A service appears as unlicensed in RSA Security Analytics 10.3.x or 10.4.x UI as shown in the screenshot below.|
Entitle Service attempt fails with <service_name> has already been licensed as shown below.
Upload Trial fails with Applying trial license failed as shown below.
It is noticed that opening the System, Stats, Config, Explore, Logs or Security page for the affected services return Service <ip_address> host <service_name> is unreachable as show in the below example.
The /var/log/messages of the Security Analytics server reports the following error when the above error messages are displayed.
Jul 6 23:58:50 decoder nw: [Login] [audit] Failed login attempt for nonexistent user 'xxx' from [::ffff:<sa_server_ip_address>]:43676
This issue is seen on Security Analytics 10.3.x core services that are managed by 10.3.x or 10.4.x Security Analytics server.
|Cause||The issue occurs when a user logs on to Security Analytics UI with a system user account (e.g. a custom administrator account such as saadmin) that does not exist under the affected 10.3.x services.|
As described in RSA Security Analytics 10.3 User Guide, all other users (other than the default admin account) of Security Analytics must have a system user account and a device user account. If a non-admin user needs to access a particular device through Security Analytics, the credentials used to authenticate with Security Analytics (for both external and local users) must match the credentials used to authenticate against the device.
Without creating the corresponding device user account first, the logged on user cannot log in to the service and encounter the mentioned errors.
|Resolution||The issue can be resolved by following one of the two options below.|