000030713 - 'Entitle Service' fails with "<service_name> has already been licensed" although the service appears to be unlicensed in RSA Security Analytics 10.3.x and 10.4.x.

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000030713
Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: Log Decoder, Packet Decoder, Concentrator, Broker, Archiver, Security Analytics UI
RSA Version/Condition: 10.3.x, 10.4.x
Platform: CentOS
O/S Version: EL5, EL6
Issue: A service appears as unlicensed in the RSA Security Analytics 10.3.x or 10.4.x UI.
An Entitle Service attempt fails with "<service_name> has already been licensed".
Upload Trial fails with "Applying trial license failed".
Opening the System, Stats, Config, Explore, Logs or Security page for an affected service returns "Service <ip_address> host <service_name> is unreachable".
The /var/log/messages file of the Security Analytics server reports the following error when the above error messages are displayed:
Jul  6 23:58:50 decoder nw[1753]: [Login] [audit] Failed login attempt for nonexistent user 'xxx' from [::ffff:<sa_server_ip_address>]:43676

This issue is seen on Security Analytics 10.3.x core services that are managed by a 10.3.x or 10.4.x Security Analytics server.
 
Cause: The issue occurs when a user logs on to the Security Analytics UI with a system user account (e.g. a custom administrator account such as saadmin) that does not exist under the affected 10.3.x services.
As described in the RSA Security Analytics 10.3 User Guide, all other users (other than the default admin account) of Security Analytics must have a system user account and a device user account. If a non-admin user needs to access a particular device through Security Analytics, the credentials used to authenticate with Security Analytics (for both external and local users) must match the credentials used to authenticate against the device.
If the corresponding device user account has not been created first, the logged-on user cannot log in to the service and encounters the errors described above.
 
Resolution: The issue can be resolved by following one of the two options below.
  • Add a new device user whose username matches the system user account to all of the affected services. Refer to the RSA Security Analytics 10.3 User Guide for detailed instructions.
  • Log in to the Security Analytics UI using the default admin account to entitle the services. If a custom administrator account will be used to manage the Security Analytics environment, it is strongly recommended to apply the first option.
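Added example (not part of the original RSA article and not RSA tooling): one way to find which services are missing the device user account is to parse the audit line quoted above and group failures by service host and username, keeping failures that originate from the Security Analytics server apart from those coming from any other address. The function names, host names, usernames and IP addresses below are constructed for illustration, and the parser assumes log lines in exactly the format shown in this article.

```python
import ipaddress
import re
from collections import Counter

# Matches the audit line format quoted in this article.
AUDIT_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\s\w+\[\d+\]:\s\[Login\]\s\[audit\]\s"
    r"Failed login attempt for nonexistent user '(?P<user>[^']*)' "
    r"from \[(?P<addr>[^\]]+)\]:\d+"
)


def normalize(addr):
    """Return an IP object, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    return getattr(ip, "ipv4_mapped", None) or ip


def classify_failed_logins(lines, sa_server_ip):
    """Split 'nonexistent user' failures by origin.

    Returns (from_sa, other): from_sa counts (host, user) pairs that need a
    matching device user; other counts (host, user, source) from elsewhere.
    """
    sa_ip = normalize(sa_server_ip)
    from_sa, other = Counter(), Counter()
    for line in lines:
        m = AUDIT_RE.match(line)
        if not m:
            continue  # not an audit line in the expected format
        try:
            src = normalize(m.group("addr"))
        except ValueError:
            continue  # malformed source address
        if src == sa_ip:
            from_sa[(m.group("host"), m.group("user"))] += 1
        else:
            other[(m.group("host"), m.group("user"), str(src))] += 1
    return from_sa, other


# Constructed sample lines in the article's format (documentation IP ranges).
_FMT = ("Jul  6 23:58:50 {h} nw[1753]: [Login] [audit] Failed login attempt "
        "for nonexistent user '{u}' from [::ffff:{ip}]:43676")
SAMPLE = [
    _FMT.format(h="decoder", u="saadmin", ip="192.0.2.10"),
    _FMT.format(h="decoder", u="saadmin", ip="192.0.2.10"),
    _FMT.format(h="concentrator", u="saadmin", ip="192.0.2.10"),
    _FMT.format(h="decoder", u="guest", ip="198.51.100.7"),
    "Jul  7 00:00:02 decoder sshd[900]: Accepted publickey for root from 192.0.2.10",
]
```

Each (host, user) pair in the first result is a service that needs the device user described in the first resolution option; entries in the second result did not come from the Security Analytics server and are not explained by this article's cause.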
