000029290 - Reports fail to complete and returns "Invalid username or password" when running reports after changing a service password in RSA NetWitness Platform

Document created by RSA Customer Support Employee on Jun 15, 2016Last modified by RSA Customer Support on Aug 27, 2019
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000029290
Applies ToRSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Reporting Engine, Concentrator, Broker
RSA Version/Condition: 10.x, 11.x
Platform: CentOS
O/S Version: EL6, EL7
 
IssueAfter changing the admin password on any Security Analytics or NetWitness service used as a data source for the Reporting Engine (broker or concentrator), reports fail to complete and instead throw an error similar to the example below in /var/netwitness/re-server/rsa/soc/reporting-engine/logs/reporting-engine.log (NetWitness 11.x) or /home/rsasoc/rsa/soc/reporting-engine/logs/reporting-engine.log (SA 10.x).

Error occurred while fetching data from source 'mybroker[10.20.30.40]'. Error details : 10.20.30.40:56003 received error: Invalid username or password.

/var/log/messages on the source service show an error like below.


Aug 19 23:19:01 mybroker NwBroker[1288]: [Login] [audit] Failed login attempt for user 'admin' from 10.20.30.10:45974, invalid password


 
CauseThe Reporting Engine validates the reporting source by requiring a username and password. This is by design and for security purposes.

This username/password combination is referenced every time a report is run against a specific reporting source. If the password for the device has changed, the reporting source must be removed and re-added, as there is no way to edit the reporting device source after it has been added.
ResolutionTo remove and re-add the data sources in the Reporting Engine, follow the steps below.
  1. In the NetWitness UI, navigate to ADMIN -> Services and for the Security Analytics UI, navigate to Administration -> Services.
  2. Click on the Action icon for the Reporting Engine and select View -> Config.
  3. Click on the Sources tab.
  4. Select the device that is reporting the error and click on the minus (-) sign to remove it.
  5. Click on the add (+) sign and select the device that was just removed.
  6. When prompted, enter the new username and password combination for the device.
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.

Attachments

    Outcomes