000032630 - How to reset or restore the default password for Incident Management Service in RSA NetWitness Logs & Network

Document created by RSA Customer Support Employee on Jun 30, 2016
Last modified by RSA Customer Support on Apr 24, 2019
Version 3

Article Content

Article Number: 000032630

Applies To:
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Incident Management
RSA Version/Condition: 10.5.x, 10.6.x
Platform: CentOS
Platform (Other): MongoDB
O/S Version: 6

Issue:
The Incident Management password was changed and now the service will not start because of a mismatch in the password between service and database.
The default password is: im

Resolution:
The following steps will guide the user through the process for changing the Incident Management (IM) database account password if not known.
  1. SSH to the NetWitness Head Unit Server and stop the puppet agent and rsa-im services


# service puppet stop
Stopping puppet agent:                                     [  OK  ]
# service rsa-im stop
Stopping RSA Security Analytics Incident Management :: Server...
Waiting for RSA Security Analytics Incident Management :: Server to exit...
Stopped RSA Security Analytics Incident Management :: Server.


  2. SSH to the ESA host.
  3. Log onto the Mongo DB for Incident Management as the root user by issuing the command below, then remove the im user.


[root@ESA-Server /]# mongo im
TokuMX mongo shell v1.4.2-mongodb-2.4.10
connecting to: im
> db.removeUser('im')


  4. Now that the user has been removed, add it back with its default password of: im


> db.getSiblingDB('im').addUser( { user: "im", pwd: "im", roles: ["readWrite", "dbAdmin", "clusterAdmin"] } )


Example Output



> db.getSiblingDB('im').addUser( { user: "im", pwd: "im", roles: ["readWrite", "dbAdmin", "clusterAdmin"] } )
{
        "user" : "im",
        "pwd" : "0458201d5db7c425a30911f60933d6ff",
        "roles" : [
                "readWrite",
                "dbAdmin",
                "clusterAdmin"
        ],
        "_id" : ObjectId("5cb584c377697ab8d3fb90c5")
}


  5. Exit Mongo.


> exit


  6. SSH to the NetWitness Head Unit Server and restart the rsa-im and puppet services.


# service puppet start
Starting puppet agent:                                     [  OK  ]
# service rsa-im start
Starting RSA Security Analytics Incident Management :: Server...


  7. Log into the NetWitness UI and, in explore mode of the Incident Management Service, make sure that the password matches the one set in the database.

Administration => Services => <incident_management_service> => Actions => View > Explore => Service \ Configuration \ Database.
You can force the Password value in the right-hand pane to be: im

 



Notes:
If you can already see the im user, an alternative method is to use the changeUserPassword() method:

[root@ESA-Server /]# mongo im
TokuMX mongo shell v1.4.2-mongodb-2.4.10
connecting to: im
> db.system.users.find({})
{ "_id" : ObjectId("5cb584c377697ab8d3fb90c5"), "user" : "im", "pwd" : "0458201d5db7c425a30911f60933d6ff", "roles" : [  "readWrite",  "dbAdmin", "clusterAdmin" ] }
> db.changeUserPassword('im','im')
> exit
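
To confirm that the database and the service agree after the reset, the `pwd` value printed by `db.system.users.find({})` can be compared with the digest of the password entered under Service \ Configuration \ Database. The script below is an added example, not part of the RSA article: it assumes the MongoDB 2.4 (MONGODB-CR) storage format, in which `pwd` is the hex MD5 of `<user>:mongo:<password>`, and its function names and sample record are constructed for illustration.

```python
import hashlib
import json
import re

DEFAULT_PASSWORD = "im"  # default stated in the article


def mongodb_cr_digest(user: str, password: str) -> str:
    """Digest MongoDB 2.4 keeps in system.users: md5("<user>:mongo:<password>")."""
    return hashlib.md5(f"{user}:mongo:{password}".encode("utf-8")).hexdigest()


def parse_shell_doc(line: str) -> dict:
    """Turn one line of mongo shell output into a dict (ObjectId(...) becomes a string)."""
    return json.loads(re.sub(r'ObjectId\("([0-9a-f]{24})"\)', r'"\1"', line))


def check_account(doc: dict, configured_password: str) -> dict:
    """Compare the stored digest with the password configured in the IM service."""
    stored = doc["pwd"].lower()
    user = doc["user"]
    return {
        "user": user,
        # False reproduces the article's Issue: service and database disagree.
        "matches_service": stored == mongodb_cr_digest(user, configured_password),
        # True means the account still carries the default password.
        "is_default": stored == mongodb_cr_digest(user, DEFAULT_PASSWORD),
    }


def sample_line(user: str, password: str) -> str:
    """Constructed record in the layout printed by db.system.users.find({})."""
    return ('{ "_id" : ObjectId("0123456789abcdef01234567"), "user" : "%s", '
            '"pwd" : "%s", "roles" : [  "readWrite",  "dbAdmin", "clusterAdmin" ] }'
            % (user, mongodb_cr_digest(user, password)))


if __name__ == "__main__":
    # Constructed case: database reset to the default, service still holds another value.
    doc = parse_shell_doc(sample_line("im", DEFAULT_PASSWORD))
    print(check_account(doc, "Changed-Passw0rd"))
    # Constructed case: both sides set to the same value, as after step 7.
    print(check_account(doc, DEFAULT_PASSWORD))
```

A result with `is_default` set to True identifies an account that should be given a new password on both the database and the service side once the service is running again.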



 
