Archer Integ: Troubleshoot RSA Archer Integration

Document created by RSA Information Design and Development on Jul 25, 2016
Version 1

This section provides resolutions to common problems that you may encounter while configuring Archer SecOps 1.2 or Archer SecOps 1.3 with Security Analytics Incident Management. 

Setting the CA Truststore

Problem: After adding the endpoint for Security Analytics Incident Management, the CA truststore fails to set.

Resolution: 

  1. Ensure that the SSH credentials for the Security Analytics host are valid.
  2. If the credentials are correct but the error still occurs, copy the certificates manually (see Manually Copy Enterprise Management Certificates below).

Manually Copy Enterprise Management Certificates

If certificates were not automatically copied, you can manually copy the certificates.

  1. Copy the certificate keystore-em.crt from the UCF machine at <install_dir>\SA IM integration service\cert-tool\certs to the Security Analytics server at /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.31-1.b13.el6_6.x86_64/jre/lib/security.
  2. Log on to the machine that has RSA Security Analytics installed.
  3. Go to the location where the SA truststore certificate is copied:
    cd /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.31-1.b13.el6_6.x86_64/jre/lib/security
  4. Run the following command:
    keytool -import -alias ucfcert -keystore cacerts -file keystore-em.crt.der

Note:  If you copied the certificates because adding the Enterprise Management endpoint failed, you must add the endpoint again without automatically copying the certificates. See Configure Endpoints in RSA Unified Collector Framework in Configure Security Analytics to Work With Archer.

Security Analytics Incident Management Certificates

If certificates are not automatically copied, you can manually copy the certificates.

  1. Copy the certificate keystore.crt.pem from the UCF machine at <install_dir>\SA IM integration service\cert-tool\certs to the Security Analytics server at /tmp.
  2. Log on to the machine that has RSA Security Analytics installed.
  3. Go to /tmp.
  4. To append the UCF certificate to the Security Analytics RabbitMQ truststore, enter the following:
    cat keystore.crt.pem >> /etc/puppet/modules/rabbitmq/files/truststore.pem
  5. Enter the following:
    puppet agent -t
  6. Once the agent completes, exit the Connection Manager.
  7. Restart the RSA Unified Collector Framework service from services.msc.
  8. Run Connection Manager again to continue with the SA endpoints configuration.

Incidents in RSA Archer Security Operations Management Solution

Problem: Findings and Security Incidents do not appear in RSA Archer Security Operations Management solution.

Resolution: 

  1. Confirm that the time on your middleware system and the RSA Archer Platform is synchronized, with a difference of no more than one second.
  2. Verify that the endpoint is configured correctly.
  3. Confirm that the UCF is set to the appropriate mode.
    • For Findings, you should select to manage the incident workflow in RSA Security Analytics.
    • For Security Incidents, you should select to manage the incident workflow in RSA Archer Security Operations Management.
  4. SSH to the SA web server host and enter the following command to verify that the RSA Archer incident queue (im.archer_incident_queue) is created:

    curl -k -u guest:guest https://127.0.0.1:15671/api/queues/%2Frsa%2Fim%2Fintegration/im.archer_incident_queue --silent --stderr - | grep -o '"name"\:.*'

    Note: If the queue is created, the output reads as follows:

    "name":"im.archer_incident_queue","vhost":"/rsa/im/integration","durable":true,"auto_delete":false,"arguments":{},"node":"sa@localhost"}

  5. SSH to the SA web server host and enter the following command to verify that the RSA Archer tickets queue (im.archer_tickets_queue) is created:

    curl -k -u guest:guest https://127.0.0.1:15671/api/queues/%2Frsa%2Fim%2Fintegration/im.archer_tickets_queue --silent --stderr - | grep -o '"name"\:.*'

    Note: If the queue is created, the output reads as follows:

    "name":"im.archer_tickets_queue","vhost":"/rsa/im/integration","durable":true,"auto_delete":false,"arguments":{},"node":"sa@localhost"}

  6. SSH to the SA web server host and enter the following command to check the number of messages in the incident queue:

    curl -k -u guest:guest https://127.0.0.1:15671/api/queues/%2Frsa%2Fim%2Fintegration/im.archer_incident_queue --silent --stderr - | grep -o '"messages"\:[0-9]*'

    Note: If the queue is created, the output reads as follows: "messages":5

  7. Confirm that the above queues are populated with messages from the UCF.
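The queue checks in steps 4 through 7 can be run as one script instead of three curl commands. This is an added example, not part of the RSA documentation; it assumes the same management URL, vhost, queue names and guest credentials the steps use, disables certificate verification exactly as curl -k does, and the two sample responses are constructed (not captured from a real system) so the parsing can be exercised offline.

```python
import base64
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Values taken from the troubleshooting steps above
API_BASE = "https://127.0.0.1:15671"
VHOST = "/rsa/im/integration"
QUEUES = ("im.archer_incident_queue", "im.archer_tickets_queue")

def queue_url(base, vhost, queue):
    """Build the management-API URL; every '/' in the vhost must be %2F-encoded."""
    return f"{base}/api/queues/{urllib.parse.quote(vhost, safe='')}/{queue}"

def fetch_queue(url, user="guest", password="guest"):
    """GET one queue object and return (http_status, body). The management port
    uses a self-signed certificate, so verification is disabled like curl -k."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # 404 means the queue does not exist
        return err.code, err.read().decode()

def parse_queue(status, body):
    """Reduce one response to the fields the checklist cares about."""
    if status == 404:
        return {"exists": False, "messages": 0}
    data = json.loads(body)
    return {"exists": True, "name": data["name"], "vhost": data["vhost"],
            "durable": data.get("durable"), "messages": data.get("messages", 0)}

def check_queues(fetch=fetch_queue):
    """Check both Archer queues; 'fetch' is injectable so the logic runs offline."""
    return {q: parse_queue(*fetch(queue_url(API_BASE, VHOST, q))) for q in QUEUES}

# Constructed sample responses (not captured from a real system) for offline use
SAMPLE_PRESENT = (200, '{"name":"im.archer_incident_queue","vhost":"/rsa/im/integration",'
                       '"durable":true,"auto_delete":false,"arguments":{},"node":"sa@localhost","messages":5}')
SAMPLE_MISSING = (404, '{"error":"Object Not Found","reason":"Not Found"}')

if __name__ == "__main__":
    for name, info in check_queues().items():
        print(name, f"{info['messages']} message(s)" if info["exists"] else "MISSING")
```

A queue reported as MISSING means the UCF endpoint has not declared it yet; a queue that exists but stays at 0 messages points at the UCF mode or endpoint configuration checked in steps 2 and 3.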

Remediation Tasks in RSA Archer Security Operations Management

Problem: Remediation Tasks being pushed to the Operations queue through the UCF are not appearing in RSA Archer Security Operations Management as Findings. 

Resolution:

  1. Open the Connection Manager:
    • Open a command prompt.
    • Change directories to <install_dir>\SA IM integration service\data-collector.
    • Type: runConnectionManager.bat
  2. Enter 2 for Edit Endpoint.
  3. Enter 3 for Security Analytics Incident Management.
  4. Ensure the Target Queue is set to All or Operations.

Errors between RSA Security Analytics and RSA Unified Collector Framework

Problem: In the <install_dir>\SA IM integration service\logs\collector.log, there are SSL errors between RSA Security Analytics and RSA Unified Collector Framework.

Resolution:

  1. Verify that the SSL certificates are valid.

    Note: Security Analytics Incident Management certificates are valid for two years.

  2. If your certificates have expired, regenerate them and copy the new certificates.

To regenerate and copy the certificates, do the following:

  1. In Command Prompt, go to <install_dir>\SA IM integration service\data-collector.
  2. Type: runConnectionManager.bat
  3. Enter the number for Regenerate Security Analytics Incident Management Integration Service Certificate.

  4. In the Security Analytics Incident Management endpoint in Connection Manager, enter the number for Edit Endpoint.

  5. Enter Yes to copy the certificates automatically to the Security Analytics trust store.

Note: If certificates fail to copy, manually copy the certificates.
