000034305 - How to change the puppet node_id on RSA NetWitness Host

Document created by RSA Customer Support Employee on Nov 2, 2016Last modified by RSA Customer Support Employee on May 30, 2017
Version 5Show Document
  • View in full screen mode

Article Content

Article Number000034305
Applies ToRSA Product Set: NetWitness Logs and Packets, Security Analytics
RSA Product/Service Type: Appliances and Virtual Machines
RSA Version/Condition: 10.4.X, 10.5.X, 10.6.X
Component: Puppet Agent, Puppet Master
Platform: CentOS
O/S Version: 6
IssueOccasionally you need to change the puppet node_id which is used to uniquely identify a host in a NetWitness Logs or Packets Server.
This is a common activity if you are cloning a Virtual Log Collector (VLC) Virtual Machine (VM).
Warning: Caution needs to be exercised when performing this on a server which runs the puppet master service as this will likely require that the puppet trust be re-established on all hosts which are managed by the puppet master.
Hosts Affected:
  • NetWitness/SA Server (NetWitness/SA Broker headunit appliance or NetWitness/SA Server VM)
  • All-In-One for Packets (AIO-P) appliances; and
  • All-In-One for Logs (AIO-L) appliances
  1. Change the basic networking (hostname and IP, if necessary) and reboot operating system
  2. Generate a new puppet node_id
  3. Re-trust the service which is typically done in the NetWitness/SA UI (Administration \ Appliances in SA 10.4.X and Administration \ Hosts in SA 10.5.X and later)
Resolution1. Change the basic networking (hostname and IP, if necessary) and reboot operating system

  • If you are running SA 10.6.0 and the puppet trust model is established (i.e. this host appears when you run 'mco ping' on puppetermaster.local) then you can SSH to the SA Server and use /etc/puppet/scripts/sysSetRPC/changePuppetMaster.py - https://community.rsa.com/docs/DOC-43221 this will update the mongo asg db correctly.
    Warning: If changing IP of host then script will reboot OS, if changing IP of server hosting puppetmaster.local, all hosts with trusted services will have their OS rebooted.

  • Otherwise: Run the following script to change basic networking i.e. hostname and IP which will update /etc/hosts, /etc/sysconfig/network and /etc/sysconfig/network-scripts/ifcfg-e*

  • /usr/sbin/netconfig.sh

  • Edit the line containing HWADDR in either /etc/sysconfig/network-scripts/ifcfg-em1 or / ifcfg-eth0 to match the MAC address of the current interface as seen in the following command:

  • ifconfig em1| grep -o "HWaddr .*" | awk '{ print $2 }'

  • Note: If the command produces the following error message (which is common in the case of virtual machines),

  • em1: error fetching interface information: Device not found

  • Then the command should be:

  • ifconfig eth0 | grep -o "HWaddr .*" | awk '{ print $2 }'

  • Edit /etc/puppet/csr_attributes.yaml to update the fqdn and ipaddress values.
  • If you have changed the IP of server hosting puppetmaster.local (and not used changePuppetMaster.py), then the static hostname entry in /etc/hosts for puppetmaster.local may need to be updated.
  • (optional) For cloned VLCs remove the trustpeers for the Log Collector service to avoid issues in creating rabbitmq queues

  • find /etc/netwitness/ng/logcollector -type d -name trustpeers -exec rm -f {} \;

  • Reboot the operating system (using either `shutdown -r now` or simply `reboot`) to use the new networking values
2. Generate a new puppet node_id
mv /var/lib/puppet/node_id /var/log/node_id.old.`date +"%Y%m%d_%H%M"`


This should output new node_id to screen and saves this to /var/lib/puppet/node_id

Use the following command to check that new node_id was generated
cat /var/lib/puppet/node_id

If this was not successful (file either doesn't exist or is empty) you can run the following:
echo "$new_node_id" | tr -d '\r\n' > /var/lib/puppet/node_id

Run the following to make sure puppet.conf is updated correctly:
sed -ri "s/^certname = [a-z0-9\-]+/certname = $new_node_id/" /etc/puppet/puppet.conf

3. Re-trust the service
For the puppet agent run the following:
puppet agent -t --waitforcert 10

Wait until you see the message:
Notice: Did not receive certificate

Navigate to Administration \ Hosts and (if necessary use the Discover button) and Enable the new host.