|Applies To||RSA Product Set: Archer, Security Management, NetWitness|
RSA Product/Service Type: Security Operations Management (SecOps) & NetWitness 10.6.x
RSA Version/Condition: 1.2 and Newer
|Issue||RSA Security Analytics Incident Management (SAIM) endpoint between the Windows Host UCF and the RSA NetWitness Platform keeps going down intermittently. |
24 Oct 2016 00:12:46,501 | ERROR - SaimAmqpServiceJob.tryStartRabbitConnection(171) | Failed to start the SAIM Service Job with error: java.net.SocketException: Software caused connection abort: recv failed. Please verify if the rabbitmq service is running in the Security Analytics box. Will retry again later.
29 Oct 2016 00:03:45,942 | ERROR - TcpNioConnection.readPacket(489) | Exception on Read rsaconnection.example.com:36133:1515:d18bf8c0-ced0-450e-9b6c-e5fdafd55bbe An established connection was aborted by the software in your host machine
29 Oct 2016 00:03:45,942 | WARN - TcpConnectionSupport.doPublish(383) | No publisher available to publish TcpConnectionCloseEvent [source=org.springframework.integration.ip.tcp.connection.TcpNioSSLConnection@53498ed2], [factory=unknown, connectionId=rsaconnection.example.com:36133:1515:d18bf8c0-ced0-450e-9b6c-e5fdafd55bbe] **CLOSED**
29 Oct 2016 00:03:47,206 | WARN - SimpleMessageListenerContainer$AsyncMessageProcessingConsumer.logConsumerException(1208) | Consumer raised exception, processing can restart if the connection factory supports it
|Cause||UCF incorrectly appends its certificate to the "truststore.pem" certificate of RabbitMQ on the NetWitness head unit. It should be appending to "ca.pem" instead. Puppet Agent could push updates to the "truststore.pem" certificate for many reasons. Some examples include (but are not limited to):|
Note: The following KB corrects the guidance given in the RSA SecOps documentation (RSA Archer Security Operations Management Installation and Configuration Guide/RSA Archer Integration Guide), as that guidance will lead to issues.
The file referenced as keystore.crt.pem should have been rootcastore.crt.pem.
The real problem command is the one below, which will likely append a Windows text file to a Linux file and update the truststore.pem in the Puppet recipe used by all 10.6.x NetWitness hosts:
cat keystore.crt.pem >> /etc/puppet/modules/rabbitmq/files/truststore.pem
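A read-only check for the failure described above, as an added example (not RSA's code and not part of the original KB): it flags Windows CRLF line endings and fused or unbalanced BEGIN/END markers in a PEM bundle. The second check (a bundle with no trailing newline before a `cat >>` append) goes beyond what the KB states; the function names and sample bundles are constructed, and the bundle is assumed to hold only CERTIFICATE blocks.

```shell
#!/bin/sh
# Added example (not from the KB). Assumes the bundle holds only CERTIFICATE blocks.
# check_pem_bundle FILE: prints a one-line summary; returns 0 if clean, 1 if not.
check_pem_bundle() {
    awk '
        /\r$/ { crlf++ }                          # line saved with Windows CRLF
        { line = $0; sub(/\r$/, "", line) }
        line == "-----BEGIN CERTIFICATE-----" { if (in_cert) bad++; in_cert = 1; n_begin++; next }
        line == "-----END CERTIFICATE-----"   { if (!in_cert) bad++; in_cert = 0; n_end++; next }
        line ~ /-----(BEGIN|END) / { bad++ }      # fused marker or non-certificate block
        END {
            if (in_cert) bad++                    # last block never closed
            printf "certs=%d crlf_lines=%d bad_markers=%d\n", n_end, crlf, bad
            rc = (crlf > 0 || bad > 0 || n_begin == 0) ? 1 : 0
            exit rc
        }
    ' "$1"
}

# make_samples DIR: writes three constructed bundles (bodies are placeholders,
# not real certificates).
make_samples() {
    b='-----BEGIN CERTIFICATE-----'; e='-----END CERTIFICATE-----'
    printf '%s\n' "$b" 'Q09OU1RSVUNURUQ=' "$e" > "$1/good.pem"
    # Linux bundle followed by a certificate saved with Windows line endings.
    { cat "$1/good.pem"; printf '%s\r\n' "$b" 'U0FNUExF' "$e"; } > "$1/crlf.pem"
    # Bundle with no trailing newline: the appended BEGIN fuses with the last END.
    { printf '%s\n%s\n%s' "$b" 'Q09OU1RSVUNURUQ=' "$e"; cat "$1/good.pem"; } > "$1/fused.pem"
}

# Demo on the constructed samples.
d=$(mktemp -d) && make_samples "$d"
for f in good crlf fused; do
    printf '%s.pem: ' "$f"
    check_pem_bundle "$d/$f.pem" || echo "  -> bundle is malformed"
done
rm -rf "$d"
```

On a 10.6.x host the function can be pointed at /etc/puppet/modules/rabbitmq/files/truststore.pem; it only reads the file.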
|Workaround||If you are running NetWitness 11.x, refer to KB #000036450 - The command "orchestration-cli-client --update-admin-node" fails while trying to import certificates in RSA NetWitness Logs & Network|
For NetWitness 10.6.x follow the steps below to resolve the issue.