Licensing: Troubleshoot

Document created by RSA Information Design and Development on Mar 22, 2017. Last modified by RSA Information Design and Development on Apr 5, 2017.
Version 3
  

This topic provides information about possible issues that Security Analytics users may encounter when setting up licensing in Security Analytics. Look for explanations and solutions in this topic. Security Analytics notifies users of issues using the popup notifications and the system log as described in the Troubleshoot Security Analytics topic in the System Maintenance Guide.

Simple Error Notification about a Problem with a License

If there is a problem with the license you are attempting to install, Security Analytics provides feedback in the form of a simple error notification and a log entry.

Common Log and Configuration Files

When troubleshooting licensing, the following files contain information that may help to diagnose the problem. Specific conditions for searching the files are described in the troubleshooting tables.

On the Security Analytics Server

Security Analytics Server Problems

This table lists possible Security Analytics server problems that can affect entitlements.

                                        
Problem | Possible Causes | Solutions

The Security Analytics server displays the Out-of-Compliance banner message that states, “Your trial license has internal errors. Please contact RSA customer support for help.”

Ensure that the TokuMX service is running on your Security Analytics appliance.

To resolve the error:

  1. Execute the command service tokumx status from the Security Analytics appliance console.
  2. If the problem persists, please contact RSA customer support for help.

Some features have been mapped in the central Flexera server, but the Security Analytics server doesn’t display them.

Ensure that the Security Analytics server is connected to the internet.

To resolve the error:

  1. Execute a License Refresh as follows:
  2. In Security Analytics, navigate to Administration > Services > Licensing.
  3. Under the Licensing Actions menu, select Refresh Licenses.

Note: If the Security Analytics server is not connected to the internet, try to do an Offline Synchronization.

When you remove a service from Security Analytics, your trial license for that service is also removed.

Various possible causes.

To resolve the error:

Add the service again. Your service will continue to function fully even if a message informs you that the service is in a Not Licensed state.

The Security Analytics server displays the following message when I try to activate a license: "Cannot license this service explicitly."

Services running on Security Analytics Version 10.6 do not require that licenses be activated manually.

To resolve the error:

  1. Execute a License Refresh as follows:
  2. In Security Analytics, navigate to Administration > Services > Licensing.
  3. Under the Licensing Actions menu, select Refresh Licenses.

A few Version 10.6 services are not getting licensed.
 

Ensure that you have the required entitlements pulled down from the Flexera server.

To resolve the error:

  1. Execute a License Refresh as follows:
  2. In Security Analytics, navigate to Administration > Services > Licensing.
  3. Under the Licensing Actions menu, select Refresh Licenses.

License Usage Stats Issues

                            
Problem | Possible Causes | Solutions

Security Analytics Licensing page not showing any license information although there are services available.

TokuMX server is down or not responding.

  • Check the status of the tokumx server:
    /etc/init.d/tokumx status
  • Start the server if it is down:
    service tokumx start

Actual usage of service is showing no value, not even 0 MB is being displayed.

Rabbitmq-server on Security Analytics appliance is not running or is not responding.

  • Check the status of rabbitmq-server and start if it is down:
    /etc/init.d/rabbitmq-server status
    /etc/init.d/rabbitmq-server start

Actual usage of service is always showing 0 MB usage, even though the service/appliance (for example, LogDecoder or Decoder) is processing data.

Rabbitmq-server or collectd service on appliance (for example, LogDecoder or Decoder appliance) is not running or not responding.

  • Check the status of rabbitmq-server or collectd services:
    /etc/init.d/rabbitmq-server status
    /etc/init.d/collectd status
  • Start the services if not responding or down:
    /etc/init.d/rabbitmq-server start
    /etc/init.d/collectd start

Download Central (DLC) Issues

                                
Problem | Possible Causes

Customer unable to refresh licenses from subscribernet. Also unable to download an offline response from DLC.

Various possible causes.

Solution

Contact Customer Support for assistance in installing licenses.

Customer unable to log in to Download Central.

Various possible causes.

Solution

Contact Customer Support for Offline Capability Response file to re-apply license in Security Analytics server. Also reset all licenses from all services.

Licenses were not mapped in DLC.

Various possible causes.

Solution

License reset from User Interface resolved the mapping issue.

Wrong License/License Mapping Issues

                                                              
Problem | Possible Causes

Perpetual license appears to be in use, although there is no Service-based license.

The Security Analytics entitlement database contains an object that holds the entitlement for a service that is licensed to the Security Analytics server.

Solution

  1. From the Security Analytics menu, select Administration > System > Licensing > Overview.
  2. SSH into the Security Analytics server as root.
  3. Connect to the entitlement database using the following command:
    mongo sa 
  4. Check the current entitlement status as follows:
    db.entitlement.find()
    From the output, note the ObjectId for the services that appear to use Trial licenses.

  5. Remove the ObjectId for the missing endpoint that appears in /var/lib/netwitness/uax/logs/sa.log.
    db.entitlement.remove( {_id: ObjectId("<ObjectId>") } )
    For example:
    db.entitlement.remove( { _id: ObjectId("5595c9a9f2806lac50735xxx") } )

  6. Repeat Step 5 for all missing ObjectIds, as well as the ones noted in Step 4.

  7. Type exit to close the database.

  8. From the Security Analytics User Interface, select the Licensing Actions menu and select Refresh Licenses.

  9. Once the Refresh process completes, confirm that the services are entitled with the Perpetual licenses.
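
The remove commands in Steps 5 and 6 delete entitlement documents outright, and a mistyped ObjectId is easy to miss. The following shell helper is an added example, not RSA code or part of the original procedure: it rejects any ID that is not 24 hexadecimal digits and writes a mongo shell script that prints each entitlement document before removing it. The function names and the sample IDs in the comments are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not RSA code): guard the db.entitlement.remove() step.
# Real ObjectIds come from db.entitlement.find() and sa.log; the IDs shown
# in comments here are constructed samples.

# is_object_id STRING
# Succeeds only when STRING is exactly 24 hexadecimal characters, the string
# form that the mongo shell's ObjectId() constructor accepts.
is_object_id() {
  [ "${#1}" -eq 24 ] || return 1
  case "$1" in
    *[!0-9a-fA-F]*) return 1 ;;
  esac
  return 0
}

# build_removal_js ID...
# Prints a mongo shell script that, for each ID, first prints the matching
# document (a record of what is about to be deleted) and then removes it.
# If any ID is malformed, nothing is printed and the function returns 1.
build_removal_js() {
  for id in "$@"; do
    if ! is_object_id "$id"; then
      echo "refusing: '$id' is not a 24-hex-digit ObjectId" >&2
      return 1
    fi
  done
  for id in "$@"; do
    printf 'printjson(db.entitlement.findOne({ _id: ObjectId("%s") }));\n' "$id"
    printf 'db.entitlement.remove({ _id: ObjectId("%s") });\n' "$id"
  done
}

# Typical use on the Security Analytics server (constructed sample ID):
#   build_removal_js 5595c9a9f28061ac50735abc > /root/entitlement-cleanup.js
#   mongo sa /root/entitlement-cleanup.js | tee /root/entitlement-removed.log
```

Review the generated file before running it; the tee output keeps a copy of every document that was removed.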

Decoder license not available due to core appliances being removed from the Security Analytics server without releasing the license. Several core appliance licenses were not available for use.

Various possible causes. 
 

Solution

Reset license on Security Analytics server and re-license each appliance.

Archiver DACs are not mapped to the license server with all other appliances' licenses. 

Various possible causes. 

 

Solution:

  1. Enter 1 in the Quantity field to add for each license.
  2. Select Map Add-ons at the bottom of the screen.
  3. Click on Download Capability Request and upload license to the Offline Capability Request in the User Interface under the License tab.

Two new appliances were installed: Log Hybrid and one Log Archiver. Able to license the Log Hybrid, but the following error occurred when attempting to license the Archiver:
"There is an issue with registering your product, please contact RSA Customer Support."
Also, one of the Concentrators showed as a Trial license, and a separate Log Decoder showed as a Trial license when they should be licensed.

After looking into Flexera, Customer Support found that the new equipment had not been mapped to the License Server.

Solution

Map add-ons to DLC and upload the .bin file into the Security Analytics User Interface.

Mapping to License Server ID was not created. 

Various possible causes.

Solution

Licenses must be re-entitled and status of all appliances is displayed as licensed.

Customer unable to delete Trial licenses when Service-based licenses are in use.

Customer had two different Security Analytics servers for two different sites (CHN and NOI). Each site had separate mapped entitlements. The red compliance banner was seen on the NOI site, because some Concentrators were attached to the NOI Security Analytics server that was entitled by the CHN site.

The reason for the banner was that the NOI Security Analytics server did not have any more concentrator entitlements available for the CHN concentrators attached for investigation. The customer only has Trial licenses for 90 days from the date the NOI Security Analytics server and services were marked as out-of-compliance.
 

Note: When there is more than one Security Analytics server in use, Security Analytics Version 10.6 requires a separate license for each Security Analytics server. Also, if you move one or more appliances to a different location, check to make sure there is a valid license for each appliance. A red out-of-compliance banner is displayed if there is no valid license.

Solution

Customer was informed that their services will continue to function as required. The out-of-compliance banner can be dismissed by procuring additional entitlements to map onto the NOI Security Analytics server.

License missing after re-imaging.

Various possible causes.

Solution

Download license from DLC.

Start Date Issues

                   
Problem | Possible Causes

Start date displays as "Internal Error" under System page for services licensed using SIEM licenses.

Various possible causes.

Solution

Change to your old MAC address and restart your FNE server.
