000034906 - RSA NetWitness Endpoint 4.1.x LIVE Kernel Download failed

Document created by RSA Customer Support Employee on Mar 23, 2017
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000034906
Applies ToRSA Product Set: RSA NetWitness Endpoint (ECAT)
RSA Version/Condition: 4.1.x
Platform: Windows
IssueRSA NetWitness Endpoint 4.1.x  fails to download the KernelData.csv file, showing the error LIVE Kernel Download failed.
The ECAT ServerOutput program shows the error,
User-added image

The ConsoleServer-Error.log log file (default directory c:\ECAT\Server) shows the error like,

3/2/2017 10:32:04 AM
[9] System.ComponentModel.WarningException:
 LIVE Kernel Download failed.
[9] System.ComponentModel.WarningException:
 The underlying connection was closed: An unexpected error occurred on a send.
 at System.Net.HttpWebRequest.GetResponse()
 at EConsole.Server.LiveClient.DownloadFile(String host, UInt16 port, String username, String password, String fileName)
 at EConsole.Server.LiveClient.DownloadKernel(Xᝐ ImportKernelUpdateRequest, String& reason)
[9] System.ComponentModel.WarningException:
 Authentication failed because the remote party has closed the transport stream.
 at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
 at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
 at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
 at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
 at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
 at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
 at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
 at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
 at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
 at System.Net.ConnectStream.WriteHeaders(Boolean async)
3/2/2017 10:36:42 AM
[121] System.Net.WebException:
 The request was aborted: Could not create SSL/TLS secure channel.
 at System.Net.HttpWebRequest.GetResponse()
 at a.a.Xᝨ.ᜀ(String A_0, String A_1, UInt16 A_2, NetworkCredential A_3)
 at EConsole.Server.LiveClient.DownloadAndProcessAllResources()


Running the ConsoleServerSync.exe program from another PC with internet access also fails.
User-added image

CauseAs of February 2017, the RSA website (liveecat.rsa.com) where the KernelData.csv file resides has had its security updated to not allow SSL TLS 1.0 connections.
The ECAT 4.1.x software is based on .NET 4.5, which attempts SSL TLS 1.0 connections, and so it can't connect to this website.
ResolutionIt is recommended to upgrade to ECAT 4.2.x and above, as it is based on .NET 4.6 which uses TLS 1.1/TLS 1.2.
Reference: https://blogs.msdn.microsoft.com/dotnet/2016/08/02/announcing-net-framework-4-6-2/
WorkaroundIf upgrading ECAT to 4.2.x is not an immediate option, then the work-around is to add the following registry values:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SchUseStrongCrypto"=dword:00000001

Reference: https://technet.microsoft.com/en-us/library/mt791311(v=office.16).aspx
The registry change needs to be made to the ECAT 4.1.x Server, and to any PC/Server that will run the manual ECAT program, ConsoleServerSync.exe.
Restart the ECAT Server service after making the registry change.
NotesWARNING: Using the Windows Registry Editor incorrectly can cause serious system-wide problems that may require you to re-install software.  Please use this tool cautiously, and at your own risk.