000034401 - How to handle a component that fails to authenticate (handshake failure) after install in RSA Web Threat Detection 6.0

Document created by RSA Customer Support Employee on Mar 30, 2017
Version 1

Article Content

Article Number: 000034401
Applies To:
RSA Product Set: Web Threat Detection
RSA Product/Service Type: Forensics
RSA Version/Condition: 6.0
Platform: Linux
 
Issue: TLS handshake failures appear in syslog and affect the component named in the log entries.
Actual customer case: after the 6.0 installation, Silverplex fails authentication. Here is an example of a handshake error on the Silverplex component:
Oct 27 15:59:23 slcst21a silverplex[81959]: [info] back [T11 st::tls::Server::MasterRunnable] [tls server 1] Accepted connection from 10.73.101.208:41799
Oct 27 15:59:23 slcst21a silverplex[81959]: [info] back [T6 st::task::QueueRunner] [st::tls::ServerHandshaker] [handshaker 1.6] [session 29309] TLS handshake on 8
Oct 27 15:59:23 slcst21a silverplex[81959]: [error] back [T6 st::task::QueueRunner] [st::tls::ServerHandshaker] [handshaker 1.6] [session 29309] TLS handshake error: Decryption has failed.
Oct 27 15:59:23 slcst21a silverplex[81959]: [info] back [T6 st::task::QueueRunner] [st::tls::ServerHandshaker] [handshaker 1.6] [session 29309] Closing TLS session on 8
Oct 27 15:59:26 slcst21a rsyslogd-2177: imuxsock lost 143243 messages from pid 81641 due to rate-limiting

 
Tasks: The FRI CS Engineer should arrange a Webex session with the customer to look at Varz (to see which components are showing failures) and the syslogs.

 
Resolution: TLS handshake issues usually mean a problem with the SSL cert keys. The investigation may go in different directions; here are the important points:
  • Most processes use the SilverTail cert and key for different things: passwords, shard encryption, interprocess communication. It may be best to restart all the services. Note: Scout is used for interbox processes, so make sure this component is restarted first.
  • Get an understanding of the customer's system architecture: which components are located on each server.
  • Review /var/log/messages to check for TLS handshake errors and identify the components that are having these errors.
  • Use the md5sum command to make sure the cert and key are the same on the servers that have failing components.
  • Use Varz to see which components are connecting and passing messages and which are not.
Note: With this type of issue, especially if this is a new installation, there may be layers of issues. For example, when a certificate is properly replaced, a permissions issue may be revealed.
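
The log review and md5sum comparison from the list above, as an added shell example (not RSA tooling): it counts TLS handshake errors per host and component in syslog and reports files whose digests differ between servers. The host names, the sample log lines and the CERT/KEY variables are constructed placeholders, since the page does not give the certificate paths.

```shell
#!/bin/sh
# Added example, not RSA tooling. Host names and log lines below are constructed.

# Constructed syslog sample in the layout of the excerpt above:
# "Mon DD HH:MM:SS host component[pid]: message"
sample_log() {
cat <<'EOF'
Oct 27 15:59:23 host-a silverplex[81959]: [error] back [handshaker 1.6] [session 1] TLS handshake error: Decryption has failed.
Oct 27 15:59:23 host-a silverplex[81959]: [info] back [handshaker 1.6] [session 1] Closing TLS session on 8
Oct 27 15:59:25 host-a silverplex[81959]: [error] back [handshaker 1.7] [session 2] TLS handshake error: Decryption has failed.
Oct 27 15:59:26 host-b scout[4242]: [error] back [handshaker 1.1] [session 3] TLS handshake error: Decryption has failed.
EOF
}

# Print "host component count" for every component logging TLS handshake errors.
# Reads the named files, or stdin when none are given. Counts are a lower bound
# if rsyslog rate-limiting dropped messages (see the imuxsock line above).
tls_failures_by_component() {
    awk '/TLS handshake error/ {
             comp = $5
             sub(/\[[0-9]+\]:$/, "", comp)      # strip the "[pid]:" suffix
             count[$4 " " comp]++
         }
         END { for (k in count) print k, count[k] }' "$@" | sort
}

# Arguments: one file per server holding that server's md5sum output, e.g.
#   md5sum "$CERT" "$KEY" > "$(hostname).md5"   # CERT and KEY are placeholders
# Assumes the cert and key sit at the same path on every server.
# Prints each path whose digest is not identical on all servers and returns 1
# if there is any; returns 0 when every server agrees.
mismatched_files() {
    diff_paths=$(cat "$@" | sort -u | awk '{ print $2 }' | sort | uniq -d)
    [ -z "$diff_paths" ] && return 0
    printf '%s\n' "$diff_paths"
    return 1
}

# Stand-alone demo on the constructed sample.
sample_log | tls_failures_by_component
```

On a real system, pass /var/log/messages to tls_failures_by_component and the collected per-server .md5 files to mismatched_files.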
 
Notes: Note to communicate to customers: "If this installation was performed by Professional Services and their engagement has not yet ended, please get in touch with the PS Engineer on the implementation project to resolve these issues."
