Article Content
Article Number | 000029282 |
Applies To | RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
Platform: CentOS
O/S Version: EL6
Component Name: Puppet |
Issue | The SA server fails to automatically discover a new host (e.g. an RMA'd appliance), even after the "Remove and Repurpose Host" feature in Administration \ Appliances (SA 10.4.X) or Administration \ Hosts (SA 10.5.X and later) has been used and KB #000035266 - How to Decommission a Host from the Puppet Trust Model has been performed.
10.4 Discover Feature - https://community.rsa.com/docs/DOC-1344
10.5 Discover - https://community.rsa.com/docs/DOC-56512
10.6.3 Discover - https://community.rsa.com/docs/DOC-74171 |
Tasks | This article provides the manual procedure for adding an appliance without using the RSA NetWitness/Security Analytics UI Discover feature. |
Resolution | Note: It is often more productive to change the puppet node_id using KB #000034305 - https://community.rsa.com/docs/DOC-61938, reboot the appliance OS, and run 'service mcollective restart' on the SA server to allow Discover to occur.

On the NetWitness Head Unit Server, which hosts the puppet MongoDB:

1. Display the nodes.
To display a particular node's services (syntax showing only the _id, node and classes fields):
> db.nodes.find({ "node":"<node_id>" },{ "classes":1, "node":1 })
Example output:
# mongo puppet

2. On the new host you want to add, issue the command below.
# puppet agent -t
If this shows the message:
Exiting; no certificate found and waitforcert is disabled
On the host side, check for the PEM file of the Certificate Signing Request (CSR):
ls /var/lib/puppet/ssl/certificate_requests/$(facter -p node_id).pem -l
On the puppetmaster side, check that it has received the CSR:
ls /var/lib/puppet/ssl/ca/requests -ltr
On the puppetmaster, sign the CSR:
puppet cert sign <node_id>
Example:
puppet cert sign b93bdb62-b0e4-4141-a03b-dac803da73a7

3. /etc/puppet/scripts/addNode.py <new_node_id> <ip_address_of_node> /rsa/system
Example:
/etc/puppet/scripts/addNode.py b93bdb62-b0e4-4141-a03b-dac803da73a7 172.16.1.5 /rsa/system

4. /etc/puppet/scripts/addService.py <new_node_id> appliance,base,<broker | malware-analysis | decoder | concentrator | logdecoder | logcollector | reporting-engine | malware-analysis-colo>
Example:
/etc/puppet/scripts/addService.py b93bdb62-b0e4-4141-a03b-dac803da73a7 concentrator,base,appliance,logdecoder
Note: All hosts typically have the 'base' modules, and all physical appliances also have the 'appliance' module.

5. On the host, reboot the Operating System (OS). If you can't restart the OS, run 'puppet agent -t'.
Stop services in upstart:
declare -a services_to_stop=( $(find /etc/init \( -name "nw*" -o -name "rsa*" \) -type f -exec basename {} \; | sed 's/\.conf$//' | grep -v -E "(bad|disable|old)" | sort -r) )
Restart/Reboot OS:
shutdown -r now

6. Add the host to Administration \ Appliances (SA 10.4.X) or Administration \ Hosts (SA 10.5.X and later).

7. Add services to Administration \ Services. |
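
Step 2 signs whatever request is pending under the node_id, so it is worth confirming that the request on the puppetmaster is the one the host generated. The helper below is an added example, not part of the RSA article: it compares the SHA-256 of the CSR on the host with the copy the puppetmaster received before 'puppet cert sign' is run. The function names are hypothetical, and it assumes that node_id is a UUID (as in the article's example) and that the master stores the request as <node_id>.pem.

```bash
#!/bin/bash
# Added example (not from the RSA article). Function names are hypothetical;
# the directories are the ones the article lists.
HOST_CSR_DIR=/var/lib/puppet/ssl/certificate_requests
MASTER_CSR_DIR=/var/lib/puppet/ssl/ca/requests

# Assumption: node_id is a lowercase UUID, as in the article's example.
# Rejecting anything else keeps "../" and shell metacharacters out of paths.
valid_node_id() {
    case "$1" in ''|*[!0-9a-f-]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Print the SHA-256 (hex) of the DER bytes inside a PEM-encoded CSR file.
# Returns 2 if the file is unreadable, 3 if no valid CSR body is found.
csr_sha256() {
    local body
    [ -r "$1" ] || return 2
    body=$(sed -n '/^-----BEGIN .*CERTIFICATE REQUEST-----/,/^-----END .*CERTIFICATE REQUEST-----/p' "$1" \
        | grep -v '^-----' | tr -d ' \r\n')
    [ -n "$body" ] || return 3
    printf '%s' "$body" | base64 -d >/dev/null 2>&1 || return 3
    printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# On the puppetmaster: succeed only when the pending request for node_id has
# the digest that was computed on the host itself.
# Assumption: the master stores the request as <node_id>.pem.
csr_ok_to_sign() {
    local node_id="$1" expected="$2" dir="${3:-$MASTER_CSR_DIR}" got
    valid_node_id "$node_id" || return 4
    got=$(csr_sha256 "$dir/$node_id.pem") || return $?
    [ "$got" = "$expected" ]
}

# Host:   csr_sha256 "$HOST_CSR_DIR/$(facter -p node_id).pem"
# Master: csr_ok_to_sign <node_id> <digest_from_host> && puppet cert sign <node_id>
```

Carry the digest from the host to the puppetmaster over a channel other than the one the CSR travelled on, such as the appliance console.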