000029282 - Manually adding RSA NetWitness Host to the trust model

Document created by RSA Customer Support Employee on Jun 21, 2017
Version 1

Article Content

Article Number: 000029282
Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
Platform: CentOS
O/S Version: EL6
Component Name: Puppet
Issue: The SA server fails to automatically discover a new host (e.g. an RMA'd appliance), even after the "Remove and Repurpose Host" feature in Administration \ Appliances (SA 10.4.X) or Administration \ Hosts (SA 10.5.X and later) has been used and KB #000035266 - How to Decomission a Host from the Puppet Trust Model has been performed.
10.4 Discover Feature - https://community.rsa.com/docs/DOC-1344
10.5 Discover - https://community.rsa.com/docs/DOC-56512
10.6.3 Discover - https://community.rsa.com/docs/DOC-74171
Tasks: This article provides the manual procedure for adding an appliance without using the RSA NetWitness/Security Analytics UI Discover feature.
Resolution
Note: It is often more productive to change the puppet node_id using KB #000034305 (https://community.rsa.com/docs/DOC-61938), reboot the appliance OS, and run 'service mcollective restart' on the SA server to allow Discover to occur.
1. Display the nodes. Run this on the NetWitness Head Unit Server, which hosts the puppet MongoDB.
To display a particular node's services, use the following syntax, which shows only the _id, node and classes fields:

> db.nodes.find({ "node":"<node_id>" },{ "classes":1, "node":1 })

Example output:
# mongo puppet
TokuMX mongo shell v1.4.2-mongodb-2.4.10
connecting to: puppet
> db.nodes.find({ "node":"b93bdb62-b0e4-4141-a03b-dac803da73a7" },{ "classes":1, "node":1 })
{ "_id" : ObjectId("58da3174a76fc4cb0a000000"), "node" : "b93bdb62-b0e4-4141-a03b-dac803da73a7", "classes" : { "concentrator" : "", "base" : "", "appliance" : "", "logcollector" : "", "logdecoder" : "" } }

2. On the new host you want to add, issue the command below.
# puppet agent -t

If this shows the message:
Exiting; no certificate found and waitforcert is disabled

On the host side, check for the Certificate Signing Request (CSR) PEM file:
ls /var/lib/puppet/ssl/certificate_requests/$(facter -p node_id).pem -l

On the puppetmaster side, check that it has received the CSR:
ls /var/lib/puppet/ssl/ca/requests -ltr

On the puppetmaster, sign the CSR:

puppet cert sign <node_id>

puppet cert sign b93bdb62-b0e4-4141-a03b-dac803da73a7

3. If Step 1 returned no node, run addNode.py on the puppetmaster.
Note: This tool expects puppet service to be running on the host you are adding:

/etc/puppet/scripts/addNode.py <new_node_id> <ip_address_of_node> /rsa/system

/etc/puppet/scripts/addNode.py b93bdb62-b0e4-4141-a03b-dac803da73a7 <ip_address_of_node> /rsa/system

4. If you have just run addNode.py, or did not see any services listed in classes in Step 1, run addService.py:

/etc/puppet/scripts/addService.py <new_node_id> appliance,base,<broker | malware-analysis | decoder | concentrator | logdecoder | logcollector | reporting-engine | malware-analysis-colo>

/etc/puppet/scripts/addService.py b93bdb62-b0e4-4141-a03b-dac803da73a7 concentrator,base,appliance,logdecoder

Note: All hosts typically have the 'base' modules and all physical appliances also have the 'appliance' module.
5. On the host, reboot the Operating System (OS). If you can't restart the OS, run 'puppet agent -t'.

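Stop services in upstart:

# Collect the nw*/rsa* upstart job names, skipping bad/disabled/old ones, in reverse order
declare -a services_to_stop=( $(find /etc/init \( -name "nw*" -o -name "rsa*" \) -type f -exec basename {} \; | sed 's/\.conf$//' | grep -v -E "(bad|disable|old)" | sort -r) )
# Stop each job directly (do not execute the output of 'stop' as a command)
for target in "${services_to_stop[@]}"; do stop "$target" 2>/dev/null; done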

Restart/Reboot OS:
shutdown -r now

6. Add Host to Administration \ Appliances (SA 10.4.X) or Administration \ Hosts (SA 10.5.X and later)
7. Add Services to Administration \ Services
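
Added example for step 2 (not part of the RSA article or its scripts): signing a CSR binds that key to the node_id in the Puppet trust model, so before running 'puppet cert sign' it is worth confirming that the request waiting on the puppetmaster is the one the new host generated. The function names csr_fingerprint and check_pending_csr are hypothetical helpers; the sketch assumes openssl and sha256sum are installed and that node_id is a lowercase UUID as in the example above.

```shell
# Added example: functions are hypothetical helpers, not RSA or Puppet tooling.
# Assumes openssl and sha256sum are installed on both machines.

# Print the SHA-256 fingerprint (AA:BB:... form) of a PEM CSR's DER encoding.
csr_fingerprint() {
    openssl req -in "$1" -noout 2>/dev/null || return 1   # must parse as a CSR
    openssl req -in "$1" -outform DER 2>/dev/null | sha256sum |
        cut -d' ' -f1 | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Succeed only if the CSR pending for a node is the one the host generated.
#   $1 node_id   $2 fingerprint computed on the host
#   $3 requests directory (defaults to the puppetmaster path used in step 2)
check_pending_csr() {
    local node_id="$1" expected_fp="$2"
    local req_dir="${3:-/var/lib/puppet/ssl/ca/requests}"
    local csr cn fp

    # Assumption: node_id is a lowercase UUID, as in this article's example.
    # Rejecting anything else also keeps "../" out of the path built below.
    case $node_id in *[!0-9a-f-]*) node_id='' ;; esac
    printf '%s\n' "$node_id" |
        grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' ||
        { echo "refusing: node_id is not a UUID" >&2; return 1; }

    csr="$req_dir/$node_id.pem"
    [ -f "$csr" ] || { echo "no pending CSR for $node_id" >&2; return 1; }

    # The subject CN must match the node_id the request is filed under.
    cn=$(openssl req -in "$csr" -noout -subject 2>/dev/null |
         sed -n 's|^subject=.*CN *= *\([^,/]*\).*$|\1|p')
    [ "$cn" = "$node_id" ] || { echo "CN mismatch: '$cn'" >&2; return 1; }

    # Fail closed on an empty or different fingerprint.
    fp=$(csr_fingerprint "$csr") || return 1
    [ -n "$expected_fp" ] && [ "$fp" = "$expected_fp" ] ||
        { echo "fingerprint mismatch: got $fp" >&2; return 1; }
    echo "CSR verified; safe to run: puppet cert sign $node_id"
}
```

On the new host, run csr_fingerprint against /var/lib/puppet/ssl/certificate_requests/$(facter -p node_id).pem and carry the value to the puppetmaster over a channel you trust, then pass it as the second argument to check_pending_csr.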