000035551 - Deploying Custom CA Certificates in RSA NetWitness 10.6.3

Document created by RSA Customer Support Employee on Oct 5, 2017
Version 1

Article Content

Article Number: 000035551
Applies To: RSA Product Set: NetWitness Logs and Packets
RSA Version: 10.6.3
Platform: CentOS
O/S Version: 6
Issue: When trying to install a custom server certificate in the user interface, the SA server stops working and no errors are shown in the sa.log file. If the certificate alias name contains special characters such as {} or [], the certificate isn't recognized. An example of a bad certificate alias name is {97gf642s-aa1q-3w9o-ubhp94kjd}.
Resolution: The following are the steps to upload a custom certificate.
1. Choose a certificate entry in the user interface and mark it as "Use as Server Certificate".
2. Internally, the SA Server will update the "common.yaml" file with the selected entry.
3. Run "puppet agent -t" on the SA Server; puppet will update "jetty-ssl.xml" with the selected entry. To double-check, verify the entry in the jetty-ssl.xml file.
4. Notice that if the alias selected in step 1 contains a curly brace, the alias name in "jetty-ssl.xml" doesn't have it, because puppet strips curly braces.
5. Due to the behavior in step 4, Jetty doesn't start on startup, because the keystore has an alias with curly braces while "jetty-ssl.xml" is wrongly updated with the alias stripped of the braces.
To get around the issue of not having the correct certificate alias, use a certificate whose alias doesn't contain special characters, since the puppet agent strips them. Users should only use alias names that contain characters, digits, underscores and hyphens.
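A pre-flight check for this workaround, as an added example (not RSA's code): it reads `keytool -list` output, flags aliases that contain anything other than letters, digits, underscores and hyphens, and shows the brace-stripped name that would no longer match the keystore. The function names, the sample listing and the English date format of the entry lines are assumptions; stripping is modeled for curly braces only, as the steps above describe.

```shell
#!/bin/sh
# Added example: flag keystore aliases that break server certificate selection.
LC_ALL=C; export LC_ALL   # byte-wise character ranges in the patterns below

# True when the alias has only letters, digits, underscores and hyphens.
alias_is_safe() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Model of the behaviour in step 4: curly braces are dropped from the alias.
strip_braces() { printf '%s' "$1" | tr -d '{}'; }

# Entry lines look like "<alias>, Oct 5, 2017, PrivateKeyEntry," (assumed format).
list_aliases() {
    sed -n 's/^\(.*\), [A-Z][a-z][a-z] [0-9]\{1,2\}, [0-9]\{4\}, [A-Za-z]*Entry,.*$/\1/p'
}

# One line per alias; for brace aliases also show the name after stripping.
report_aliases() {
    list_aliases | while IFS= read -r a; do
        if alias_is_safe "$a"; then
            printf 'OK %s\n' "$a"
        elif [ "$(strip_braces "$a")" != "$a" ]; then
            printf 'UNSAFE %s (would be written as %s)\n' "$a" "$(strip_braces "$a")"
        else
            printf 'UNSAFE %s\n' "$a"
        fi
    done
}

# Constructed sample of `keytool -list` output (not from a real system).
sample_keytool_output() {
    cat <<'EOF'
Your keystore contains 3 entries
{97gf642s-aa1q-3w9o-ubhp94kjd}, Oct 5, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): (constructed placeholder)
sa-server_2017, Oct 5, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): (constructed placeholder)
lab-ca[1], Oct 5, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): (constructed placeholder)
EOF
}

sample_keytool_output | report_aliases
```

To check a real keystore, pipe the output of `keytool -list -keystore <path-to-keystore>` into `report_aliases` before marking an entry as the server certificate.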
Notes: This issue was fixed in the 10.6.4 update.