Archer Integ: Troubleshoot RSA Archer Integration

Document created by RSA Information Design and Development on Oct 18, 2017. Last modified by Deepak Morey on Apr 17, 2019.
Version 4
  

This section provides resolutions to common problems that you may encounter while configuring Archer SecOps 1.2 or Archer SecOps 1.3 with Security Analytics Incident Management. 

Setting the CA Truststore

Problem: After adding the endpoint for Security Analytics Incident Management, the CA truststore fails to set.

Resolution: 

  1. Ensure that the SSH credentials for the Security Analytics host are valid.
  2. If the credentials are correct but the error persists, copy the certificates manually as described in the next two sections.

Manually Copy Enterprise Management Certificates

If certificates were not automatically copied, you can manually copy the certificates.

  1. Copy the certificate keystore-em.crt from the UCF machine, at <install_dir>\SA IM integration service\cert-tool\certs, to the Security Analytics server at /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.31-1.b13.el6_6.x86_64/jre/lib/security. (This path is specific to the JRE build on the appliance; if it does not exist, use the lib/security directory of the JRE that is actually installed.)
  2. Log on to the machine that has RSA Security Analytics installed.
  3. Go to the location where the SA truststore certificate was copied:
    cd /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.31-1.b13.el6_6.x86_64/jre/lib/security
  4. Run the following command. The -file value must be the name of the certificate file you copied in step 1; keytool prompts for the keystore password, which for the Java cacerts store defaults to changeit:
    keytool -import -alias ucfcert -keystore cacerts -file keystore-em.crt.der

Note:  If you copied the certificates because adding the Enterprise Management endpoint failed, you must add the endpoint again without automatically copying the certificates. See Configure Endpoints in RSA Unified Collector Framework in Configure Security Analytics to Work With Archer.
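
The import above hard-codes the JRE directory that shipped with the appliance, and that directory disappears after a Java update. The following is an added example (written for this page, not RSA's own tooling) that resolves the cacerts file of whatever java is on PATH by following its symlink chain, imports the certificate under the same alias, and lists the alias back so the import is verified rather than assumed. The JRE/JDK layout check, the default store password changeit and the STOREPASS override are assumptions; keytool is only invoked in the last function.

```shell
# Added example, not from the RSA page: locate the cacerts the running JRE
# actually uses, import the UCF certificate, and verify the alias exists.
set -u

# Given a java binary (possibly a symlink chain such as
# /usr/bin/java -> /etc/alternatives/java -> /usr/lib/jvm/.../jre/bin/java),
# print the directory that holds its cacerts. Handles both the JRE layout
# (<home>/lib/security) and the JDK layout (<home>/jre/lib/security).
java_security_dir() {
    real=$(readlink -f "$1") || return 1
    home=${real%/bin/java}
    [ "$home" != "$real" ] || return 1          # not a .../bin/java path
    if [ -f "$home/lib/security/cacerts" ]; then
        echo "$home/lib/security"
    elif [ -f "$home/jre/lib/security/cacerts" ]; then
        echo "$home/jre/lib/security"
    else
        return 1
    fi
}

# Import certificate file $2 under alias $1 into the cacerts of the java on
# PATH, then list the alias back. cacerts ships with the well-known default
# store password "changeit" (assumption: override with STOREPASS if changed).
import_ucf_cert() {
    alias=$1; cert=$2
    dir=$(java_security_dir "$(command -v java)") ||
        { echo "cannot locate cacerts for $(command -v java)" >&2; return 1; }
    keytool -importcert -noprompt -alias "$alias" -file "$cert" \
        -keystore "$dir/cacerts" -storepass "${STOREPASS:-changeit}" &&
    keytool -list -alias "$alias" \
        -keystore "$dir/cacerts" -storepass "${STOREPASS:-changeit}"
}

# Usage: sh import-ucf-cert.sh ucfcert /path/to/keystore-em.crt.der
if [ "$#" -eq 2 ]; then
    import_ucf_cert "$1" "$2"
fi
```

If keytool reports that the alias already exists, delete it first with keytool -delete -alias ucfcert before re-importing a regenerated certificate; the import does not overwrite an existing alias.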

Security Analytics Incident Management Certificates

If certificates are not automatically copied, you can manually copy the certificates.

  1. Copy the certificate keystore.crt.pem from the UCF machine at <install_dir>\SA IM integration service\cert-tool\certs to the Security Analytics server, into /tmp.
  2. Check whether the copied file has Windows (CRLF) line endings. In the following example, the file command reports them:
    # file rootcastore.crt.pem
    rootcastore.crt.pem: ASCII text, with CRLF line terminators
  3. If the output shows CRLF line terminators, open the file in vi:
    # vi rootcastore.crt.pem
  4. Convert the file from Windows to Unix format with the following vi commands:
    :%s/\r//g
    :set ff=unix
  5. Save the file and exit vi with :wq.
  6. Create a backup of ca.pem:
    cp /var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/certs/ca.pem.$(date +"%Y%m%d_%H%M")
  7. Append the certificate to ca.pem:
    cat /tmp/rootcastore.crt.pem >> /var/lib/puppet/ssl/certs/ca.pem
  8. Remove blank lines from the file:
    sed -ri '/^\s*$/d' /var/lib/puppet/ssl/certs/ca.pem
  9. Run puppet agent -t to propagate the certificates to truststore.pem.
  10. Check truststore.pem with cat /etc/rabbitmq/ssl/truststore.pem and confirm that the appended certificate block is present.
  11. Once the Puppet run completes, exit Connection Manager.
  12. Restart the RSA Unified Collector Framework service from services.msc.
  13. Run Connection Manager again to continue with the SA endpoints configuration.
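
Steps 2 to 8 are easy to get subtly wrong by hand: a stray carriage return or a missing trailing newline glues the new certificate to the previous one, and running the procedure twice appends the same CA twice. The following added example (written for this page, not RSA's own script) does the CRLF check and conversion, takes the timestamped backup, refuses to append a file that carries no PEM block or that is already in the bundle, and strips blank lines afterwards. The file paths are parameters; the PEM marker checks and the duplicate detection are my additions.

```shell
# Added example, not from the RSA page: steps 2 to 8 above as a script.
# Usage: sh append-ca.sh /tmp/rootcastore.crt.pem /var/lib/puppet/ssl/certs/ca.pem
set -u

# Exit 0 when the file still has Windows (CRLF) line endings.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Non-interactive equivalent of ":%s/\r//g", ":set ff=unix", ":wq" that also
# drops blank lines (the sed -ri '/^\s*$/d' of step 8).
normalize_pem() {
    tmp="$1.tmp.$$"
    tr -d '\r' < "$1" | sed '/^[[:space:]]*$/d' > "$tmp" && mv "$tmp" "$1"
}

# The file must carry at least one complete certificate block.
is_pem_cert() {
    grep -q '^-----BEGIN CERTIFICATE-----$' "$1" &&
    grep -q '^-----END CERTIFICATE-----$' "$1"
}

# Number of certificates in a PEM bundle (prints 0 if none).
cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Exit 0 if the normalized certificate text already appears in the bundle,
# so re-running the procedure does not add the same CA twice.
already_in_bundle() {
    awk 'NR == FNR { cert = cert $0 "\n"; next }
                   { bundle = bundle $0 "\n" }
         END       { exit (index(bundle, cert) ? 0 : 1) }' "$1" "$2"
}

# Append certificate $1 to bundle $2 after taking a timestamped backup.
# Returns 1 for a file without a PEM block, 2 if the certificate is already there.
append_to_bundle() {
    cert=$1; bundle=$2
    if has_crlf "$cert"; then
        echo "$cert: CRLF line terminators found, converting" >&2
    fi
    normalize_pem "$cert"
    is_pem_cert "$cert" || { echo "$cert: no PEM certificate block" >&2; return 1; }
    if already_in_bundle "$cert" "$bundle"; then
        echo "$cert: already present in $bundle, nothing appended" >&2
        return 2
    fi
    cp "$bundle" "$bundle.$(date +%Y%m%d_%H%M)"
    # make sure the bundle ends with a newline, or the BEGIN line would be
    # glued onto the previous END line
    [ -z "$(tail -c 1 "$bundle")" ] || echo >> "$bundle"
    cat "$cert" >> "$bundle"
    normalize_pem "$bundle"
    echo "$bundle now holds $(cert_count "$bundle") certificates"
}

if [ "$#" -eq 2 ]; then
    append_to_bundle "$1" "$2"
fi
```

After the script reports the new certificate count, continue with puppet agent -t as in step 9; the backup file sits next to ca.pem with the same timestamp suffix the manual step produces.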

Incidents in RSA Archer Security Operations Management Solution

Problem: Findings and Security Incidents do not appear in RSA Archer Security Operations Management solution.

Resolution: 

    1. Confirm that the clocks on your middleware system and the RSA Archer Platform are synchronized, with a difference of no more than one second.
    2. Verify that the endpoint is configured correctly.
    3. Confirm that the UCF is set to the appropriate mode:
      • For Findings, select to manage the incident workflow in RSA Security Analytics.
      • For Security Incidents, select to manage the incident workflow in RSA Archer Security Operations Management.
    4. SSH to the SA web server host and run the following command to verify that the RSA Archer incident queue (im.archer_incident_queue) has been created:

      curl -k -u guest:guest https://127.0.0.1:15671/api/queues/%2Frsa%2Fim%2Fintegration/im.archer_incident_queue --silent --stderr - | grep -o '"name"\:.*'

      Note: If the queue exists, the output reads as follows:

      "name":"im.archer_incident_queue","vhost":"/rsa/im/integration","durable":true,"auto_delete":false,"arguments":{},"node":"sa@localhost"}

    5. SSH to the SA web server host and run the following command to verify that the RSA Archer tickets queue (im.archer_tickets_queue) has been created:

      curl -k -u guest:guest https://127.0.0.1:15671/api/queues/%2Frsa%2Fim%2Fintegration/im.archer_tickets_queue --silent --stderr - | grep -o '"name"\:.*'

      Note: If the queue exists, the output reads as follows:

      "name":"im.archer_tickets_queue","vhost":"/rsa/im/integration","durable":true,"auto_delete":false,"arguments":{},"node":"sa@localhost"}

    6. SSH to the SA web server host and run the following command to check the number of messages in the incident queue:

      curl -k -u guest:guest https://127.0.0.1:15671/api/queues/%2Frsa%2Fim%2Fintegration/im.archer_incident_queue --silent --stderr - | grep -o '"messages"\:[0-9]*'

      Note: If the queue exists, the output reads as follows (the count varies): "messages":5

    7. Confirm that both queues are populated with messages from the UCF. A queue that exists but stays at 0 messages means the UCF is not publishing to it; a queue that does not exist means the Security Analytics Incident Management endpoint was never brought up successfully.
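
The three curl checks above are quickest to repeat as one script that reports the state of both queues. The following is an added example, not part of the RSA page: the URL, port, URL-encoded vhost and guest:guest credentials are the ones quoted above, while the field extraction with sed and the assumption that a queue which has not been declared comes back from the management API as a JSON document with an "error" key are mine.

```shell
# Added example, not from the RSA page: classify both Archer queues on the SA host.
set -u

RMQ_URL=${RMQ_URL:-https://127.0.0.1:15671}
RMQ_CRED=${RMQ_CRED:-guest:guest}
VHOST='%2Frsa%2Fim%2Fintegration'        # /rsa/im/integration, URL-encoded

# Fetch the JSON document for one queue (network call; the tests feed
# classify_queue constructed documents instead).
fetch_queue() {
    curl -k -u "$RMQ_CRED" --silent --show-error "$RMQ_URL/api/queues/$VHOST/$1"
}

# Pull a string or a numeric field out of a single-line JSON document on stdin.
json_str() { sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"; }
json_num() { sed -n "s/.*\"$1\":\([0-9][0-9]*\).*/\1/p"; }

# Report a queue's state from its JSON document and return:
#   0 = declared and holding messages, 1 = not declared (assumption: the API
#   answers with an "error" key), 2 = declared but empty, so the UCF is not
#   publishing, 3 = reply could not be parsed.
classify_queue() {
    json=$1
    case $json in
        *'"error"'*) echo "not declared: $json"; return 1 ;;
    esac
    name=$(printf '%s' "$json" | json_str name)
    msgs=$(printf '%s' "$json" | json_num messages)
    if [ -z "$name" ] || [ -z "$msgs" ]; then
        echo "unexpected reply: $json"; return 3
    fi
    if [ "$msgs" -eq 0 ]; then
        echo "$name: declared, 0 messages"; return 2
    fi
    echo "$name: declared, $msgs messages"
}

# Check both queues the Archer integration uses; non-zero if either is not ready.
check_archer_queues() {
    rc=0
    for q in im.archer_incident_queue im.archer_tickets_queue; do
        classify_queue "$(fetch_queue "$q")" || rc=1
    done
    return "$rc"
}

# Usage on the SA web server host: sh check-queues.sh
if [ "$#" -eq 0 ] && [ "${RUN_CHECK:-}" = 1 ]; then
    check_archer_queues
fi
```

Because the management API is queried on 127.0.0.1, the guest account works only from the SA host itself; run the script there over SSH rather than pointing RMQ_URL at the appliance from elsewhere.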

Remediation Tasks in RSA Archer Security Operations Management

Problem: Remediation Tasks being pushed to the Operations queue through the UCF are not appearing in RSA Archer Security Operations Management as Findings. 

Resolution:

  1. Open the Connection Manager:
    • Open a command prompt
    • Change directories to <install_dir>\SA IM integration service\data-collector.
    • Type: runConnectionManager.bat
  2. Enter 2 for Edit Endpoint.
  3. Enter 3 for Security Analytics Incident Management.
  4. Ensure the Target Queue is set to All or Operations.

Errors between RSA Security Analytics and RSA Unified Collector Framework

Problem: In the <install_dir>\SA IM integration service\logs\collector.log, there are SSL errors between RSA Security Analytics and RSA Unified Collector Framework.

Resolution:

    1. Verify that the SSL certificates are valid.

Note: Security Analytics Incident Management certificates are valid for two years.

    2. If the certificates have expired, regenerate them and copy the new certificates to the Security Analytics trust store.

To regenerate and copy the certificates, do the following:

  1. In Command Prompt, go to <install_dir>\SA IM integration service\data-collector.
  2. Type: runConnectionManager.bat
  3. Enter the number for Regenerate Security Analytics Incident Management Integration Service Certificate.
  4. For the Security Analytics Incident Management endpoint in Connection Manager, enter the number for Edit Endpoint.
  5. Enter Yes to copy the certificates automatically to the Security Analytics trust store.

Note: If certificates fail to copy, manually copy the certificates.

 
