|Applies To||RSA Product Set: NetWitness Logs & Packets, Security Analytics|
RSA Product/Service Type: Log Collector, User Interface, Identity Feed
RSA Version/Condition: 10.6.x
O/S Version: EL6
|Issue||When setting up identity feed with Log Collector using HTTPS and using the hostname or IP address of the Log Collector service, the identity feed is not working due to a certificate validation failure.|
The error message below is found in the /var/lib/netwitness/uax/logs/sa.log file.
javax.net.ssl.SSLException: hostname in certificate didn't match: <hostname> != <puppet_node_id>
|Resolution||This issue is currently being investigated by the Engineering team in order to evaluate ways to make this easier in a future releases.|
|Workaround||There are currently two approaches to work around this:|
Perform the following steps for the second approach above:
- Import log collector cert as documented in the Product Documentation
- Change the URL of Log Collector to use the node_id and add static mapping of node_id to IP in /etc/hosts of SA server (as shown below)
- Connect to the Security Analytics server appliance via SSH as the root user.
- Navigate to /etc/hosts/ and map the node_id of the host to the appliance IP address.
- In the RSA Security Analytics UI, select Live > Feeds.
- In the Feeds view, click Add.
- In the Setup Feed dialog, select Identity Feed and click Next.
- In the Define Feed tab, select Recurring.
- In the URL field, enter the node_id of the host as the hostname.
For example, use <node_id> of 1n702df2-5891-4e9g-9323-4f492a8556fd instead of <ip_address> 10.11.12.13.
- In the Select Services form, select the Services on which feed is to be deployed and click Next.
- In the Review form, review feed information and if correct, click Finish.
|Notes||Normal instructions for setting up Identity Feed can be found in the product documentation.|