000035771 - Recurring Identity feed is not working when using the hostname or IP address of the Log Collector service in RSA Security Analytics

Document created by RSA Customer Support Employee on Dec 9, 2017
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000035771
Applies ToRSA Product Set: NetWitness Logs & Packets, Security Analytics
RSA Product/Service Type: Log Collector, User Interface, Identity Feed
RSA Version/Condition: 10.6.x
Platform: CentOS
O/S Version: EL6
IssueWhen setting up identity feed with Log Collector using HTTPS and using the hostname or IP address of the Log Collector service, the identity feed is not working due to a certificate validation failure.
The error message below is found in the /var/lib/netwitness/uax/logs/sa.log file.

javax.net.ssl.SSLException: hostname in certificate didn't match: <hostname> != <puppet_node_id>
ResolutionThis issue is currently being investigated by the Engineering team in order to evaluate ways to make this easier in a future releases.
WorkaroundThere are currently two approaches to work around this:
  • Import log collector cert as documented in the Product Documentation
  • Change the URL of Log Collector to use the node_id and add static mapping of node_id to IP in /etc/hosts of SA server (as shown below)
Perform the following steps for the second approach above:
  1. Connect to the Security Analytics server appliance via SSH as the root user.
  2. Navigate to /etc/hosts/ and map the node_id of the host to the appliance IP address.
  3. In the RSA Security Analytics UI, select Live > Feeds.
  4. In the Feeds view, click Add.
  5. In the Setup Feed dialog, select Identity Feed and click Next.
  6. In the Define Feed tab, select Recurring.
  7. In the URL field, enter the node_id of the host as the hostname.

    For example, use <node_id> of 1n702df2-5891-4e9g-9323-4f492a8556fd instead of <ip_address> 10.11.12.13.


  8. In the Select Services form, select the Services on which feed is to be deployed and click Next.
  9. In the Review form, review feed information and if correct, click Finish.
NotesNormal instructions for setting up Identity Feed can be found in the product documentation.

Attachments

    Outcomes