000036443 - How to migrate an existing core appliance to a new nw-node-zero in RSA NetWitness Logs & Network 11.x

Document created by RSA Customer Support Employee on Jul 7, 2018
Version 1

Article Content

Article Number: 000036443
Applies To:
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.x
Platform: CentOS 7
 
Issue

Moving a core appliance to a new nw-node-zero leaves stale certificates on the appliance, and its services will not come back online once it is installed under the new nw-node-zero. Errors similar to the examples below appear in the /var/log/messages file on the component host being migrated.


Jun 12 14:53:52 rdc-sec-phybrid1 NwDecoder[1238]: [Login] [audit] Failed login attempt for nonexistent user 'escalateduser' from 192.168.2.102:36800

Jun 12 22:36:58 rdc-sec-phybrid1 NwConcentrator[1218]: {"deviceVendor":"RSA","deviceProduct":"NetWitness","deviceService":"CONCENTRATOR","deviceVersion"...ailure"}
Jun 12 22:36:58 rdc-sec-phybrid1 NwConcentrator[1218]: [Login] [audit] Failed login attempt for nonexistent user 'escalateduser' from 192.168.2.102:39178

The errors above are due to stale certificates, truststores and/or trustpeers from the old nw-node-zero.

 
Resolution

Follow the steps below to move the component host from the OLD nw-node-zero to the NEW nw-node-zero.

From the component host to be migrated:



  1. Get the UUID of the host by running the command below.

    cat /etc/salt/minion


 
From the OLD or existing nw-node-zero:



  1. Remove the component host from the Hosts view in the RSA NetWitness UI.
  2. Remove the UUID of the component host by running the command below.

    orchestration-cli-client --remove-key <UUID>

 
From the NEW nw-node-zero:

  1. Issue the command below to show all keys on the RSA NetWitness Admin Server and note any denied, rejected or unaccepted keys.

    salt-key

  2. If necessary, issue the command below to remove and re-add any UUID identified in the previous step.

    orchestration-cli-client --remove-key <UUID>

 
From the component host:

  1. Verify that the /etc/netwitness/security-client/security-client-amqp.yml file contains the correct password (deploy_admin). If it does not, either correct it or remove the file before running nwsetup-tui.

    This file exists if nwsetup-tui was run multiple times on the host and it can be safely deleted after a successful re-provisioning of the host.


  2. Move the /etc/salt/pki/minion/minion_master.pub file to the /tmp directory.

    mv /etc/salt/pki/minion/minion_master.pub /tmp

  3. Restart salt-minion with the command below.

    systemctl restart salt-minion

  4. Move /etc/netwitness/platform to the /tmp directory.

    mv /etc/netwitness/platform /tmp

  5. Move /etc/netwitness/security-cli to the /tmp directory.

    mv /etc/netwitness/security-cli /tmp

  6. Move /etc/netwitness/ng/appliance to the /tmp directory.

    mv /etc/netwitness/ng/appliance /tmp

  7. Move /etc/netwitness/ng/<service> to the /tmp directory.  (e.g. /etc/netwitness/ng/decoder, /etc/netwitness/ng/concentrator, etc.)

    mv /etc/netwitness/ng/<service> /tmp

  8. Move /etc/pki/nw to the /tmp directory.

    mv /etc/pki/nw /tmp

  9. Run the nwsetup-tui command on the component host.
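
Steps 2 through 8 above, as an added example that is not RSA's own tooling: a POSIX shell helper that moves the same paths into a single mktemp-created, root-only directory (keeping each path's layout) instead of loose in the shared /tmp, since these paths hold the certificates and trust stores the article refers to. The function names, the `--migrate` flag and the `/tmp/nw-stale.*` directory name are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not RSA's script): steps 2-8 on the component host, keeping
# the stale trust material in one root-only directory instead of loose in /tmp.
# Function names and the /tmp/nw-stale.* directory are assumptions.

# stash ROOT DEST PATH...: move each existing ROOT/PATH to DEST/PATH and
# print the number moved. Paths keep their full layout so nothing collides.
stash() (
  root=${1%/}; dest=$2; shift 2; moved=0
  mkdir -p "$dest" && chmod 700 "$dest" || exit 1
  for rel in "$@"; do
    if [ ! -e "$root/$rel" ]; then
      echo "skip (not present): /$rel" >&2
      continue
    fi
    if [ -e "$dest/$rel" ]; then
      echo "refusing to overwrite $dest/$rel" >&2
      exit 1
    fi
    mkdir -p "$dest/$(dirname "$rel")"
    mv "$root/$rel" "$dest/$rel" || exit 1
    moved=$((moved + 1))
  done
  echo "$moved"
)

# migrate_host SERVICE: SERVICE is the directory under /etc/netwitness/ng
# (decoder, concentrator, ...). Run as root on the component host.
migrate_host() {
  dest=$(mktemp -d /tmp/nw-stale.XXXXXX) || return 1   # created mode 0700
  stash / "$dest" etc/salt/pki/minion/minion_master.pub >/dev/null  # step 2
  systemctl restart salt-minion || return 1                         # step 3
  stash / "$dest" etc/netwitness/platform etc/netwitness/security-cli \
    etc/netwitness/ng/appliance "etc/netwitness/ng/$1" etc/pki/nw \
    >/dev/null || return 1                                          # steps 4-8
  echo "stale files kept in $dest; run nwsetup-tui next (step 9)"
}

# Nothing runs unless asked: sh migrate.sh --migrate decoder
if [ "${1:-}" = "--migrate" ] && [ -n "${2:-}" ]; then
  migrate_host "$2"
fi
```

Paths that do not exist on a given host are skipped with a message on stderr, and an existing entry in the destination is never overwritten.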

From the NEW nw-node-zero:

  1. Discover the migrated component host in the RSA NetWitness UI.
  2. Select Install Correct Service for the component host.

After following the instructions above, watch or tail the chef-solo.log file on the component host while orchestrating/installing to confirm that the chef run completed successfully.


    tailf /var/log/netwitness/config-management/chef-solo.log


Confirm that the new component host has been added to the RSA NetWitness UI and that its services are online.

You may need to wait a while for the services to show as online.


Finally, configure the component host as necessary on the new nw-node-zero environment.