000036443 - How to migrate an existing core appliance to a new nw-node-zero in RSA NetWitness Platform 11.x

Document created by RSA Customer Support Employee on Jul 7, 2018
Last modified by RSA Customer Support Employee on Oct 15, 2019
Version 3

Article Content

Article Number: 000036443

Applies To
RSA Product Set: NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.x
Platform: CentOS 7
 
Issue

Please note that this KB is meant only for appliances that are completely core based: Packet Decoders, Log Decoders, Concentrators, Archivers and Brokers. Devices such as Endpoint Hybrids and ESA Primary and Secondary Servers require a different set of steps. Packet Hybrids and Log Hybrids can still follow this KB.

Moving a core appliance to a new nw-node-zero leaves its certificates stale, and its services will not come back online once it is installed on the new nw-node-zero. Errors similar to the examples below will appear in the /var/log/messages file on the component host being migrated.

Jun 12 14:53:52 rdc-sec-phybrid1 NwDecoder[1238]: [Login] [audit] Failed login attempt for nonexistent user 'escalateduser' from 192.168.2.102:36800

Jun 12 22:36:58 rdc-sec-phybrid1 NwConcentrator[1218]: {"deviceVendor":"RSA","deviceProduct":"NetWitness","deviceService":"CONCENTRATOR","deviceVersion"...ailure"}
Jun 12 22:36:58 rdc-sec-phybrid1 NwConcentrator[1218]: [Login] [audit] Failed login attempt for nonexistent user 'escalateduser' from 192.168.2.102:39178

The errors above are due to stale certificates, truststores and/or trustpeers from the old nw-node-zero.

 
Resolution

Follow the steps below to move the component host from the OLD nw-node-zero to the NEW nw-node-zero.

From the component host to be migrated:



  1. Get the UUID of the host by running the command below.

    cat /etc/salt/minion


 
From the OLD or existing nw-node-zero:



  1. Remove the component host from the Hosts view in the RSA NetWitness UI.
  2. Remove the UUID of the component host by running the command below.

    orchestration-cli-client --remove-key <UUID>

 
From the NEW nw-node-zero:

  1. Issue the command below to show all keys on the RSA NetWitness Admin Server and note any denied, rejected or unaccepted keys.

    salt-key

  2. If necessary, issue the command below to remove and re-add any UUID identified in the previous step.

    orchestration-cli-client --remove-key <UUID>

 
From the component host:

  1. Verify that the /etc/netwitness/security-client/security-client-amqp.yml file contains the correct password (deploy_admin). If it does not, either correct it or remove the file before running nwsetup-tui.

    This file exists if nwsetup-tui was run multiple times on the host and it can be safely deleted after a successful re-provisioning of the host.


  2. Move the /etc/salt/pki/minion/minion_master.pub file to the /tmp directory.

    mv /etc/salt/pki/minion/minion_master.pub /tmp

  3. Restart salt-minion with the command below.

    systemctl restart salt-minion

  4. Move /etc/netwitness/platform to the /tmp directory.

    mv /etc/netwitness/platform /tmp

  5. Move /etc/netwitness/security-cli to the /tmp directory.

    mv /etc/netwitness/security-cli /tmp

  6. Move /etc/netwitness/ng/appliance to the /tmp directory.

    mv /etc/netwitness/ng/appliance /tmp

  7. Move /etc/netwitness/ng/<service> to the /tmp directory.  (e.g. /etc/netwitness/ng/decoder, /etc/netwitness/ng/concentrator, etc.)

    mv /etc/netwitness/ng/<service> /tmp

  8. Move /etc/pki/nw to the /tmp directory.

    mv /etc/pki/nw /tmp

  9. Run the nwsetup-tui command on the component host.
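
Steps 2 through 8 above as one function, as an added example that is not part of the RSA article: it stages the stale files under a single new mode-0700 directory (path layout preserved) rather than loose in /tmp, so a repeated run cannot collide with or overwrite an earlier copy. The function names, the ROOT rehearsal prefix and the choice of backup directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not RSA's script). ROOT is "" on a real host, or a scratch
# directory when rehearsing the procedure; BACKUP must not exist yet.

# stage ROOT BACKUP REL: move ROOT/REL to BACKUP/REL, keeping the path layout.
stage() {
    src="$1/$3"; dest="$2/$3"
    if [ ! -e "$src" ]; then
        echo "skip (absent): $src"
        return 0
    fi
    mkdir -p "$(dirname "$dest")" || return 5
    mv -- "$src" "$dest" || return 5
    echo "moved: $src -> $dest"
}

# run_steps ROOT SERVICE BACKUP: steps 2-8 of the component-host list.
run_steps() {
    root=$1; service=$2; backup=$3
    # Step 7 takes a service name; reject values that could leave
    # /etc/netwitness/ng (empty, containing "/", or starting with ".").
    case $service in
        ''|*/*|.*) echo "invalid service name: '$service'" >&2; return 2 ;;
    esac
    # mkdir without -p fails if BACKUP already exists, so an earlier copy is
    # never overwritten and a directory created by someone else is never used.
    mkdir -m 700 -- "$backup" || return 3

    # Step 2: the cached public key of the old master.
    stage "$root" "$backup" etc/salt/pki/minion/minion_master.pub || return $?
    # Step 3: restart the minion (skipped when rehearsing under a ROOT prefix).
    if [ -z "$root" ]; then
        systemctl restart salt-minion || return $?
    fi
    # Steps 4-8: platform, security-cli, appliance, service and PKI directories.
    for rel in etc/netwitness/platform etc/netwitness/security-cli \
               etc/netwitness/ng/appliance "etc/netwitness/ng/$service" \
               etc/pki/nw; do
        stage "$root" "$backup" "$rel" || return $?
    done
}
```

On the component host this would be called as root with an empty ROOT, for example `run_steps "" decoder /root/nw-stale-trust` (the directory name is a placeholder), after which step 9 (nwsetup-tui) is run as described.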

From the NEW nw-node-zero:

  1. Discover the migrated component host in the RSA NetWitness UI.
  2. Select Install Correct Service for the component host.

After following the instructions above, watch or tail the chef-solo.log file on the component host while orchestrating/installing to confirm that the chef run completed successfully.


    tailf /var/log/netwitness/config-management/chef-solo.log


Confirm that the new component host has been added to the RSA NetWitness UI and that its services are online.

You may need to wait a while for the services to show as online.


Finally, configure the component host as necessary on the new nw-node-zero environment.