How to handle when a component is failing to authenticate(handshake failure) after install in RSA Web Threat Detection 6.0
3 years ago
Originally Published: 2016-11-15
Article Number
000065583
Applies To
RSA Product Set: Web Threat Detection
RSA Product/Service Type: Forensics
RSA Version/Condition: 6.0
Platform: Linux
 
Issue
TLS handshake failures are seen in Syslog and this affects the named component in the logs

Actual customer case -- After 6.0 installation, Silverplex is failing authentication.  Here is an example of a handshake error on the Silverplex component: 
Oct 27 15:59:23 slcst21a silverplex[81959]: [info] back [T11 st::tls::Server::MasterRunnable] [tls server 1] Accepted connection from 10.73.101.208:41799
Oct 27 15:59:23 slcst21a silverplex[81959]: [info] back [T6 st::task::QueueRunner] [st::tls::ServerHandshaker]
[handshaker 1.6] [session 29309] TLS handshake on 8
Oct 27 15:59:23 slcst21a silverplex[81959]: [error] back [T6 st::task::QueueRunner] [st::tls::ServerHandshaker] [handshaker 1.6] [session 29309] TLS handshake error: Decryption has failed.
Oct 27 15:59:23 slcst21a silverplex[81959]: [info] back [T6 st::task::QueueRunner] [st::tls::ServerHandshaker] [handshaker 1.6] [session 29309] Closing TLS session on 8 Oct 27 15:59:26 slcst21a rsyslogd-2177: imuxsock lost 143243 messages from pid 81641 due to rate-limiting

 
Tasks
The FRI CS Engineer should arrange a Webex session with the Customer to look at Varz (to see what components are showing failures) and Syslogs. 



 
Resolution
TLS handshake issues usually means an issue with the SSL Cert keys. There is an approach that may go in different directions, here are important points in your investigation. 
  • Most processes use the SilverTail cert and key for different things-- passwords, shard encryption, interprocess communication. It may be best to restart all the services. Note -- Scout is used for interbox processes, so make sure this component is restarted first.
  • Get an understanding of the Customer system architecture, which components are located on each server. 
  • Review /var/log/messages to check for TLS handshake errors and identify the components that are having these errors. 
  • Use md5sum command to make sure cert and key are the same on the servers that have failing components.
  • Use Varz to see which components are connecting and passing messages and which are not. 
Note -- With this type of issue, especially if this a new installation, there may be layers of issues. For example, when a Certificate is properly replaced, a permissions issue may be revealed. 

 
Notes
Note to communicate to Customers - "If this installation was performed by Professional Services and their engagement has not yet ended, please get in touch with the PS Engineer on the implementation project to resolve these issues." 

Related Articles

Trending Articles

Don't see what you're looking for?