ScoutProxy no longer is started automatically in RSA Web Threat Detection
Originally Published: 2018-03-07
Article Number
Applies To
RSA Product/Service Type: Forensics
RSA Version/Condition: 6.0
Issue
Tasks
Feb 26 14:38:55 ulph376 scout.py[25426]:MainThread:WARNING:Run: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/var/opt/silvertail/certs/ulph376.key") failed (SSL: error:0906406D:PEM routines:PEM_def_callback:problems getting password error:0906A068:PEM routines:PEM_do_header:bad password read error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
Resolution
nginx can be given the passphrase for a protected private key; see the reference: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate_key
This needs to be addressed for both services.
There are quite a few configuration files:
nginx-mime.types
-rw-rw-r--. 1 rsawtd rsawtd  6025 Jan  8 2016 nginx-scoutproxy.conf
-rw-r--r--. 1 rsawtd rsawtd  7682 Jan  8 2016 nginx-scoutproxy-srv-hosts.conf
-rw-rw-r--. 1 rsawtd rsawtd  1117 Jan  8 2016 nginx.sh.conf
-rw-rw-r--. 1 rsawtd rsawtd 13875 Jan  8 2016 nginx-siteproxy.conf
-rw-r--r--. 1 rsawtd rsawtd    86 Jan  8 2016 nginx-siteproxy-silversurfer-host.conf
-rw-r--r--. 1 rsawtd rsawtd    86 Jan  8 2016 nginx-siteproxy-varzgrapher-host.conf
The ScoutProxy configuration shown below (nginx-scoutproxy.conf) needs to be edited to add the passphrase to an existing or newly created server section, following the instructions in the reference.
[root@wtd etc]# cat nginx-scoutproxy.conf
# Nginx config for ScoutProxy, a reverse proxy server for SilverCat and Scout services.

# Worker processes will run with degraded permissions with the following identity.
user nginx;

# Location of the logs, either absolute path or path relative to the "-p" directory given when
# nginx is launched.
error_log /var/log/silvertail/ScoutProxy-error.log crit;

# Name of the file that contains the master process ID.
pid /var/run/silvertail/scoutproxy.pid;

worker_processes 1;

# Default value for worker_connections is 512.
events {
    worker_connections 512; # per process
}

http {
    # Supported MIME types
    types {
        include nginx-mime.types;
    }

    keepalive_timeout 65;
    keepalive_requests 10000;
    access_log off;

    # Hide nginx version
    server_tokens off;

    # Debug via access log.
    #rewrite_log on;
    #log_subrequest on;
    #access_log /var/log/silvertail/ScoutProxy-access.log;

    # Proxy configuration.
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Disable buffering to pass-thru data.
    proxy_buffering off;

    # Some operations take a while.
    # TODO: Reduce this when we have async ops.
    proxy_read_timeout 30m;

    ssl_protocols TLSv1.2;

    # SSL certificates (generated with make_ssl_certs).
    ssl_certificate /var/opt/silvertail/certs/wtd.crt; # wtd.crt;
    ssl_certificate_key /var/opt/silvertail/certs/wtd.key; # wtd.key;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    server {
        # We proxy everything via SSL, even if we don't use SSL between this proxy and the
        # component.
        listen 4448 default ssl;
        listen 80 default ssl;

        # This should be the full public DNS name of the web server serving the Silver Tail UI.
        server_name wtd;

        # Prevent UI framing
        add_header X-Frame-Options SAMEORIGIN;

        # Only allow GET/PUT/POST/HEAD/DELETE methods at port 4448
        # Returning 444 per best security practices
        # http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html
        if ( $request_method !~ ^(GET|PUT|POST|HEAD|DELETE)$ ) {
            return 444;
        }

        # Allow HEAD only to Scout
        if ( $request_method = HEAD ) {
            set $method_n_url HEAD;
        }
        if ( $request_uri ~ ^(\/scout\/?) ) {
            set $method_n_url "{method_n_url}_scout";
        }
        if ( $request_uri ~ ^(\/srv\/?) ) {
            set $method_n_url "{method_n_url}_srv";
        }
        if ( $request_uri ~ ^(\/services\/?) ) {
            set $method_n_url "{method_n_url}_services";
        }
        if ( $method_n_url = HEAD ) {
            return 444;
        }

        # Allow DELETE to srv blocks
        # NB-- Scout and ScoutProxy are already protected by python code
        if ( $request_method = DELETE ) {
            set $delete_n_url DELETE;
        }
        if ( $request_uri ~ ^(\/srv\/) ) {
            set $delete_n_url "{delete_n_url}_srv";
        }
        if ( $delete_n_url = DELETE ) {
            return 444;
        }

        # Redirects for varz and other HTTP services
        include nginx-scoutproxy-srv-hosts.conf;

        # Allow loading of new collaterals when serving Silvercat over 4448
        # # New frontend UI uses the .png file for Silvercat
        location ~ /(rsa-wtd-identity-configurator.png)$ {
            root /var/opt/silvertail/srv/nginx/html;
        }
        location ~ /(jquery.js)$ {
            root /var/opt/silvertail/srv/nginx/html;
        }
        location ~ /(require.js)$ {
            root /var/opt/silvertail/srv/nginx/html;
        }
        location ~ /(pushconfig.js)$ {
            root /var/opt/silvertail/srv/nginx/html;
        }

        # if a /srv/ request was not handled by one of the location blocks
        # in nginx-scoutproxy-srv-hosts.conf, then return a 404 (not found)
        location ^~ /srv/ {
            return 404;
        }

        # Scout and some miscellaneous CUI links are the only ones that do
        # basic auth now. Everything else is authentication through UIServer
        # So just call auth realm Scout
        auth_basic "Scout";
        auth_basic_user_file /var/opt/silvertail/etc/admin_and_uiserver.htpasswd;

        # Prevent Silvercat (configuration manager) access via port 4448
        # eg. /silvercat --> 404
        # /silvercat/ --> 404
        # /silvercat/toy --> 404
        # /no/silvercat --> basic auth
        # /silvercatmint --> basic auth
        # NB-- The failure cases go to basic auth because we send all unmatched
        # url(s) to Scout (see below)
        # NB--Example from stackoverflow (below) does NOT work at all :(
        # location ^~ /silvercat/?(.*)$
        location ~ "^/silvercat$|^/silvercat/" {
            return 404;
        }

        location /scout {
            rewrite /scout /scout/ redirect;
        }
        location ^~ /scout/ {
            rewrite /scout/(.*) /$1 break;
            proxy_set_header X-Rewrite-URL $request_uri;
            proxy_pass http://127.0.0.1:4447;
        }

        # Assume all other URL's are for Scout.
        location / {
            rewrite /(.*) /$1 break;
            proxy_set_header X-Rewrite-URL $request_uri;
            proxy_pass http://127.0.0.1:4447;
        }
    }
}
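As an added example (not from the RSA article or the product), the POSIX shell script below checks the three things behind the "bad password read" failure above: whether the key named in ssl_certificate_key is passphrase-protected, whether a passphrase file decrypts it, and whether the server section carries the ssl_password_file directive from the referenced nginx documentation. The .pass file location and the full path of nginx-scoutproxy.conf are assumptions; openssl and nginx must be on PATH for the two live checks.

```shell
#!/bin/sh
# Added example, not part of the RSA article or the product: diagnose the
# nginx "bad password read" startup failure and verify the ssl_password_file fix.
# The passphrase file and conf path passed in are assumptions.

# 0 if the PEM file $1 is passphrase-protected: legacy PKCS#1 keys carry a
# "Proc-Type: 4,ENCRYPTED" header, encrypted PKCS#8 keys use a distinct BEGIN line.
pem_is_encrypted() {
    grep -qE '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# 0 if the passphrase stored in file $2 decrypts key $1; this is the same
# operation nginx performs at startup, without starting nginx (needs openssl).
passphrase_unlocks_key() {
    openssl pkey -in "$1" -passin "file:$2" -noout >/dev/null 2>&1
}

# Emit the directive to add inside the server { } block that holds
# ssl_certificate_key, per the nginx ssl module documentation.
password_file_directive() {
    printf 'ssl_password_file %s;\n' "$1"
}

# Full check: KEY PASSFILE CONF. Prints a verdict; returns 0 only when the key
# is either unencrypted or unlockable and nginx itself accepts the configuration.
check_scoutproxy_key() {
    key=$1; passfile=$2; conf=$3
    if ! pem_is_encrypted "$key"; then
        echo "$key is not passphrase-protected; the startup error has another cause"
    elif [ ! -r "$passfile" ]; then
        echo "$key is encrypted but $passfile is missing; create it (mode 0600) and add:"
        password_file_directive "$passfile"
        return 1
    elif ! passphrase_unlocks_key "$key" "$passfile"; then
        echo "passphrase in $passfile does not decrypt $key"
        return 1
    elif ! grep -qE '^[[:space:]]*ssl_password_file[[:space:]]' "$conf"; then
        echo "$conf lacks the directive; add inside server { }:"
        password_file_directive "$passfile"
        return 1
    fi
    # Final word: the product launches nginx with -p, so pass the same prefix if
    # relative includes such as nginx-mime.types fail to resolve here.
    nginx -t -c "$conf"
}

# Usage (assumed paths): sh check_key.sh /var/opt/silvertail/certs/wtd.key \
#     /var/opt/silvertail/certs/wtd.pass /var/opt/silvertail/etc/nginx-scoutproxy.conf
if [ $# -eq 3 ]; then check_scoutproxy_key "$@"; fi
```

The passphrase file should be readable only by the account that starts nginx, since anyone who can read it can unlock the key.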