ScoutProxy no longer is started automatically in RSA Web Threat Detection
Originally Published: 2018-03-07
Article Number
000054958
Applies To
RSA Product Set: Web Threat Detection
RSA Product/Service Type: Forensics
RSA Version/Condition: 6.0
 
Issue
Since we've installed new server certificates, when ScoutProxy needs to be restarted, we're being asked for a PEM Pass Phrase, which requires manual intervention from an SA. When generating these certificates, we're required to provide a pass phrase as per our Corporate Security guidelines. We need to know how to provide this pass phrase during the ScoutProxy startup process without manual intervention.
Tasks
Look for errors similar to the following in the log --
 
Feb 26 14:38:55 ulph376 scout.py[25426]:MainThread:WARNING:Run: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/var/opt/silvertail/certs/ulph376.key") failed (SSL: error:0906406D:PEM routines:PEM_def_callback:problems getting password error:0906A068:PEM routines:PEM_do_header:bad password read error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
Resolution
Because you generate the .crt file with a passphrase, you need to specify the same passphrase for your .key and .crt file in the nginx conf, using the ssl_password_file directive, like this:

server {
    ssl_password_file /path-to-your-passphrase/ssl.pass;
}

The nginx documentation for ssl_certificate_key describes the ssl_password_file directive; see http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate_key

This needs to be done for both services.

There are quite a few conf files in the nginx configuration directory:
 
nginx-mime.types
-rw-rw-r--.  1 rsawtd rsawtd  6025 Jan  8  2016 nginx-scoutproxy.conf
-rw-r--r--.  1 rsawtd rsawtd  7682 Jan  8  2016 nginx-scoutproxy-srv-hosts.conf
-rw-rw-r--.  1 rsawtd rsawtd  1117 Jan  8  2016 nginx.sh.conf
-rw-rw-r--.  1 rsawtd rsawtd 13875 Jan  8  2016 nginx-siteproxy.conf
-rw-r--r--.  1 rsawtd rsawtd    86 Jan  8  2016 nginx-siteproxy-silversurfer-host.conf
-rw-r--r--.  1 rsawtd rsawtd    86 Jan  8  2016 nginx-siteproxy-varzgrapher-host.conf

nginx-scoutproxy.conf needs to be edited to add the ssl_password_file directive to an existing server section (or a newly created one), following the instructions in the reference:
 
[root@wtd etc]# cat nginx-scoutproxy.conf
# Nginx config for ScoutProxy, a reverse proxy server for SilverCat and Scout services.
# Worker processes will run with degraded permissions with the following identity.
user nginx;
# Location of the logs, either absolute path or path relative to the "-p" directory given when
# nginx is launched.
error_log /var/log/silvertail/ScoutProxy-error.log crit;
# Name of the file that contains the master process ID.
pid /var/run/silvertail/scoutproxy.pid;
worker_processes 1;
# Default value for worker_connections is 512.
events {
    worker_connections 512;  # per process
}
http {
    # Supported MIME types
    types {
        include nginx-mime.types;
    }
    keepalive_timeout 65;
    keepalive_requests 10000;
    access_log off;
    # Hide nginx version
    server_tokens off;
    # Debug via access log.
    #rewrite_log on;
    #log_subrequest on;
    #access_log /var/log/silvertail/ScoutProxy-access.log;
    # Proxy configuration.
    proxy_redirect          off;
    proxy_set_header        Host            $host;
    proxy_set_header        X-Real-IP       $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    # Disable buffering to pass-thru data.
    proxy_buffering off;
    # Some operations take a while.
    # TODO: Reduce this when we have async ops.
    proxy_read_timeout 30m;
    ssl_protocols TLSv1.2;
    # SSL certificates (generated with make_ssl_certs).
    ssl_certificate /var/opt/silvertail/certs/wtd.crt;           # wtd.crt;
    ssl_certificate_key /var/opt/silvertail/certs/wtd.key;       # wtd.key;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    server {
        # We proxy everything via SSL, even if we don't use SSL between this proxy and the
        # component.
        listen 4448 default ssl;
        listen 80 default ssl;
        # This should be the full public DNS name of the web server serving the Silver Tail UI.
        server_name wtd;
        # Prevent UI framing
        add_header X-Frame-Options SAMEORIGIN;
        # Only allow GET/PUT/POST/HEAD/DELETE methods at port 4448
        # Returning 444 per best security practices
        # http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html
        if ( $request_method !~ ^(GET|PUT|POST|HEAD|DELETE)$ ) {
            return 444;
        }
        # Allow HEAD only to Scout
        if ( $request_method = HEAD ) {
            set $method_n_url HEAD;
        }
        if ( $request_uri ~ ^(\/scout\/?) ) {
            set $method_n_url "${method_n_url}_scout";
        }
        if ( $request_uri ~ ^(\/srv\/?) ) {
            set $method_n_url "${method_n_url}_srv";
        }
        if ( $request_uri ~ ^(\/services\/?) ) {
            set $method_n_url "${method_n_url}_services";
        }
        if ( $method_n_url = HEAD ) {
            return 444;
        }
        # Allow DELETE to srv blocks
        # NB-- Scout and ScoutProxy are already protected by python code
        if ( $request_method = DELETE ) {
            set $delete_n_url DELETE;
        }
        if ( $request_uri ~ ^(\/srv\/) ) {
            set $delete_n_url "${delete_n_url}_srv";
        }
        if ( $delete_n_url = DELETE ) {
            return 444;
        }
        # Redirects for varz and other HTTP services
        include nginx-scoutproxy-srv-hosts.conf;
        # Allow loading of new collaterals when serving Silvercat over 4448
        # # New frontend UI uses the .png file for Silvercat
        location ~ /(rsa-wtd-identity-configurator.png)$ {
            root /var/opt/silvertail/srv/nginx/html;
        }
        location ~ /(jquery.js)$ {
            root /var/opt/silvertail/srv/nginx/html;
        }
        location ~ /(require.js)$ {
            root /var/opt/silvertail/srv/nginx/html;
        }
        location ~ /(pushconfig.js)$ {
            root /var/opt/silvertail/srv/nginx/html;
        }
        # if a /srv/ request was not handled by one of the location blocks
        # in nginx-scoutproxy-srv-hosts.conf, then return a 404 (not found)
        location ^~ /srv/ {
            return 404;
        }
        # Scout and some miscellaneous CUI links are the only ones that do
        # basic auth now. Everything else is authentication through UIServer
        # So just call auth realm Scout
        auth_basic "Scout";
        auth_basic_user_file /var/opt/silvertail/etc/admin_and_uiserver.htpasswd;
        # Prevent Silvercat (configuration manager) access via port 4448
        # eg. /silvercat  --> 404
        #     /silvercat/  --> 404
        #     /silvercat/toy  --> 404
        #     /no/silvercat  --> basic auth
        #     /silvercatmint  --> basic auth
        # NB-- The failure cases go to basic auth because we send all unmatched
        #      url(s) to Scout (see below)
        # NB--Example from stackoverflow (below) does NOT work at all :(
        #     location ^~ /silvercat/?(.*)$
        location ~ "^/silvercat$|^/silvercat/" {
            return 404;
        }
        location /scout {
            rewrite /scout /scout/ redirect;
        }
        location ^~ /scout/ {
            rewrite /scout/(.*) /$1 break;
            proxy_set_header X-Rewrite-URL $request_uri;
            proxy_pass http://127.0.0.1:4447;
        }
        # Assume all other URL's are for Scout.
        location / {
            rewrite /(.*) /$1 break;
            proxy_set_header X-Rewrite-URL $request_uri;
            proxy_pass http://127.0.0.1:4447;
        }
    }
}
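As an added check (not RSA's code and not part of this article), the script below audits an nginx conf for exactly the failure described here: a passphrase-protected private key with no ssl_password_file directive, or a configured password file that is missing or readable by group/other (the nginx master process reads it as root, so 0600 and root-owned is enough). The conf excerpt, paths and PEM header stubs are constructed.

```python
import os
import re
import stat

def find_directive(conf: str, name: str) -> list[str]:
    """Values of every active (non-commented) `name value;` line in the conf text."""
    vals = []
    for raw in conf.splitlines():
        code = raw.split("#", 1)[0].strip()  # drop trailing comments such as "# wtd.key;"
        m = re.match(rf"{name}\s+([^;\s]+)\s*;", code)
        if m:
            vals.append(m.group(1))
    return vals

def key_is_encrypted(pem: str) -> bool:
    """True for PKCS#8 'ENCRYPTED PRIVATE KEY' or legacy 'Proc-Type: 4,ENCRYPTED' PEM."""
    return any("ENCRYPTED" in line for line in pem.lstrip().splitlines()[:3])

def password_file_mode(path: str):
    """Permission bits of the password file, or None if it does not exist."""
    try:
        return stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return None

def audit(conf: str, key_pem: str, pass_mode) -> list[str]:
    """pass_mode is password_file_mode() of the configured ssl_password_file (None = absent)."""
    findings = []
    pass_files = find_directive(conf, "ssl_password_file")
    if find_directive(conf, "ssl_certificate_key") and key_is_encrypted(key_pem) and not pass_files:
        findings.append("encrypted key but no ssl_password_file: nginx blocks on a PEM pass phrase prompt")
    if pass_files and pass_mode is None:
        findings.append(f"ssl_password_file {pass_files[0]} does not exist")
    elif pass_files and pass_mode & 0o077:
        findings.append(f"ssl_password_file {pass_files[0]} is mode {pass_mode:04o}; make it 0600, owned by root")
    return findings

# Constructed excerpt in the shape of nginx-scoutproxy.conf, before and after adding the directive.
CONF_BEFORE = """http {
    ssl_certificate /var/opt/silvertail/certs/wtd.crt;           # wtd.crt;
    ssl_certificate_key /var/opt/silvertail/certs/wtd.key;       # wtd.key;
    server {
        listen 4448 default ssl;
    }
}"""
CONF_AFTER = CONF_BEFORE.replace("listen 4448 default ssl;",
    "listen 4448 default ssl;\n        ssl_password_file /var/opt/silvertail/certs/ssl.pass;")
ENCRYPTED_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...stub...\n"  # constructed header stub
```

nginx tries each line of the password file in turn when loading a key, so one file can hold the passphrases for several keys.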