2020-08-04 08:24 AM
Hello Everyone,
I was trying to add Security Analytics IM as an endpoint in my Archer setup and am facing an issue, stated below.
Has anyone faced the same, or can anyone help me fix this issue? Thanks in advance.
Please note I have installed UCF on my Archer server and it is part of the domain; also, I am using a custom CA certificate for their communication.
Add Endpoint
----------------------------------------------
1. Security Analytics IM
2. Archer
3. Enterprise Management Endpoint
4. Exit
Enter your choice:1
Please enter a user defined endpoint name [default]: SAIM
SA Host (ex: 10.6.66.96): xx.xx.16.140
SA Messaging Port (ex: 5671) [5671]: 5671
Target Queues (GRC, Operations or All) [All]: All
Automatically add certs to SA Trust Store? (Yes/No) [Yes]: Yes
Enter the account username to connect to SA Host [root]: root
Enter the account password to connect to SA Host:
Please Re-Enter value:
Testing Endpoint connection.
Installing certificates from Host:xx.xx.16.140 Port:5671
Opening connection to xx.xx.16.140:5671...
2 certificate(s) are set to be installed in the trust store:
1 Subject CN=19dde670-f9f5-46f5-a869-72e1944032aa, OU=NetWitness Platform, O=RSA, L=Reston, ST=VA, C=US
Issuer CN=Puppet CA: 19dde670-f9f5-46f5-a869-72e1944032aa
sha1 ef 47 f6 bf 2a 38 13 3c 65 0d 21 20 5a b4 b7 f7 d7 aa 00 b2
md5 91 4c 45 09 07 06 f0 71 1b c5 aa 98 41 23 e6 b3
2 Subject CN=Puppet CA: 19dde670-f9f5-46f5-a869-72e1944032aa
Issuer CN=Puppet CA: 19dde670-f9f5-46f5-a869-72e1944032aa
sha1 24 cc 15 02 5b 74 2a c5 8e a7 dc cd 92 3b 50 ab f1 80 e9 ca
md5 92 52 22 ee 8c f1 e6 d2 38 6d 34 da f9 30 52 7e
Only certificates you trust should be added to the trust store.
Existing certificates for host xx.xx.16.140 will be removed first.
Proceed? [y/n]:y
No existing certs for were found.
Stored certificate with Subject: CN=19dde670-f9f5-46f5-a869-72e1944032aa, OU=NetWitness Platform, O=RSA, L=Reston, ST=VA, C=US
Stored certificate with Subject: CN=Puppet CA: 19dde670-f9f5-46f5-a869-72e1944032aa
Auto configuring SA Cert Trust Store...
Cleared the ssh password
Copying CA trust store to SA.
Attempting to send command over SSH
Reloading SA Trust Store with Puppet agent. This could take up to 2 minutes...
Running check lock
Attempting to send command over SSH
Attempting to send command over SSH
Attempting to send command over SSH
Puppet agent is done on the SA box
Successfully set trust store.
..........
Failed to publish/consume message to SAIM Queue
Unsuccessful connection attempt.
Removing properties for the endpoint.
Failed to connect to endpoint
Welcome to the SA IM Integration Service Manager Wizard
----------------------------------------------
1. Add Endpoint
2. Edit Endpoint
3. Delete Endpoint
4. Mode Selection
5. Test Endpoint
6. Install Certificates From Directory
7. Regenerate Certificates
8. SAIM Migration
9. RCF Migration
10. Test Syslog Client
11. Exit
Enter your choice:
Also, I have configured the Respond service as per the Archer integration guide.
Thanks in advance.
Regards,
Rajbir
2020-08-04 10:20 AM
Hi Rajbir,
The process of certificate exchange in NW version 11.X and above has changed. You cannot exchange certificates from UCF anymore; it's a manual process now and you have to manually copy the certificate from UCF to NetWitness and update the node.
Check this document: https://community.rsa.com/docs/DOC-101323 (see page 8).
Regards,
Anurag
2020-08-04 11:47 AM
Dear Anurag,
Thank you so much for your response.
I am following the same guide which you suggested. I first copied the certificates manually; at that time I was also getting the same error "Failed to connect to endpoint" when I selected No for the certificates:
Automatically add certs to SA Trust Store? (Yes/No) [Yes]: No
Then I tried selecting Yes, and the error changed, as below:
Failed to publish/consume message to SAIM Queue
Unsuccessful connection attempt.
Removing properties for the endpoint.
Failed to connect to endpoint
Can you please share the steps or command so I can check whether the queue has been created on the NetWitness Respond server or not?
Also, if it has not, what troubleshooting steps can I follow to check the configuration so the queue gets created and the issue can be fixed?
Thanks in advance for the help.
Best Regards,
Rajbir
2020-08-05 12:53 AM
Hi Rajbir,
After copying the certs to NetWitness, did you run "orchestration-cli-client --update-admin-node" in NetWitness?
In the new process, you don't need to exchange certificates from UCF at any stage.
Regards,
Anurag
2020-08-05 01:44 AM
Dear Anurag,
Yes, I have run "orchestration-cli-client --update-admin-node" and it synchronized successfully without any error.
I am afraid that the SA server has not created the SA IM queue for Archer and further incident forwarding.
Can you please help me check the SA IM queue, or let me know how we configure the RSA SA server to create the SA IM queue?
I have already configured the Respond service with the steps below:
Configure Respond for Integration with RSA Archer® Cyber Incident & Breach Response
Step 1: Select the Mode for NetWitness Respond
1. Go to ADMIN > Services, select the Respond Server service, and then select > View > Explore.
2. Navigate to respond/integration/export.
3. Set the archer-sec-ops-integration-enabled field to true.
4. Restart the Respond service by running the following command:
systemctl restart rsa-nw-respond-server
Step 2: Configure NetWitness Respond to Forward Alerts to UCF
1. Navigate to C:\Program Files\RSA\SA IM integration service\cert-tool\certs on the SecOps Middleware box.
2. Copy both keystore.crt.pem and rootcastore.crt.pem from the certs folder to the import folder of the NetWitness server:
cp rootcastore.crt.pem /etc/pki/nw/trust/import
cp keystore.crt.pem /etc/pki/nw/trust/import
Note: Before you copy the files from UCF to the NetWitness Admin server, examine the files to remove any blank lines and save them.
3. SSH to the NW-server box.
a. Run the update-admin-node command:
orchestration-cli-client --update-admin-node
b. Restart the RabbitMQ service:
systemctl restart rabbitmq-server
c. Restart the SMS service:
systemctl restart rsa-sms.service
Note: This step is mandatory to avoid receiving the "message bus down" error message, which indicates that the EventSourceMessagePublisher has failed to reconnect to RabbitMQ on restart. This can cause some features, such as deleting event sources, to function improperly.
d. Create user archer and set permissions for the virtual host '/rsa/system':
rabbitmqctl add_user archer archer
rabbitmqctl clear_password archer
rabbitmqctl set_permissions -p /rsa/system archer ".*" ".*" ".*"
We have already configured ESA to forward alerts to the Respond server, and incidents are also being triggered on the SA server.
Thanks and Regards,
Rajbir
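The guide quoted above says to remove blank lines from keystore.crt.pem and rootcastore.crt.pem before copying them into /etc/pki/nw/trust/import, and the wizard earlier in the thread prints each certificate's sha1/md5 fingerprint with the warning that only trusted certificates should be added. The following is an added example (not RSA's code and not part of this thread) that does both checks on the NetWitness side before staging a file: it strips blank lines, computes the standard DER fingerprints in the same "ef 47 f6 ..." layout the wizard shows, and refuses any certificate whose sha1 is not on an allow-list you fill from the wizard output. The embedded sample PEM is a constructed placeholder, not a real X.509 certificate.

```python
"""Pre-import check for UCF certificate files bound for /etc/pki/nw/trust/import."""
import base64
import hashlib
import re

# One PEM certificate block; DOTALL so the base64 body may span lines.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def strip_blank_lines(pem_text):
    """Drop empty or whitespace-only lines, as the guide's note requires."""
    return "\n".join(line for line in pem_text.splitlines() if line.strip()) + "\n"


def _fmt(digest):
    """Render a digest as space-separated hex pairs, matching the wizard's output."""
    return " ".join(f"{b:02x}" for b in digest)


def pem_fingerprints(pem_text):
    """Return sha1/md5 fingerprints of every certificate in the PEM text."""
    result = []
    for body in _PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        result.append({"sha1": _fmt(hashlib.sha1(der).digest()),
                       "md5": _fmt(hashlib.md5(der).digest())})
    return result


def check_before_import(pem_text, trusted_sha1):
    """Clean the file and report every cert whose sha1 is not on the allow-list.

    Returns (cleaned_text, unknown_sha1_list); stage the file only if the list is empty.
    """
    cleaned = strip_blank_lines(pem_text)
    fps = pem_fingerprints(cleaned)
    if not fps:
        raise ValueError("no CERTIFICATE block found")
    unknown = [f["sha1"] for f in fps if f["sha1"] not in trusted_sha1]
    return cleaned, unknown


# Constructed placeholder bytes standing in for a DER certificate (not a real cert),
# wrapped as PEM with the stray blank lines the guide warns about.
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_SHA1 = _fmt(hashlib.sha1(SAMPLE_DER).digest())
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n\n"
              + "-----END CERTIFICATE-----\n\n")
```

Run `check_before_import(open("rootcastore.crt.pem").read(), {"<sha1 from wizard>"})` and only copy the returned cleaned text into the import folder when the unknown list is empty.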
2020-08-05 02:45 AM
The queues will be present. Check the queues using:
https://community.rsa.com/docs/DOC-45430
I believe you must have added the other required endpoints in the UCF and the services are running. As you mentioned that incidents are expected to flow, you can check collector.log in UCF for any errors.
Regards,
Anurag
2020-08-06 11:42 AM
Dear Anurag,
Thanks for the help. I found the queue is there, and when I configured Context Hub and used Archer as a data source I was able to receive incidents at Archer, but without any summary or fields. However, we have to configure it using UCF.
I also re-ran the connection manager after importing the certificates manually on the NetWitness server (as per the steps mentioned in the Archer integration guide).
Below is the output:
Add Endpoint
----------------------------------------------
1. Security Analytics IM
2. Archer
3. Enterprise Management Endpoint
4. Exit
Enter your choice:1
Please enter a user defined endpoint name [default]: netwitness
SA Host (ex: 10.6.66.96): xx.xx.16.140
SA Messaging Port (ex: 5671) [5671]: 5671
Target Queues (GRC, Operations or All) [All]: All
Automatically add certs to SA Trust Store? (Yes/No) [Yes]: No
2 certificate(s) are set to be installed in the trust store:
1 Subject CN=19dde670-f9f5-46f5-a869-72e1944032aa, OU=NetWitness Platform, O=RSA, L=Reston, ST=VA, C=US
Issuer CN=Puppet CA: 19dde670-f9f5-46f5-a869-72e1944032aa
sha1 ef 47 f6 bf 2a 38 13 3c 65 0d 21 20 5a b4 b7 f7 d7 aa 00 b2
md5 91 4c 45 09 07 06 f0 71 1b c5 aa 98 41 23 e6 b3
2 Subject CN=Puppet CA: 19dde670-f9f5-46f5-a869-72e1944032aa
Issuer CN=Puppet CA: 19dde670-f9f5-46f5-a869-72e1944032aa
sha1 24 cc 15 02 5b 74 2a c5 8e a7 dc cd 92 3b 50 ab f1 80 e9 ca
md5 92 52 22 ee 8c f1 e6 d2 38 6d 34 da f9 30 52 7e
Only certificates you trust should be added to the trust store.
Existing certificates for host xx.xx.16.140 will be removed first.
Proceed? [y/n]:n
No certificates were added to trust store.
Data extraction may from xx.xx.xx.140 may fail if these certificates are not already present in the trust store.
To ensure successful connection, SA server must trust the UCF CA certificates.
See the installation guide for instruction to complete this action.
When steps are completed, press Enter.
[When I pressed Enter I got the message below]
..........
Failed to publish/consume message to SAIM Queue
Unsuccessful connection attempt.
Removing properties for the endpoint.
Failed to connect to endpoint
Welcome to the SA IM Integration Service Manager Wizard
----------------------------------------------
1. Add Endpoint
2. Edit Endpoint
3. Delete Endpoint
4. Mode Selection
5. Test Endpoint
6. Install Certificates From Directory
7. Regenerate Certificates
8. SAIM Migration
9. RCF Migration
10. Test Syslog Client
11. Exit
Enter your choice:
Also, I noticed the error messages below in the Respond server logs when I tried to add SA IM both ways (auto add certificate = No and auto add certificate = Yes).
Please refer to the attached screenshots:
auto add certificate = No | it shows the error below
clientinboundchannel-107 warn dataAccess| failed to retrieve data
auto add certificate = Yes | it shows the error below
However, now when I try to update the admin node using "orchestration-cli-client --update-admin-node", it shows an error at the end.
Can you please suggest something? I have tried both ways of adding the certificates and followed the exact steps from the Archer integration guide.