NetWitness Community

Adding Security Analytics IM endpoint in RSA Archer

rajbirsingh
‎2020-08-04 08:24 AM

Hello Everyone, 

 

I was trying to add Security Analytics IM as an endpoint in my Archer setup and am facing the issue stated below:

Has anyone faced the same, or can anyone help me fix this issue? Thanks in advance.

 

Please note I have installed UCF on my Archer server and it is part of the domain; also, I am using a custom CA certificate for their communication.

 

Add Endpoint
----------------------------------------------


1. Security Analytics IM
2. Archer
3. Enterprise Management Endpoint
4. Exit

Enter your choice:1
Please enter a user defined endpoint name [default]: SAIM
SA Host (ex: 10.6.66.96): xx.xx.16.140
SA Messaging Port (ex: 5671) [5671]: 5671
Target Queues (GRC, Operations or All) [All]: All
Automatically add certs to SA Trust Store? (Yes/No) [Yes]: Yes
Enter the account username to connect to SA Host [root]: root
Enter the account password to connect to SA Host:
Please Re-Enter value:
Testing Endpoint connection.
Installing certificates from Host:xx.xx.16.140 Port:5671

Opening connection to xx.xx.16.140:5671...

2 certificate(s) are set to be installed in the trust store:

1 Subject CN=19dde670-f9f5-46f5-a869-72e1944032aa, OU=NetWitness Platform, O=RSA, L=Reston, ST=VA, C=US
Issuer CN=Puppet CA: 19dde670-f9f5-46f5-a869-72e1944032aa
sha1 ef 47 f6 bf 2a 38 13 3c 65 0d 21 20 5a b4 b7 f7 d7 aa 00 b2
md5 91 4c 45 09 07 06 f0 71 1b c5 aa 98 41 23 e6 b3

2 Subject CN=Puppet CA: 19dde670-f9f5-46f5-a869-72e1944032aa
Issuer CN=Puppet CA: 19dde670-f9f5-46f5-a869-72e1944032aa
sha1 24 cc 15 02 5b 74 2a c5 8e a7 dc cd 92 3b 50 ab f1 80 e9 ca
md5 92 52 22 ee 8c f1 e6 d2 38 6d 34 da f9 30 52 7e

Only certificates you trust should be added to the trust store.
Existing certificates for host xx.xx.16.140 will be removed first.
Proceed? [y/n]:y
No existing certs for were found.
Stored certificate with Subject: CN=19dde670-f9f5-46f5-a869-72e1944032aa, OU=NetWitness Platform, O=RSA, L=Reston, ST=VA, C=US
Stored certificate with Subject: CN=Puppet CA: 19dde670-f9f5-46f5-a869-72e1944032aa
Auto configuring SA Cert Trust Store...
Cleared the ssh password
Copying CA trust store to SA.
Attempting to send command over SSH
Reloading SA Trust Store with Puppet agent. This could take up to 2 minutes...
Running check lock
Attempting to send command over SSH
Attempting to send command over SSH
Attempting to send command over SSH
Puppet agent is done on the SA box
Successfully set trust store.
..........
Failed to publish/consume message to SAIM Queue
Unsuccessful connection attempt.
Removing properties for the endpoint.
Failed to connect to endpoint


Welcome to the SA IM Integration Service Manager Wizard
----------------------------------------------


1. Add Endpoint
2. Edit Endpoint
3. Delete Endpoint
4. Mode Selection
5. Test Endpoint
6. Install Certificates From Directory
7. Regenerate Certificates
8. SAIM Migration
9. RCF Migration
10. Test Syslog Client
11. Exit

Enter your choice:

 

Also, I have configured the Respond service as per the Archer integration guide.

 

 

Thanks in advance. 

 

Regards, 

Rajbir


anuragsinha18
‎2020-08-04 10:20 AM

Hi Rajbir,

 

The process of certificate exchange in NW version 11.X and above has changed. You cannot exchange certificates from UCF anymore; it's a manual process now and you have to manually copy the certificate from UCF to NetWitness and update the node.

 

Check this document, https://community.rsa.com/docs/DOC-101323, page 8.

 

Regards,

Anurag

rajbirsingh
In response to anuragsinha18
‎2020-08-04 11:47 AM

Dear Anurag, 

 

Thank you so much for your response.  

 

I am following the same guide you suggested and first copied the certificates manually; at that time I was also getting the same error "Failed to connect to endpoint" when I selected No for certificates:

 

Automatically add certs to SA Trust Store? (Yes/No) [Yes]: No

 

Then I tried selecting Yes and the error changed, as below:

 

Failed to publish/consume message to SAIM Queue
Unsuccessful connection attempt.
Removing properties for the endpoint.
Failed to connect to endpoint

Can you please share the steps or command so I can check whether the queue has been created on the NetWitness Respond server or not?

Also, if not, what troubleshooting steps can I follow to check the configuration so the queue can be created and the issue fixed?

Thanks in advance for the help.

Best Regards, 

Rajbir

anuragsinha18
In response to rajbirsingh
‎2020-08-05 12:53 AM

Hi Rajbir,

 

After copying the certs to NetWitness, did you run "orchestration-cli-client --update-admin-node" in NetWitness?

In the new process, you don't need to exchange certificates from UCF at any stage.

 

Regards,

Anurag

rajbirsingh
In response to anuragsinha18
‎2020-08-05 01:44 AM

Dear Anurag, 

 

Yes, I have run "orchestration-cli-client --update-admin-node"; it synchronized successfully without any error.

 

I am afraid that the SA server has not created the SA IM queue for Archer and further incident forwarding.

 

Can you please help me check the SA IM queue, and also let me know how we configure the RSA SA server to create the SA IM queue.

 

I have already configured the Respond service as per the steps below:

 

Configure Respond for Integration with RSA Archer® Cyber Incident & Breach Response

Step 1: Select the Mode for NetWitness Respond
1. Go to ADMIN > Services, select the Respond Server service, and then select > View > Explore.
2. Navigate to respond/integration/export.
3. Set the archer-sec-ops-integration-enabled field to true.
4. Restart the Respond service by running the following command: systemctl restart rsa-nw-respond-server

Step 2: Configure NetWitness Respond to Forward Alerts to UCF
1. Navigate to C:\Program Files\RSA\SA IM integration service\cert-tool\certs on the SecOps Middleware box.
2. Copy both keystore.crt.pem and rootcastore.crt.pem from the certs folder to the import folder of the NetWitness server:
   cp rootcastore.crt.pem /etc/pki/nw/trust/import
   cp keystore.crt.pem /etc/pki/nw/trust/import
   Note: Before you copy the files from UCF to the NetWitness Admin server, examine the files to remove any blank lines and save them.
3. SSH to the NW-server box.
   a. Run the update-admin-node command: orchestration-cli-client --update-admin-node
   b. Restart the RabbitMQ service: systemctl restart rabbitmq-server
   c. Restart the SMS service: systemctl restart rsa-sms.service
   Note: This step is mandatory to avoid receiving the "message bus down" error message, which indicates that the EventSourceMessagePublisher has failed to reconnect to RabbitMQ on restart. This can cause some features, such as deleting event sources, to function improperly.
   d. Create user archer and set permissions for the virtual host '/rsa/system':
   rabbitmqctl add_user archer archer
   rabbitmqctl clear_password archer
   rabbitmqctl set_permissions -p /rsa/system archer ".*" ".*" ".*"

 

We have already configured ESA to forward alerts to the Respond server, and incidents are being triggered on the SA server.

 

Thanks and Regards, 

Rajbir
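
An added example (not code from this thread, from RSA, or from the UCF cert-tool) for the two places this thread touches certificate trust: the fingerprints the cert-tool prompt shows before asking "Proceed? [y/n]" in the first post, and the guide's note above about removing blank lines from keystore.crt.pem / rootcastore.crt.pem before copying them to /etc/pki/nw/trust/import. It strips blank lines, computes SHA-1/MD5 fingerprints in the same spaced-hex layout the wizard prints, and passes only when every fingerprint shown matches a certificate in the PEM file. The sample PEM and wizard output are constructed and are not real certificates.

```python
import base64
import hashlib
import re

# Constructed sample, NOT a real certificate: a PEM block wrapping b"abc",
# with the kind of stray blank line the Archer integration guide says to
# remove before copying the file to /etc/pki/nw/trust/import.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n\nYWJj\n-----END CERTIFICATE-----\n"

# Constructed wizard output for that payload, in the layout the UCF
# cert-tool prints ("sha1 ef 47 f6 ..." / "md5 91 4c 45 ...").
SAMPLE_TOOL_OUTPUT = """1 Subject CN=constructed-example, O=constructed
sha1 a9 99 3e 36 47 06 81 6a ba 3e 25 71 78 50 c2 6c 9c d0 d8 9d
md5 90 01 50 98 3c d2 4f b0 d6 96 3f 7d 28 e1 7f 72
"""

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
TOOL_LINE = re.compile(r"^\s*(sha1|md5)\s+((?:[0-9a-f]{2}\s*)+)$", re.I)

def strip_blank_lines(pem_text):
    """Drop empty lines so keystore.crt.pem / rootcastore.crt.pem import cleanly."""
    return "\n".join(l for l in pem_text.splitlines() if l.strip()) + "\n"

def pem_to_der_blocks(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(pem_text)]

def fingerprint(der, algo):
    """Hash DER bytes and render them the way the cert-tool does: spaced lowercase hex."""
    digest = hashlib.new(algo, der).hexdigest()
    return " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def tool_fingerprints(tool_output):
    """Parse the 'sha1 ...' and 'md5 ...' lines out of the wizard's prompt."""
    found = {}
    for line in tool_output.splitlines():
        m = TOOL_LINE.match(line)
        if m:
            found[m.group(1).lower()] = " ".join(m.group(2).lower().split())
    return found

def verify_shown_fingerprints(tool_output, pem_text):
    """True only if every fingerprint the wizard shows matches a cert in pem_text."""
    shown = tool_fingerprints(tool_output)
    ders = pem_to_der_blocks(strip_blank_lines(pem_text))
    return bool(shown) and all(
        any(fingerprint(der, algo) == fp for der in ders) for algo, fp in shown.items())
```

Compare against a copy of the certificate taken from the SA host itself (over SSH or from its console), so the decision to type "y" rests on something other than what the remote port presented.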

 

 

anuragsinha18
‎2020-08-05 02:45 AM

The queues will be present. Check the queues using:

 

https://community.rsa.com/docs/DOC-45430 

 

I believe you must have added the other required endpoints in the UCF and the services are running. As you mentioned that incidents are expected to flow, you can check the collector.log in UCF for any errors.

 

Regards,

Anurag

rajbirsingh
In response to anuragsinha18
‎2020-08-06 11:42 AM

Dear Anurag, 

 

Thanks for the help. I found the queue is there, and when I configured Context Hub and used Archer as a data source, I am able to receive incidents at Archer, but without any summary and fields. However, we have to configure it using UCF.

And I re-ran the connection manager after importing the certificates manually on the NetWitness server (as per the steps mentioned in the Archer integration guide).

Below is the output:

Add Endpoint
----------------------------------------------


1. Security Analytics IM
2. Archer
3. Enterprise Management Endpoint
4. Exit

Enter your choice:1
Please enter a user defined endpoint name [default]: netwitness
SA Host (ex: 10.6.66.96): xx.xx.16.140
SA Messaging Port (ex: 5671) [5671]: 5671
Target Queues (GRC, Operations or All) [All]: All
Automatically add certs to SA Trust Store? (Yes/No) [Yes]: No

2 certificate(s) are set to be installed in the trust store:

1 Subject CN=19dde670-f9f5-46f5-a869-72e1944032aa, OU=NetWitness Platform, O=RSA, L=Reston, ST=VA, C=US
Issuer CN=Puppet CA: 19dde670-f9f5-46f5-a869-72e1944032aa
sha1 ef 47 f6 bf 2a 38 13 3c 65 0d 21 20 5a b4 b7 f7 d7 aa 00 b2
md5 91 4c 45 09 07 06 f0 71 1b c5 aa 98 41 23 e6 b3

2 Subject CN=Puppet CA: 19dde670-f9f5-46f5-a869-72e1944032aa
Issuer CN=Puppet CA: 19dde670-f9f5-46f5-a869-72e1944032aa
sha1 24 cc 15 02 5b 74 2a c5 8e a7 dc cd 92 3b 50 ab f1 80 e9 ca
md5 92 52 22 ee 8c f1 e6 d2 38 6d 34 da f9 30 52 7e

Only certificates you trust should be added to the trust store.
Existing certificates for host xx.xx.16.140 will be removed first.
Proceed? [y/n]:n

No certificates were added to trust store.

Data extraction may from xx.xx.xx.140 may fail if these certificates are not already present in the trust store. 

To ensure successful connection, SA server must trust the UCF CA certificates.

See the installation guide for instruction to complete this action. 

When steps are completed, press Enter.

[When I pressed Enter I got the message below]

..........
Failed to publish/consume message to SAIM Queue
Unsuccessful connection attempt.
Removing properties for the endpoint.
Failed to connect to endpoint


Welcome to the SA IM Integration Service Manager Wizard
----------------------------------------------


1. Add Endpoint
2. Edit Endpoint
3. Delete Endpoint
4. Mode Selection
5. Test Endpoint
6. Install Certificates From Directory
7. Regenerate Certificates
8. SAIM Migration
9. RCF Migration
10. Test Syslog Client
11. Exit

Enter your choice:

 

Also, I noticed the error messages below in the Respond server logs when I tried to add SA IM both ways (auto add certificate = No and auto add certificate = Yes).

Please refer to the attached screenshots:

auto add certificate = No | it shows the error below

clientinboundchannel-107 warn dataAccess| failed to retrieve data

[attached screenshot: pastedImage_1.png]

auto add certificate = Yes | it shows the error below

[attached screenshots: pastedImage_3.png, pastedImage_4.png, pastedImage_5.png, pastedImage_6.png]

 

However, now when I tried to update the admin node using "orchestration-cli-client --update-admin-node", it shows an error at the end.

Can you please suggest something? I have tried both ways to add certificates and followed the exact steps from the Archer integration guide.

 

 
