Article Number
000032272
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Event Stream Analysis (ESA)
RSA Version/Condition: 10.3.x
Platform: CentOS
O/S Version: EL6
Issue
The ESA service keeps crashing. To verify the cause, SSH to the ESA server first and verify by executing the following:
- From the command prompt verify the current state of the ESA service.
service rsa-esa status
- If the command shows the service is not running, start the service.
service rsa-esa start
- When rsa-esa has been started, it is observed that the service still fails to run, as shown below.
Image description - A visual check of the service restart attempt in /opt/rsa/esa/logs/esa.log reveals an error similar to the example below.
Caused by: com.rsa.netwitness.carlos.licensing.LicenseException: Error initializing the license manager: Failed file read.
at com.rsa.netwitness.carlos.licensing.fne.AbstractLicenseManager.initialize(AbstractLicenseManager.java:155)
at com.rsa.netwitness.carlos.licensing.FlxManager.<init>(FlxManager.java:45)
at com.rsa.netwitness.carlos.licensing.FlxManager.getInstance(FlxManager.java:33)
Cause
The ESA service will fail to start if the license trusted storage files become corrupt.
Resolution
This has been determined to be a stability issue by RSA engineering.
While it has only been observed on 10.3.x, this may occur on later releases up to version 10.5 where the licencing model has been reworked to prevent trust store issues from affecting service status.
Should this issue be seen, recreate the trusted storage on the ESA server as listed in the workaround section of this article.
Workaround
SSH to the ESA server, and run the commands below to recreate the trust storage.
- Navigate to the appropriate directory.
cd /opt/rsa/esa
- Rename the trustedStorage file.
mv trustedStorage /tmp/trustedStorage.old<todays_date>
- Start the rsa-esa service.
service rsa-esa start
- Confirm that the service has started.
service rsa-esa status
Upon a successful restart of the service, the trust storage files is recreated as /opt/rsa/esa/trustedStorage.
Note that since the trustedStorage file contains bits that include actual licensing information, the service will no longer be licensed in the Security Analytics UI.
Re-license the ESA server on the SA server by navigating in the Security Analytics UI to the
Administration ->
Devices page.