Article Number
000039835
Applies To
RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 11.5, 11.6
Platform: CentOS
O/S Version: 7
Issue
- When an upgrade is attempted on a node-x or node-zero host that has custom certificates placed at the beginning of /etc/pki/nw/trust/truststore.pem, the chef run fails with the error below.
/var/netwitness/config-management/chef-solo.log:
[2021-07-04T09:05:17+00:00] FATAL: No valid NW hosts data was available, aborting
- Running orchestration-cli-client --list-hosts on the node failing the upgrade shows the following error.
2021-07-04 09:07:07.431 ERROR 31131 --- [ main] c.r.client.impl.SocketFrameHandler : TLS connection failed: Certificate signature validation failed
2021-07-04 09:07:07.461 ERROR 31131 --- [ main] c.r.n.i.o.c.OrchestrationApplication : Application startup failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'jobMessageListenerContainer' defined in class path resource [com/rsa/netwitness/infrastructure/orchestration/client/OrchestrationConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer]: Factory method 'jobMessageListenerContainer' threw exception; nested exception is org.springframework.amqp.AmqpIOException: javax.net.ssl.SSLHandshakeException: Certificate signature validation failed
Cause
This issue is caused by the custom certificate entries in /etc/pki/nw/trust/truststore.pem.
Resolution
Apply the steps below on the node where the errors appear.
- Log in to the host using PuTTY.
- Stop the rabbitmq-server service using the systemctl stop rabbitmq-server command.
- Back up /etc/pki/nw/trust/truststore.pem using the cp /etc/pki/nw/trust/truststore.pem /root/ command.
- Run the command below to prepend the correct CA certificate to the truststore:
cat /etc/pki/nw/ca/nwca-cert.pem | cat - /etc/pki/nw/trust/truststore.pem > /tmp/out && mv -f /tmp/out /etc/pki/nw/trust/truststore.pem
- Verify that orchestration-cli-client --list-hosts now runs successfully on the host.
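
An idempotent form of the backup and prepend steps above, as an added example that is not part of the original article or of RSA's tooling: it compares the first certificate block in the truststore with the CA certificate and rewrites the file only when they differ. The function names and the argument-based paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article). Paths are passed as arguments; on the
# affected host they would be /etc/pki/nw/ca/nwca-cert.pem and
# /etc/pki/nw/trust/truststore.pem.

# Print the base64 body of the first CERTIFICATE block in a PEM file, with
# whitespace removed so line wrapping and CRLF endings do not matter.
first_cert_body() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inblk = 1; next }
        /-----END CERTIFICATE-----/   { if (inblk) exit }
        inblk { gsub(/[ \t\r]/, ""); printf "%s", $0 }
    ' "$1"
}

# Return 0 if the truststore's first certificate is the CA certificate.
ca_is_first() {
    ca_body=$(first_cert_body "$1")
    [ -n "$ca_body" ] && [ "$ca_body" = "$(first_cert_body "$2")" ]
}

# Prepend the CA to the truststore unless it is already the first entry.
# Usage: prepend_ca CA_PEM TRUSTSTORE BACKUP_DIR
prepend_ca() {
    ca=$1; trust=$2; backup_dir=$3
    [ -s "$ca" ] && [ -f "$trust" ] || { echo "missing input file" >&2; return 2; }
    [ -n "$(first_cert_body "$ca")" ] || { echo "no certificate in $ca" >&2; return 2; }
    if ca_is_first "$ca" "$trust"; then
        echo "CA already first in $trust; nothing to do"
        return 0
    fi
    cp -p "$trust" "$backup_dir/" || return 1
    tmp=$(mktemp "$trust.XXXXXX") || return 1
    # Build the new file next to the original, then overwrite in place so the
    # truststore keeps its existing owner and mode.
    if cat "$ca" "$trust" > "$tmp" && cat "$tmp" > "$trust"; then
        rm -f "$tmp"
    else
        rm -f "$tmp"; return 1
    fi
}
```

On the affected host, after stopping rabbitmq-server, the call would be `prepend_ca /etc/pki/nw/ca/nwca-cert.pem /etc/pki/nw/trust/truststore.pem /root`.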