Article Number
000039728
Applies To
RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.5.x
Issue
When you run the "nw-manage --update-deploy-admin-pw" command, it may report a "Failed" status.
Cause
Generally, this issue happens when the certificate is missing from "/etc/pki/nw/peer/sa-server" or the certificate is broken.
You may see the following error in chef-solo.log of the admin server.
"Mixlib::ShellOut::ShellCommandFailed: nw_pki_openssl_hashed_cert[nw-appliance /etc/netwitness/ng/appliance/trustpeers -> ["sa-server"]] (nw-appliance::trusts line 19) had an error: Mixlib::ShellOut::ShellCommandFailed: execute[launch-peer-cert:sa-server] (/var/lib/netwitness/config-management/cache/cookbooks/nw-pki/resources/openssl_hashed_cert.rb line 66) had an error: Mixlib::ShellOut::ShellCommandFailed: Command execution failed. STDOUT/STDERR suppressed for sensitive resource"
Resolution
Note: Before performing the steps below, make sure that your "deploy_admin" account is unlocked. If your "deploy_admin" account is locked, unlock it first by following the article below (Article 000039627).
https://community.rsa.com/t5/rsa-netwitness-platform/how-to-unlock-deploy-admin-password-in-netwitness-platform/ta-p/598092
If the certificate is missing from "/etc/pki/nw/peer/sa-server", run the commands below to get the certificate and update the permissions:
# security-cli-client --get-certificates-for-service --service sa-server --output-dir /etc/pki/nw/peer/sa-server -u deploy_admin -k <deploy_admin_password> -b <Admin server IP>
# chown netwitness:nwpki /etc/pki/nw/peer/sa-server/*.pem
Once the above operations are complete, try running "nw-manage --update-deploy-admin-pw" again.
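To confirm the cause described above, and to re-check the directory after the chown step, the following added example (not RSA's own tooling) reports whether the peer certificate directory is empty, holds an unparsable certificate, or has files with the wrong owner. The function name and return codes are this example's own; it assumes every *.pem in the directory should contain an X.509 certificate and that GNU stat and the openssl CLI are available.

```shell
#!/bin/sh
# Added example: pre-check of the peer certificate directory from this article.
# Return codes are this example's own convention:
#   0 = ok, 1 = no certificate found, 2 = unparsable certificate, 3 = wrong owner
# Assumes every *.pem in the directory should hold an X.509 certificate and
# that GNU stat and the openssl CLI are available.
# Usage: check_peer_certs            (defaults to the article's path and owner)
#        check_peer_certs DIR OWNER:GROUP

check_peer_certs() {
    dir=${1:-/etc/pki/nw/peer/sa-server}
    want_owner=${2:-netwitness:nwpki}   # owner:group set by the chown step
    found=0 broken=0 badowner=0

    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue        # glob matched nothing, or not a file
        found=1
        # A truncated or corrupted file fails to parse as a certificate.
        if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
            echo "BROKEN   $pem (openssl cannot parse it)"
            broken=1
            continue
        fi
        owner=$(stat -c '%U:%G' "$pem")
        if [ "$owner" != "$want_owner" ]; then
            echo "OWNER    $pem is $owner, expected $want_owner"
            badowner=1
            continue
        fi
        echo "OK       $pem $(openssl x509 -in "$pem" -noout -subject -enddate | tr '\n' ' ')"
    done

    if [ "$found" -eq 0 ]; then
        echo "MISSING  no *.pem files in $dir"
        return 1
    fi
    [ "$broken" -eq 0 ] || return 2
    [ "$badowner" -eq 0 ] || return 3
    return 0
}
```

A return code of 1 or 2 corresponds to the two causes named in this article; 3 means the chown step still needs to be applied.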
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
Workaround
If the steps in Resolution do not work, you can try the following steps as well.
- vi /etc/netwitness/security-client/security-client-amqp.yml (Set the password in this file to the deploy_admin password. For example, if the deploy_admin password is netwitness, set "netwitness" as the password in security-client-amqp.yml.)
rsa:
security:
server:
rabbit-admin: deploy_admin
rabbit-pw: "netwitness"
pki:
verify-certificates: false
- service rsa-nw-config-server restart
- service rsa-nw-admin-server restart
- service rsa-nw-security-server restart
- service rsa-nw-orchestration-server restart
- Run "nw-manage --refresh-host --host-key <node-zero>"
After these steps, you may find that the issue is resolved.