This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Knowledge Base Archive
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Unable to Access the Admin Server UI due to missing CA Certificates in truststore.pem file on NetWitness Platform 11.6.0

Article Number

000039806

Applies To

RSA Product Set: NetWitness Platform
RSA Product/Service Type: Admin Server (UI)
RSA Version/Condition: 11.6.0.0
Platform: CentOS
O/S Version: 7

Issue

Unable to access the Admin Server UI. "Unknown ca" SSL HandshakeException appears in the sa.log due to missing CA certificates in the truststore.pem file.

Cause

Unable to access the Admin Server UI due to the following CA certificates missing, which are used by the truststore PEM file (/etc/pki/nw/trust/truststore.pem).
  • /etc/pki/nw/ca/nwca-cert.pem
  • /etc/pki/nw/ca/ssca-cert.pem
The following exceptions or errors are seen in the specified logs:

Error Message 1
javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
Logs
/var/netwitness/uax/logs/sa.log
/opt/rsa/sms/logs/sms.log

Error Message 2
Federation exchange 'carlos.xx.xx.xx' in vhost '/rsa/system' did not connect to exchange 'carlos.xx.xx.xx' in vhost '/rsa/system' on amqps://<node-x-ip>:5671 {error,{tls_alert,"unknown ca"}}
Logs
/var/log/rabbitmq/rabbit@<uuid>.log

Error Message 3
[MessageListenerContainer-17593] ERROR c.r.a.l.e.t.LaunchMessageListenerContainer|Failed to check/redeclare auto-delete queue(s). org.springframwork.amqp.AmqpIOException: javax.net.ssl.SSLException: Fatal Alert received: {48}
Logs
/var/log/netwitness/admin-server/admin-server.log
/var/log/netwitness/config-server/config-server.log
/var/log/netwitness/orchestration-server/orchestration-server.log
/var/log/netwitness/security-server/security-server.log

 

Resolution

To regenerate the missing certificates and access the Admin Server UI, perform the following steps.

 
  1. Move the existing truststore PEM files at /etc/pki/nw/ to a different location.
mkdir -p /tmp/truststore.bkp
mv /etc/pki/truststore.pem /etc/pki/nw/truststore.pem.idx /tmp/truststore.bkp
 
  1. Run chef recipe: [nw-pki:truststores] to regenerate the truststore PEM files.
chef-client -z -c /var/netwitness/config-management/client.rb -r 'recipe[nw-pki:truststores]'
 
  1. Verify if the nwca-cert.pem and the ssca-cert.pem certificates are available in the newly generated truststore.pem.idx file
[root@adminserver]# cat /etc/pki/nw/trust/truststore.pem.idx
/etc/pki/nw/ca/nwca-cert.pem
/etc/pki/nw/ca/ssca-cert/pem
 
  1. Restart the RabbitMQ service.
systemctl restart rabbitmq-server
 
  1. Login to the Admin server's UI.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2021-07-29 06:20 AM
Updated by:
Administrator Administrator

Related Content

© 2022 RSA Security LLC or its affiliates. All rights reserved.