Troubleshoot Archer Integration
This section provides resolutions to common problems that you may encounter while configuring Archer
Cyber Incident & Breach Response 1.3.1.2 with NetWitness Respond.
Problem |
After adding the endpoint for IM: NetWitness Respond the Certificate Authority truststore fails to set. |
Solution |
- Make sure that the SSH credentials for the host are valid.
- If the credentials are correct, but the error still occurs, manually copy certificates.
|
Problem
|
Remediation Tasks being pushed to the operations queue through the UCF are not appearing in Archer Cyber Incident & Breach Response as Findings. |
Solution |
- Open the Connection Manager using the command prompt:
- Change directories to <install_dir>\SA IM integration service\data-collector.
- Type: runConnectionManager.bat
- Enter 2 to edit endpoint.
- Enter 3 to Respond.
- Make sure the Target Queue is set to All or Operations.
|
Problem
|
In the <install_dir>\SA IM integration service\logs\collector.log, there are SSL errors between and RSA Unified Collector Framework. |
Solution |
- Verify that the SSL certificates are valid.
certificates are valid for two years.
- If your certificates are expired, regenerate and copy the expired certificates.
To regenerate and copy the certificates:
- In the Command Prompt, go to <install_dir>\SA IM integration service\data-collector.
- Enter
runConnectionManager.bat
-
Enter the number for Regenerate Integration Service Certificate.
- In the Respond endpoint, in Connection Manager, enter the number for Edit Endpoint.
- Enter Yes to copy the certificates automatically to the trust store.
If certificates fail to copy, manually copy the certificates.
|
Problem |
unable to forward incidents to UCF. |
Solution |
- In the collector config (
C:\PROGRAM FILES\RSA\SA IM INTEGRATION SERVICE\CONFIG\collector-config ), change the following: im.virtualhost=/rsa/im/integration to im.virtualhost=/rsa/system
- Restart UCF. For more information on restarting UCF, see Start the Unified Collector Framework.
- In the data collector (C:\PROGRAM FILES\RSA\SA IM INTEGRATION SERVICE\data-collector), double click on the following file to run it.
runConnectionmanager.bat
|