Troubleshooting

This topic provides information about possible issues that NetWitness users may encounter when configuring the System Security and User Management settings in NetWitness. You can look up explanations of issues and their solutions.

Users are able to create a password of 8 characters or fewer despite the configured minimum password length of 9 characters in Version 11.3

Problem: When NetWitness was upgraded from 11.2 or an earlier version to Version 11.3, the administrator did not set the minimum password length to 9 characters.

Solution: In 11.2 and earlier versions, the minimum password length is 8. In Version 11.3, the minimum password length changed to 9. If you upgrade or update from an earlier version to 11.3, users can still create a password of 8 characters until you explicitly set the minimum password length to 9 characters as described in Configure Password Complexity.

Unable to log in to NetWitness Platform using SSO

Problem: The administrator configured SSO incorrectly and is unable to log in to NetWitness.

Solution:

Manual Steps to Disable SSO

To resolve this issue, you must disable SSO manually using the following commands:

  1. SSH to the admin server node.
  2. Connect to nw-shell.
  3. Connect to the admin server service using the connect --service admin-server command.
  4. Log in to the admin server using the login command.
  5. Enter the admin username and password.
  6. Execute the following commands:
       • cd /rsa/security/authentication/web/saml/sso-enabled
       • set false
       • logout
       • exit
       • systemctl restart rsa-nw-admin-server


Unable to connect to IDP and request session has timed out

  • Check if the admin server is able to reach the specific IDP metadata URL.
  • Check if the IDP can be accessed over the internet. If not, configure the proxy and try again.

SSL handshake failed as the certificate is not verified

  • Enable the trust-all-certs-for-idp-metadata flag in the explorer view of admin-server by navigating to RSA>Security>Authentication>Web>SAML.
  • Import the SSL certificate of the IDP metadata server into the JVM trust store by running the following command on the Admin node:
    keytool -import -trustcacerts -file /root/selfsignedadfs.cer -alias selfsignedcert -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.222.b10-0.el7_6.x86_64/jre/lib/security/cacerts

SSL handshake failed as the hostname is not verified

  • Check that the IDP metadata server's SSL certificate has a valid DN and that it matches the server hostname.
  • Enable the trust-all-certs-for-idp-metadata flag in the explorer view of admin-server by navigating to RSA>Security>Authentication>Web>SAML.
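
To tell which of the three preceding entries applies before changing any setting, the following added example (not RSA tooling and not part of the original page) probes the IDP metadata host with openssl s_client and maps the verify result to the matching entry. It assumes openssl 1.0.2 or later and the coreutils timeout command on the node; the host name in the sample and the optional CA file argument are placeholders, and openssl checks against the OS trust store (or the PEM file you pass), not the JVM cacerts store that the keytool command above updates.

```sh
#!/bin/sh
# Added example (not RSA tooling). Assumes openssl 1.0.2+ and coreutils timeout.

# Map `openssl s_client` output to a finding via its first "Verify return code".
classify_verify_output() {
    code=$(printf '%s\n' "$1" |
        sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    case "$code" in
        '')          echo "no-tls-session" ;;        # no handshake summary at all
        0)           echo "ok" ;;
        62)          echo "hostname-mismatch" ;;     # X509_V_ERR_HOSTNAME_MISMATCH
        18|19|20|21) echo "untrusted-certificate" ;; # self-signed or unknown issuer
        10)          echo "expired-certificate" ;;
        *)           echo "other-verify-error-$code" ;;
    esac
}

# Name the troubleshooting entry on this page that matches a finding.
page_section() {
    case "$1" in
        no-tls-session)        echo "Unable to connect to IDP and request session has timed out" ;;
        untrusted-certificate) echo "SSL handshake failed as the certificate is not verified" ;;
        hostname-mismatch)     echo "SSL handshake failed as the hostname is not verified" ;;
        ok)                    echo "No TLS verification problem found" ;;
        *)                     echo "Not covered on this page: $1" ;;
    esac
}

# Probe HOST [PORT] [CAFILE]; CAFILE is an optional PEM trust anchor (hypothetical path).
probe_idp() {
    host=$1; port=${2:-443}; cafile=${3:-}
    # ${cafile:+...} adds "-CAfile <path>" only when a CA file was given.
    out=$(timeout 15 openssl s_client -connect "$host:$port" -servername "$host" \
        -verify_hostname "$host" ${cafile:+-CAfile "$cafile"} </dev/null 2>&1) || true
    classify_verify_output "$out"
}

# Constructed sample of s_client output, so the script also runs offline.
SAMPLE_OUTPUT='depth=0 CN = adfs.example.internal
verify error:num=18:self signed certificate
    Verify return code: 18 (self signed certificate)'

if [ "$#" -ge 1 ]; then
    page_section "$(probe_idp "$@")"
else
    page_section "$(classify_verify_output "$SAMPLE_OUTPUT")"
fi
```

Passing the IDP certificate as the third argument (PEM format) shows whether trusting that certificate alone would clear the error, or whether a hostname mismatch would remain after the import.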

Failover IP address changed

Perform the following manual steps to configure the new IP address.

1. Disable SSO using nw-shell after failover from the new IP address. For more information, see Manual Steps to Disable SSO.

2. Generate the new metadata and re-upload it in ADFS. For more information, see the Configure SAML 2.0 provider settings for portals topic in Microsoft documentation.