Configure NetWitness Endpoint Alerts to Respond

This procedure is required to integrate NetWitness Endpoint with NetWitness so that the NetWitness Endpoint alerts are picked up by the Respond component of NetWitness and displayed in the Respond > Alerts view.

Note: NetWitness supports NetWitness Endpoint versions 4.3.0.4, 4.3.0.5, 4.4, 4.4.0.2, or later for NetWitness Respond integration. For more information, see the "NetWitness Suite Integration" topic in the NetWitness Endpoint User Guide.

The diagram below shows how NetWitness Endpoint alerts flow to the Respond Incident List view of NetWitness and are displayed in the Respond > Alerts view.

[Diagram: NetWitness Endpoint alert flow to Respond]

Prerequisites

Ensure that you have the following:

  • The Respond service is installed and running on NetWitness.
  • NetWitness Endpoint 4.3.0.4, 4.3.0.5, 4.4, 4.4.0.2, or later is installed and running.

Configure NetWitness Endpoint to Forward NetWitness Endpoint Alerts

To configure NetWitness Endpoint to send alerts to the Respond component of NetWitness:

  1. In the NetWitness Endpoint user interface, click the Configure icon > Monitoring and External Components.

    The External Components Configuration dialog is displayed.

  2. From the components listed, select Incident Message Broker and click + to add a new IM broker.
  3. Enter the following fields:

    a. Instance Name: Enter a unique name to identify the IM broker.
    b. Server Hostname/IP address: Enter the host DNS name or IP address of the IM broker (the NetWitness Server).
    c. Port number: The default port is 5671.
  4. Click Save.
  5. Navigate to the ConsoleServer.exe.config file in C:\Program Files\RSA\ECAT\Server.
  6. Modify the virtual host configuration in the file as follows:
    <add key="IMVirtualHost" value="/rsa/system" />

    Note: In NetWitness 11.0 and 11.1, the virtual host is "/rsa/system". For version 10.6.x and below, the virtual host is "/rsa/sa".

  7. Restart the API Server and Console Server.

  8. To set up SSL for Respond alerts, perform the following steps on the NetWitness Endpoint primary console server:

    a. Export the NetWitness Endpoint CA certificate in .CER format (Base-64 encoded X.509) from the personal certificate store of the local computer (without selecting the private key).
    b. Generate a client certificate for NetWitness Endpoint signed by the NetWitness Endpoint CA certificate. (You MUST set the CN to ecat. Run the cmd.exe console with Administrator rights.)

      makecert -pe -n "CN=ecat" -len 2048 -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.2 -in "NweCA" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -cy end -sy 12 c:\client.cer

      Note: In the previous code sample, if you upgraded to version 4.3 (or later) from a previous version and did not generate new certificates, substitute "EcatCA" for "NweCA".
      Alternatively, if your operating system has PowerShell version 5.1 or later, you can use the following code sample:

      PS C:\> New-SelfSignedCertificate -KeyExportPolicy Exportable -Subject "CN=ecat" -KeyAlgorithm RSA -KeyLength 2048 -CertStoreLocation "cert:\LocalMachine\My" -HashAlgorithm SHA256 -KeySpec KeyExchange -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.1") -Provider "Microsoft RSA SChannel Cryptographic Provider" -KeyUsage DigitalSignature, KeyEncipherment, KeyAgreement -Signer (Get-ChildItem -Path Cert:\LocalMachine\My\ -DnsName NweCA) -NotAfter (Get-Date).AddYears(5); Export-Certificate -Cert (Get-ChildItem -Path Cert:\LocalMachine\My\ -DnsName ecat) -FilePath C:\Client.cer

    c. Make a note of the thumbprint of the client certificate generated in step b. Enter the thumbprint value of the client certificate in the IMBrokerClientCertificateThumbprint setting of the ConsoleServer.exe.config file, as shown in this example:

      <add key="IMBrokerClientCertificateThumbprint" value="896df0efacf0c976d955d5300ba0073383c83abc"/>

  9. On the NetWitness Server, copy the NetWitness Endpoint CA certificate file (.CER format) into the import folder:

    /etc/pki/nw/trust/import

  10. Issue the following command to initiate the necessary Chef run:
    orchestration-cli-client --update-admin-node
    This appends the certificates in the import folder to the truststore.

  11. Restart the RabbitMQ server:
    systemctl restart rabbitmq-server
    The NetWitness Endpoint account should automatically be available in RabbitMQ.

  12. Copy the /etc/pki/nw/ca/nwca-cert.pem and /etc/pki/nw/ca/ssca-cert.pem files from the NetWitness Server and import them into the Trusted Root Certification Authorities store on the NetWitness Endpoint server.
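As an added example (not RSA's tooling) tying the SSL sub-steps above together: once the client certificate exists, this PowerShell script checks it, writes its thumbprint and the virtual host into ConsoleServer.exe.config, and exports the CA certificate in the Base-64 .CER form the NetWitness Server import folder expects. It assumes the certificate subjects CN=ecat and CN=NweCA (or CN=EcatCA) in Cert:\LocalMachine\My and that the config keys can be located by their key attribute.

```powershell
# Added example, not RSA's own tooling. Assumptions: the client certificate has Subject
# CN=ecat and the CA has Subject CN=NweCA (CN=EcatCA after an in-place upgrade), both in
# Cert:\LocalMachine\My; ConsoleServer.exe.config holds <add key="..." value="..."/>
# entries that can be located by their key attribute. Run from an elevated PowerShell.
param(
    [string]$ConfigPath   = 'C:\Program Files\RSA\ECAT\Server\ConsoleServer.exe.config',
    [string]$CaSubject    = 'CN=NweCA',     # 'CN=EcatCA' if certificates predate 4.3
    [string]$VirtualHost  = '/rsa/system',  # '/rsa/sa' for NetWitness 10.6.x and below
    [string]$CaExportPath = 'C:\NweCA.cer'
)
$ErrorActionPreference = 'Stop'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

# 1. Locate the CA and the newest client certificate it issued in the machine store.
$ca = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $CaSubject } | Select-Object -First 1
if (-not $ca) { throw "CA certificate '$CaSubject' not found in LocalMachine\My" }
$client = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=ecat' -and $_.Issuer -eq $ca.Subject } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $client) { throw "No client certificate with CN=ecat issued by $CaSubject" }

# 2. Checks the broker TLS handshake would otherwise fail on without a clear message.
if (-not $client.HasPrivateKey) { throw 'Client certificate has no private key in this store' }
$eku = $client.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }))) {
    throw "Client certificate lacks the Client Authentication EKU ($clientAuthOid)"
}

# 3. Write thumbprint and virtual host into ConsoleServer.exe.config (keep a backup).
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
[xml]$cfg = Get-Content -Path $ConfigPath -Raw
$settings = @{ IMBrokerClientCertificateThumbprint = $client.Thumbprint; IMVirtualHost = $VirtualHost }
foreach ($key in $settings.Keys) {
    $node = $cfg.SelectSingleNode("//add[@key='$key']")
    if (-not $node) { throw "Setting $key not found in $ConfigPath" }
    $node.SetAttribute('value', $settings[$key])
}
$cfg.Save($ConfigPath)

# 4. Export the CA public certificate as Base-64 X.509 (64-char lines) for the
#    NetWitness Server's /etc/pki/nw/trust/import folder; no private key is written.
$b64 = [Convert]::ToBase64String($ca.RawData)
$pem = @('-----BEGIN CERTIFICATE-----') + ($b64 -split '(.{64})' | Where-Object { $_ }) + '-----END CERTIFICATE-----'
Set-Content -Path $CaExportPath -Value $pem -Encoding Ascii
Write-Host "Thumbprint $($client.Thumbprint) written to $ConfigPath; CA exported to $CaExportPath"
```

Restart the API Server and Console Server after running it, since the config file is only read at service start.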

Troubleshooting

This section suggests how to resolve problems you may encounter when you configure NetWitness Endpoint alerts to Respond.

Known Issue: Orchestration fails on the admin node.
Solution: Copy the content of the NweCA or EcatCA certificate into /etc/rabbitmq/ssl/truststore.pem and restart the RabbitMQ service.