Certificates disappear from the RSA SA GUI but are still available on the LogDecoder.

Hello RSA Admins,

While trying to upload a certificate in my lab, I noticed that the certificates suddenly disappeared from the SA GUI, but they were still available on the LogDecoder.

Most likely this happens when a certificate whose “subject” field was left empty by the certificate authority that originally generated it is uploaded to the RSA LogDecoder/Collector. Uploading such a certificate messes up the SA appliance GUI: any certificate uploaded afterwards will not appear in the GUI, and deleting these certificates from the LogDecoder/Collector appliance using the CLI will not help or solve the problem, because they remain on the system in a different path that you will not find easily. The best practice is to delete them from the LogDecoder/Collector using the GUI commands (this removes them from the system completely, as discussed below), not the CLI commands.

If this has already happened and you deleted the certificates using the CLI, follow the step-by-step procedure below to solve the issue.

By the way, RSA says this is a bug in the system that was fixed in new releases starting from 10.5.2. If you are on an earlier version and plan to upgrade to a new version hoping this will solve the problem, please do not do it, as you will only waste your time 😉

First of all, I will show you that once the system is in this state, newly uploaded certificates will not appear in the GUI but are still present on the system.

And here is the error you will get if you tail /var/log/messages:

Caused by: com.rsa.netwitness.carlos.transport.TransportException: No such node (certs).

1- Go to Administration -> Services -> Log Collector -> View -> Config to upload the new certificate.

2- Go to Settings -> Certificates.

3- Select + Add Cert:

4- Browse and select your new cert:

5- Save. As you can see, it tells you “Certificate was added successfully”, but the certificate does not appear in the GUI ;).

6- If you noticed, the system is on the new version 10.6 and the certificate is still not there, because the system is already affected by this issue.

7- All uploaded certificates are stored in /etc/netwitness/ng/truststore/ on the logcollector.

If you do not know which one is the wrong certificate and you delete all of these certificates using the CLI, this will not help; you must know the certificate name in order to delete it from the GUI.
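To find out in advance whether a certificate has the empty Subject that triggers this problem, here is an added example (not code from the original post or from RSA): a standard-library Python check that walks the certificate's DER structure and reports an empty Subject, with two constructed, unsigned sample certificates built inline so it runs without openssl. It assumes the files you feed it are ordinary PEM certificates; the truststore path and file names are not assumed.

```python
# Added example (not from the original post or from RSA): pre-upload check that
# flags a PEM certificate whose Subject is empty; sample certificates are constructed.
import base64, re

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        yield tag, v

def subject_is_empty(der):
    """True when tbsCertificate.subject is an empty Name (SEQUENCE of length 0)."""
    _, cert, _ = _tlv(der, 0)                    # Certificate ::= SEQUENCE
    fields = list(_children(next(_children(cert))[1]))   # tbsCertificate fields
    if fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version
        fields = fields[1:]
    return len(fields[4][1]) == 0                # serial, sigalg, issuer, validity, subject

def pem_to_der(pem_text):
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return base64.b64decode("".join(body.split()))

# --- constructed, unsigned sample certificates (input for the check only) ---
def _enc(tag, value):
    n = len(value)                               # samples stay under 256 bytes
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + value

def _name(cn):
    """X.501 Name: empty SEQUENCE for no subject, else a single CN RDN."""
    attr = _enc(0x06, b"\x55\x04\x03") + _enc(0x0C, cn.encode())
    return _enc(0x30, _enc(0x31, _enc(0x30, attr)) if cn else b"")

def make_sample_pem(subject_cn):
    alg = _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _enc(0x05, b""))
    validity = _enc(0x30, _enc(0x17, b"240101000000Z") + _enc(0x17, b"250101000000Z"))
    spki = _enc(0x30, alg + _enc(0x03, b"\x00\x30\x03\x02\x01\x03"))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + alg
               + _name("LabCA") + validity + _name(subject_cn) + spki)
    cert = _enc(0x30, tbs + alg + _enc(0x03, b"\x00" * 9))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()
```

Run subject_is_empty(pem_to_der(open(path).read())) over the files in /etc/netwitness/ng/truststore/ (or the certificate you are about to upload); any True is a certificate to remove through the GUI, not the CLI.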

Anyway, here is the path to the certificate map that messed up the system.

8- Look at (cat) /etc/netwitness/ng/logcollector/runtime/certificatemap to find the certificate and its name.

9- Now that we have found the certificate and its name, we should delete it correctly from the GUI. To do so, go to Administration -> Services -> Log Collector -> View -> Explore -> logcollection -> Properties for logdecoder – Log Collector, select “certmgmt”, and in the Parameters type “op=delete name=amin” and click Send. The Response Output will show that the user admin has deleted certificate ‘amin’.

10- Now check the path again; the certificate will be gone. 😉

11- Before uploading again, stop and start the collector service: stop nwlogcollector / start nwlogcollector

12- Stop/start jettysrv on the SA appliance.

13- Now upload a new certificate, and it will be there for you, my friend.

14- Enjoy it 😉

About Blogger …

Amin Khalil (VMware VCP-DCV, VCPC, VTSP, RSA Security Analytics)

Amin Khalil is a Technology Expert Engineer and publisher at the AzureDummies blog. He also holds many certifications in VMware, RSA Security, EMC and Dell.
Amin is currently working at Specialized Technical Services Company (STS).