NetWitness Host Upgrade fails when custom certificates are added to truststore.pem file

Issue

  1. When an upgrade is attempted on a node-x or node-zero host that has custom certificates placed at the beginning of /etc/pki/nw/trust/truststore.pem, the chef run fails with the error below.
    /var/netwitness/config-management/chef-solo.log:
    [2021-07-04T09:05:17+00:00] FATAL: No valid NW hosts data was available, aborting
  2. Running orchestration-cli-client --list-hosts on the node failing the upgrade shows the following error.
    2021-07-04 09:07:07.431 ERROR 31131 --- [ main] c.r.client.impl.SocketFrameHandler : TLS connection failed: Certificate signature validation failed
    2021-07-04 09:07:07.461 ERROR 31131 --- [ main] c.r.n.i.o.c.OrchestrationApplication : Application startup failed

    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'jobMessageListenerContainer' defined in class path resource [com/rsa/netwitness/infrastructure/orchestration/client/OrchestrationConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer]: Factory method 'jobMessageListenerContainer' threw exception; nested exception is org.springframework.amqp.AmqpIOException: javax.net.ssl.SSLHandshakeException: Certificate signature validation failed

Cause

This issue is caused by custom certificate entries at the beginning of /etc/pki/nw/trust/truststore.pem.

Resolution

Apply the steps below on the node where the errors appear.
  1. Log in to the host via SSH.
  2. Stop the rabbitmq-server service using the systemctl stop rabbitmq-server command.
  3. Back up /etc/pki/nw/trust/truststore.pem using the cp /etc/pki/nw/trust/truststore.pem /root/ command.
  4. Run the command below to prepend the correct CA certificate to the truststore:
    cat /etc/pki/nw/ca/nwca-cert.pem | cat - /etc/pki/nw/trust/truststore.pem > /tmp/out && mv -f /tmp/out /etc/pki/nw/trust/truststore.pem
     
  5. Verify that orchestration-cli-client --list-hosts now runs successfully on the host.
  6. Start the rabbitmq-server service: systemctl start rabbitmq-server
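
To check the result of step 4, the following added example (not part of the original article or of NetWitness tooling) reports where the certificate from /etc/pki/nw/ca/nwca-cert.pem sits inside the truststore bundle. The function names are hypothetical, and the check only compares PEM blocks textually.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical, paths are the article's.
# Compares PEM blocks textually; it does not validate signatures or expiry.

# Print every certificate in a PEM bundle as one line of base64.
pem_blocks() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inblock) print body; inblock = 0; next }
        inblock { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# Print the 1-based positions of the CA certificate inside the bundle,
# space-separated; prints an empty line when the CA is absent.
ca_positions() {
    local bundle="$1" ca="$2" want
    want=$(pem_blocks "$ca" | head -n 1)
    [ -n "$want" ] || return 2          # CA file holds no certificate
    pem_blocks "$bundle" | awk -v want="$want" '
        ($0 "") == (want "") { printf "%s%d", sep, NR; sep = " " }
        END { print "" }'
}

# Succeed only when the first certificate in the bundle is the CA.
ca_is_first() {
    local pos
    pos=$(ca_positions "$1" "$2") || return 2
    [ "${pos%% *}" = "1" ]
}

# Human-readable report; defaults are the files named in the article.
check_truststore() {
    local bundle="${1:-/etc/pki/nw/trust/truststore.pem}"
    local ca="${2:-/etc/pki/nw/ca/nwca-cert.pem}" total pos
    total=$(pem_blocks "$bundle" | wc -l | tr -d ' ')
    pos=$(ca_positions "$bundle" "$ca") || { echo "no certificate in $ca"; return 2; }
    echo "certificates in bundle: $total; CA at position(s): ${pos:-none}"
    if ca_is_first "$bundle" "$ca"; then
        echo "OK: CA certificate is the first entry"
    else
        echo "NOT OK: CA certificate is not the first entry"
        return 1
    fi
}
```

Call check_truststore with no arguments on the affected host before and after step 4. After the prepend the CA should be reported at position 1, and it may also appear at a later position if the bundle already contained it.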


Product Details

NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: NetWitness Logs & Packet
NetWitness Version/Condition: 11.x, 12.x
Platform: CentOS / AlmaLinux
O/S Version: 7 / 8.9

Summary

This document outlines the procedure to update NetWitness hosts.

