
NetWitness Unable to Access the Admin Server UI due to missing CA Certificates in truststore.pem file on NetWitness Platform

Issue

The Admin Server UI cannot be accessed. An "unknown ca" SSLHandshakeException appears in sa.log because CA certificates are missing from the truststore.pem file.

Cause

The Admin Server UI is inaccessible because the following CA certificates are missing from the truststore PEM file (/etc/pki/nw/trust/truststore.pem):
  • /etc/pki/nw/ca/nwca-cert.pem
  • /etc/pki/nw/ca/ssca-cert.pem
The following exceptions or errors are seen in the specified logs:

Error Message 1
javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
Logs
  • /var/netwitness/uax/logs/sa.log
  • /opt/rsa/sms/logs/sms.log


Error Message 2
Federation exchange 'carlos.xx.xx.xx' in vhost '/rsa/system' did not connect to exchange 'carlos.xx.xx.xx' in vhost '/rsa/system' on amqps://<node-x-ip>:5671 {error,{tls_alert,"unknown ca"}}
Logs
  • /var/log/rabbitmq/rabbit@ .log


Error Message 3
[MessageListenerContainer-17593] ERROR c.r.a.l.e.t.LaunchMessageListenerContainer|Failed to check/redeclare auto-delete queue(s). org.springframework.amqp.AmqpIOException: javax.net.ssl.SSLException: Fatal Alert received: {48}

Logs
  • /var/log/netwitness/admin-server/admin-server.log
  • /var/log/netwitness/config-server/config-server.log
  • /var/log/netwitness/orchestration-server/orchestration-server.log
  • /var/log/netwitness/security-server/security-server.log


Resolution

To regenerate the missing certificates and access the Admin Server UI, perform the following steps.

  1. Move the existing truststore PEM files under /etc/pki/nw/ to a different location.
     mkdir -p /tmp/truststore.bkp
     mv /etc/pki/nw/trust/truststore.pem /etc/pki/nw/trust/truststore.pem.idx /tmp/truststore.bkp

  2. Run the chef recipe [nw-pki::truststores] to regenerate the truststore PEM files.
     chef-client -z -c /var/netwitness/config-management/client.rb -r 'recipe[nw-pki::truststores]'

  3. Verify that the nwca-cert.pem and ssca-cert.pem certificates are listed in the newly generated truststore.pem.idx file.
     [root@adminserver]# cat /etc/pki/nw/trust/truststore.pem.idx
     /etc/pki/nw/ca/nwca-cert.pem
     /etc/pki/nw/ca/ssca-cert.pem

  4. Restart the RabbitMQ service.
     systemctl restart rabbitmq-server

  5. Log in to the Admin Server UI.
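
The verification step above only shows that the two CA paths are listed in truststore.pem.idx. The shell functions below are an added example, not NetWitness code: they also confirm that each CA certificate body is actually present in truststore.pem. The function names pem_bodies and check_truststore are hypothetical, and the index is assumed to hold one certificate path per line, as in the output shown in the verification step.

```shell
# Added example (not NetWitness code). Function names are hypothetical.

# Print each certificate in a PEM file as one line of base64, so that
# differences in line wrapping do not affect the comparison.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# check_truststore BUNDLE IDX CA_CERT...
# Returns 0 only if every CA_CERT is listed in IDX and present in BUNDLE.
# Assumes IDX holds one certificate path per line (as in the article's output).
check_truststore() {
    bundle=$1; idx=$2; shift 2
    missing=0
    if [ ! -r "$bundle" ] || [ ! -r "$idx" ]; then
        echo "cannot read $bundle or $idx" >&2
        return 2
    fi
    bundle_bodies=$(pem_bodies "$bundle")
    for ca in "$@"; do
        if ! grep -qxF -- "$ca" "$idx"; then
            echo "NOT LISTED  $ca (absent from $idx)"; missing=1
        fi
        ca_body=$(pem_bodies "$ca" 2>/dev/null | head -n 1)
        if [ -z "$ca_body" ]; then
            echo "UNREADABLE  $ca"; missing=1
        elif printf '%s\n' "$bundle_bodies" | grep -qxF -- "$ca_body"; then
            echo "PRESENT     $ca"
        else
            echo "MISSING     $ca (not in $bundle)"; missing=1
        fi
    done
    return "$missing"
}

# Paths from this article; runs only where the trust bundle exists.
if [ -r /etc/pki/nw/trust/truststore.pem ]; then
    check_truststore /etc/pki/nw/trust/truststore.pem \
        /etc/pki/nw/trust/truststore.pem.idx \
        /etc/pki/nw/ca/nwca-cert.pem /etc/pki/nw/ca/ssca-cert.pem
fi
```

An exit status of 0 means both CA certificates are listed and present; 1 means at least one is missing from the index or the bundle.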

Product Details

NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: Admin Server (UI)
NetWitness Version/Condition: 12.x
Platform: CentOS / AlmaLinux
O/S Version: 7 / 8.9
