NWArrayConfig script does not prompt to encrypt PowerVault self-encrypting drives (SED)s for NetWitness
Issue
When the NWArrayConfig script is run on NetWitness appliances with attached PowerVault storage that contains self-encrypting drives (SEDs), the script fails to prompt the user to encrypt the drives. The drives appear to be configured, but no message to self-encrypt is displayed. Because no prompt was shown during the NWArrayConfig script run, the self-encrypting drives were not set to encrypt data. This is a known issue, and the fix will be included in future releases of the NetWitness product.
Tasks
Until the fix is added into the NetWitness product by default, follow the steps below:
Installing new RPM packages
- To extract and install the rsa-sa-tools-11.2.0.0-Powervault.zip file attached to this article, execute the following commands (unzip needs -d to extract into a target directory):
unzip rsa-sa-tools-11.2.0.0-Powervault.zip -d /tmp
cd /tmp
yum update ./rsa-sa-tools-11.2.0.0-1808301802.5.941817f.noarch.rpm
- To extract and install the perccli_7.1-007.0127_linux.tar.gz file attached to this article, execute the following commands:
gunzip perccli_7.1-007.0127_linux.tar.gz
tar -xvf perccli_7.1-007.0127_linux.tar
rpm -Uvh perccli_7.1-007.0127.noarch.rpm
Resolution
Before running the NWArrayConfig script again, the PowerVault storage must be manually broken down so that the new script can run correctly. Review the section below that corresponds to the appliance type that needs to be reset. If there are any concerns about proceeding with the reset of the storage, stop and contact RSA NetWitness Support for further assistance. Once the appliance storage has been reset, follow the original hardware setup guide for setting up PowerVault storage. You should now receive a prompt to encrypt the drives during setup.
Resetting a Decoder Appliance
The following procedure resets a decoder appliance back to its pre-PowerVault configuration state. It does not reset any NetWitness/Security Analytics configuration files. The instructions below are for a Network Decoder. If you have a Log Decoder, replace every reference to decoder with logdecoder.
- SSH into the appliance with the broken PowerVault setup.
- If an sosreport was run on the appliance before the PowerVault configuration began, retrieve the lvscan, vgscan and pvscan files from the tar.gz that was created. Compare these files to the results of the next steps. Examining the results should make it straightforward to see where the script stopped. Skip ahead to the step where the output files and the command output no longer match.
- Run lvscan and find any devices that contain decoder and decodersmall.
# lvscan
Example output:
ACTIVE '/dev/decodersmall/decoroot' [30.00 GiB] inherit
ACTIVE '/dev/decodersmall/decoinde' [10.00 GiB] inherit
ACTIVE '/dev/decodersmall/decosess' [250.00 GiB] inherit
ACTIVE '/dev/decodersmall/decometa' [3.35 TiB] inherit
ACTIVE '/dev/decoder/decopack' [12.73 TiB] inherit
- Run lvremove against all logical volumes that were discovered in the previous step.
If an error about the logical volume being busy appears, the logical volume is still mounted by the OS. Use umount to unmount it, then retry lvremove.
# lvremove /dev/decodersmall/decometa
# lvremove /dev/decodersmall/decoroot
# lvremove /dev/decodersmall/decoinde
# lvremove /dev/decodersmall/decosess
# lvremove /dev/decoder/decopack
- Run vgscan and find any volume groups that contain decoder or decodersmall.
# vgscan
Example output:
Found volume group "decodersmall" using metadata type lvm2
Found volume group "decoder" using metadata type lvm2
- Run vgremove against all volume groups that were discovered in the previous step.
# vgremove decodersmall
# vgremove decoder
- Run pvscan and find any physical volumes that have no VG names associated.
# pvscan
Example output:
PV /dev/sdb VG lvm2 [3.64 TB / 0 free]
PV /dev/sda VG lvm2 [12.73 TB / 0 free]
Total: 3 [12.42 TB] / in use: 3 [12.42 TB] / in no VG: 0 [0 ]
- Run pvremove against all physical volumes that were discovered in the previous step.
# pvremove /dev/sdb
# pvremove /dev/sda
- Run the nwraidutil.pl script and review its output to determine which virtual drives need to be destroyed. Use the enclosure number under the physical section to find the virtual drives associated with the enclosures. Use the following as an example.
Notes:
- Adapter 0: This shows the adapter that contains the virtual disks underneath it.
- Virtual Disk 0: This is the first virtual disk on Adapter 0.
- Virtual Disk 1: This is the second virtual disk on Adapter 0.
- Enclosure 8: This is the physical enclosure number that can be found under the physical layout section.
- Using the information retrieved from the previous step, run the following PercCli command to break the virtual drives.
# /opt/MegaRAID/Perc/percli64 /cx/vx del force
Notes:
- There is no space between the /cx and /vx options
- Change the x in /cx to the Adapter number, which for our example is 0
- Change the x in /vx to the Virtual Disk number, which for our example is either 0 or 1. If you want to remove all virtual disks on the adapter use /vall
Example:
# /opt/MegaRAID/Perc/percli64 /c0/vall del force
- Once the virtual drives are destroyed the appliance is back to its default, out of the box, configuration.
Resetting a Concentrator Appliance
The following procedure resets a concentrator appliance back to its pre-PowerVault state. It does not reset any NetWitness/Security Analytics configuration files. These steps may vary slightly due to different versions of the creation scripts.
- SSH into the appliance with the broken PowerVault setup.
- If an sosreport was run on the appliance before the PowerVault configuration began, retrieve the lvscan, vgscan and pvscan files from the tar.gz that was created. Compare these files to the results of the next steps. Examining the results should make it straightforward to see where the script stopped. Skip ahead to the step where the output files and the command output no longer match.
- Run lvscan and find any devices that contain concentrator or index in them.
# lvscan
- Run lvremove against all logical volumes that were discovered in the previous step.
If an error about the logical volume being busy appears, the logical volume is still mounted by the OS. Use umount to unmount it, then retry lvremove.
# lvremove /dev/concentrator/metadb
# lvremove /dev/index/index
# lvremove /dev/concentrator/sessiondb
# lvremove /dev/concentrator/root
- Run vgscan and find any groups that contain concentrator or index.
# vgscan
Example output:
Found volume group "index" using metadata type lvm2
Found volume group "concentrator" using metadata type lvm2
- Run vgremove against all volume groups that were discovered in the previous step.
# vgremove concentrator
# vgremove index
- Run pvscan and find any physical volumes that have no VG names associated.
# pvscan
Example output:
PV /dev/sdc VG lvm2 [1.36 TB /0 free]
PV /dev/sdd VG lvm2 [10.91 TB /0 free]
- Run pvremove against all physical volumes that were discovered in the previous step.
# pvremove /dev/sdc
# pvremove /dev/sdd
- Run the nwraidutil.pl script and review its output to determine which virtual drives need to be destroyed. Use the enclosure number under the physical section to find the virtual drives associated with the enclosures. Use the following as an example.
- Adapter 0: This shows the adapter that contains the virtual disks underneath it.
- Virtual Disk 0: This is the first virtual disk on Adapter 0.
- Virtual Disk 1: This is the second virtual disk on Adapter 0.
- Enclosure 8: This is the physical enclosure number that can be found under the physical layout section.
- Using the information retrieved from the previous step, run the following PercCli command to break the virtual drives.
# /opt/MegaRAID/Perc/percli64 /cx/vx del force
- There is no space between the /cx and /vx options
- Change the x in /cx to the Adapter number, which for our example is 0
- Change the x in /vx to the Virtual Disk number, which for our example is either 0 or 1. If you want to remove all virtual disks on the adapter use /vall
Example:
# /opt/MegaRAID/Perc/percli64 /c0/vall del force
- Once the virtual drives are destroyed the appliance is back to its default, out of the box, configuration.
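Both reset procedures above share the same LVM teardown sequence (lvremove, then vgremove), and both warn about the "busy" error from a still-mounted volume. The following bash script is an added example, not part of the RSA article: it derives that command sequence for one appliance type from captured lvscan output, emits umount first for any volume that is still mounted, and only prints the commands. The sample lvscan and /proc/mounts lines are constructed, and the volume-group name pattern is passed in so the same function serves the decoder (decoder, decodersmall) and concentrator (concentrator, index) cases.

```bash
#!/usr/bin/env bash
# Added example, not part of the RSA article: derive the LVM teardown commands
# for one appliance type from captured lvscan output. Dry run only: it prints
# the commands and executes none of them.

# Constructed sample lvscan output, patterned on the decoder example above.
# The centos VG stands in for the OS volumes that must be left alone.
SAMPLE_LVSCAN="ACTIVE '/dev/decodersmall/decoroot' [30.00 GiB] inherit
ACTIVE '/dev/decodersmall/decometa' [3.35 TiB] inherit
ACTIVE '/dev/decoder/decopack' [12.73 TiB] inherit
ACTIVE '/dev/centos/root' [50.00 GiB] inherit"

# Constructed sample /proc/mounts lines: decoroot is still mounted, so
# lvremove on it would fail with the "busy" error the article describes.
SAMPLE_MOUNTS="/dev/mapper/decodersmall-decoroot /var/netwitness/decoder ext4 rw 0 0
/dev/mapper/centos-root / xfs rw 0 0"

# plan_teardown VG_REGEX LVSCAN_TEXT MOUNTS_TEXT
# For every LV whose volume group matches VG_REGEX, print umount (if the LV is
# mounted) and lvremove; then print vgremove for each matched VG, in the order
# the article uses: logical volumes first, volume groups after.
plan_teardown() {
    local vg_regex="$1" lvscan="$2" mounts="$3"
    local line dev vg lv mapper vgs=""
    while IFS= read -r line; do
        # Keep only lines that carry a quoted '/dev/<vg>/<lv>' path.
        case "$line" in *"'/dev/"*"'"*) ;; *) continue ;; esac
        dev=${line#*\'}; dev=${dev%%\'*}          # /dev/decodersmall/decoroot
        vg=${dev#/dev/}; vg=${vg%%/*}             # decodersmall
        lv=${dev##*/}                             # decoroot
        printf '%s\n' "$vg" | grep -Eq "$vg_regex" || continue
        # Device-mapper name as it appears in /proc/mounts. (A '-' inside a VG
        # or LV name would be doubled there; the appliance names have none.)
        mapper="/dev/mapper/${vg}-${lv}"
        if printf '%s\n' "$mounts" | grep -q "^${mapper} "; then
            echo "umount ${mapper}"
        fi
        echo "lvremove ${dev}"
        case " $vgs " in *" $vg "*) ;; *) vgs="$vgs $vg" ;; esac
    done <<EOF
$lvscan
EOF
    for vg in $vgs; do echo "vgremove $vg"; done
}

plan_teardown '^(decoder|decodersmall)$' "$SAMPLE_LVSCAN" "$SAMPLE_MOUNTS"
```

On a live appliance, feed it the real output with `plan_teardown '^(concentrator|index)$' "$(lvscan)" "$(cat /proc/mounts)"` and compare the printed plan against the sosreport copies before running anything; pvremove still follows separately from the pvscan step.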
Product Details
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 11.2.0.0.1
Platform: CentOS
O/S Version: 7
Summary
When the NWArrayConfig script is run on an appliance with PowerVault storage that includes self-encrypting drives (SEDs), no prompt is presented to encrypt the drives.