
Workflow violations are failing to trigger when DXL is configured

Issue

I have configured DXL integration in the rules.conf file and I am no longer able to trigger any violations.

Cause

This is caused by a misconfiguration that prevents a successful connection to McAfee DXL. When this occurs, the McAfee DXL client enters a retry loop which prevents the rest of the Workflow Engine from executing.

Resolution Steps

The following steps ensure the error is validated, the existing Workflow topology is killed, the certificate file is re-uploaded, and the updated Workflow (rules.conf) is deployed successfully.

  • Verify error in Workflow/Storm logs
  • Kill Workflow topology
  • Re-upload ca.crt file to McAfee ePO server
  • Validate rules.conf
  • Deploy Workflow topology

NOTE: The ca.crt file that was used to generate the McAfee DXL keystore will be needed. If the file is not available, a new signed client certificate will need to be generated. Please refer to the Configure DXL section in the Interset 5.5.2 Installation and Configuration guide.

Verify error in Workflow/Storm logs

  1. SSH to the MASTER (ANALYTICS) NODE as the Interset User
  2. Type in the following command to navigate to the storm log (/var/log/storm/workers-artifacts) directory:
    • cd /var/log/storm/workers-artifacts
  3. Type in the following command to list the files in the directory:
    • ls
  4. The output may be similar to the following:
    • Workflow_<TID>-1-1508867528
  5. Type in the following command to look for errors in the worker logs:
    • cat 6700/worker.log | grep ERROR
      • NOTE: Other logs may need to be investigated such as:
        • /var/log/storm/workers-artifacts/Workflow_mfe-1-1508867528/6701
  6. The output should be similar to the following:
    • 2018-01-31 14:11:03.295 c.m.d.c.i.DxlClientImpl [ERROR] Failed to connect to broker: {d79667ae-d005-11e5-246d-0050569ef00e} (ssl://172.18.0.173:8883): MqttException
    • 2018-01-31 14:11:03.297 c.m.d.c.i.DxlClientImpl [ERROR] Retrying connect in 1185 ms: MqttException (0) - javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca: MqttException: Received fatal alert: unknown_ca
  7. If the search in step 5 returns nothing, please contact Interset Support (support@interset.com) for further assistance.
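The grep in step 5 is a manual check. As an added example (not part of this article), the script below wraps the same check in functions that report whether a worker log shows the DXL client's retry loop and which TLS alert caused it. The log path, broker id and address in the sample lines are constructed placeholders; on a real node the log lives under /var/log/storm/workers-artifacts/<topology>/<port>/worker.log.

```shell
#!/bin/sh
# Added example (not part of the original article): check a Storm worker log
# for the McAfee DXL client retry loop. The log path and sample lines are
# constructed for illustration (placeholder broker id and address).

# Constructed sample worker.log
SAMPLE_LOG="${TMPDIR:-/tmp}/dxl-example-worker.log"
cat > "$SAMPLE_LOG" <<'EOF'
2018-01-31 14:11:02.100 o.a.s.d.worker [INFO] Worker started
2018-01-31 14:11:03.295 c.m.d.c.i.DxlClientImpl [ERROR] Failed to connect to broker: {00000000-0000-0000-0000-000000000000} (ssl://192.0.2.10:8883): MqttException
2018-01-31 14:11:03.297 c.m.d.c.i.DxlClientImpl [ERROR] Retrying connect in 1185 ms: MqttException (0) - javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca: MqttException: Received fatal alert: unknown_ca
2018-01-31 14:11:04.500 c.m.d.c.i.DxlClientImpl [ERROR] Retrying connect in 2370 ms: MqttException (0) - javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca: MqttException: Received fatal alert: unknown_ca
EOF

# Number of DxlClientImpl ERROR lines in a worker log (0 if the file is unreadable).
dxl_error_count() {
  [ -r "$1" ] || { echo 0; return; }
  grep -c 'DxlClientImpl \[ERROR\]' "$1" || true
}

# Exit 0 when the log shows the retry loop: a failed broker connect followed
# by "Retrying connect" lines from the DXL client.
dxl_retry_loop() {
  grep -q 'DxlClientImpl \[ERROR\] Failed to connect to broker' "$1" &&
    grep -q 'DxlClientImpl \[ERROR\] Retrying connect' "$1"
}

# TLS alert name from the first SSLHandshakeException (e.g. unknown_ca), or
# an empty string when no handshake alert was logged.
dxl_failure_reason() {
  [ -r "$1" ] || return 0
  sed -n 's/.*Received fatal alert: \([a-z_]*\).*/\1/p' "$1" | head -n 1
}

# Human-readable summary, usable as: dxl_check_report /path/to/worker.log
dxl_check_report() {
  log=$1
  count=$(dxl_error_count "$log")
  if dxl_retry_loop "$log"; then
    echo "$log: DXL retry loop detected ($count DXL error lines, alert: $(dxl_failure_reason "$log"))"
  else
    echo "$log: no DXL retry loop ($count DXL error lines)"
  fi
}

dxl_check_report "$SAMPLE_LOG"
```

Run `dxl_check_report` against each worker.log under the topology directory (6700, 6701, and so on); an `unknown_ca` alert points at the certificate step that follows, while a different alert or no retry loop at all means the cause lies elsewhere.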

Kill Workflow

  1. SSH to the MASTER (ANALYTICS) NODE as the Interset User.
  2. Type in the following command to kill Workflow:
    • /opt/interset/rules/bin/workflow.sh --kill /opt/interset/rules/conf/rules.conf
  3. The following output will indicate that Workflow has been killed:
    • [main] INFO a.s.c.kill-topology - Killed topology: Workflow_0

OPTIONAL:

  • To verify that Workflow is killed, please type in the following command to check the status of Workflow:
    • /opt/interset/rules/bin/workflow.sh --status /opt/interset/rules/conf/rules.conf
  • The command above should return no output and drop back to the bash prompt.

Re-upload ca.crt file to McAfee ePO server

  1. Open up a web browser and navigate to the McAfee ePO Web interface
  2. Sign in to the McAfee ePO Web interface as an Admin.
  3. Click Server Settings > DXL Certificates, and then click Edit.
  4. In the Client Certificates section, select Import.
  5. Browse and select the ca.crt file.
  6. Click OK, and then click Save.

Validate rules.conf

  1. SSH to the MASTER NODE (where analytics reside) as the Interset User.
  2. Type in the following command to validate the Workflow (rules.conf) configuration:
    • /opt/interset/rules/bin/workflow.sh --validate /opt/interset/rules/conf/rules.conf
  3. During validation, prompts will appear that require input. These prompts will vary as they depend on the options that are enabled/configured. For more information, please contact Interset Support (support@interset.com).
  4. Once all configurations are validated, please continue to the Deploy Workflow section.

Deploy Workflow

  1. SSH to the MASTER NODE (where analytics reside) as the Interset User.
  2. Type in the following command to deploy the updated Workflow rules.conf:
    • /opt/interset/rules/bin/workflow.sh --deploy /opt/interset/rules/conf/rules.conf
  3. The output below indicates that Workflow (rules.conf) has been deployed successfully:
    • [main] INFO a.s.StormSubmitter - Finished submitting topology: Workflow_0
  4. Type in the following command to validate Workflow is ACTIVE:
    • /opt/interset/rules/bin/workflow.sh --status /opt/interset/rules/conf/rules.conf
  5. The output should be similar to the following:
    • Retrieving status of Workflow: Workflow_0 .....
    • Workflow_0           ACTIVE         139       4           5346

Workflow is now successfully deployed using the updated rules.conf.
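Step 4 above reads the status by eye. As an added example (not part of this article), the script below parses the status output and polls until the topology reports ACTIVE, which is useful when deployment is scripted. The status text and the `fake_status` command that stands in for `workflow.sh --status` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original article): parse the output of
# "workflow.sh --status" and wait until the topology reports ACTIVE.
# SAMPLE_STATUS_* and fake_status are constructed stand-ins for the real command.

SAMPLE_STATUS_ACTIVE='Retrieving status of Workflow: Workflow_0 .....
Workflow_0           ACTIVE         139       4           5346'
# Right after --kill the status command prints no topology line at all.
SAMPLE_STATUS_KILLED='Retrieving status of Workflow: Workflow_0 .....'

WAIT_SECONDS=${WAIT_SECONDS:-5}

# Print the state column for the named topology from status text on stdin;
# prints NOT_FOUND when the topology is absent.
workflow_state() {
  awk -v name="$1" '$1 == name { print $2; found = 1 } END { if (!found) print "NOT_FOUND" }'
}

# Poll a status-producing command until the topology is ACTIVE.
# $1 topology name, $2 max attempts, $3.. command that prints status output.
# Returns 0 once ACTIVE is seen, 1 if the attempts run out.
wait_for_active() {
  name=$1; attempts=$2; shift 2
  i=0
  while [ "$i" -lt "$attempts" ]; do
    state=$("$@" | workflow_state "$name")
    [ "$state" = "ACTIVE" ] && return 0
    i=$((i + 1))
    [ "$i" -lt "$attempts" ] && sleep "$WAIT_SECONDS"
  done
  return 1
}

# Constructed stand-in: reports the topology as ACTIVE from the third call on.
COUNTER="${TMPDIR:-/tmp}/workflow-status-example.count"
fake_status() {
  n=$(cat "$COUNTER" 2>/dev/null || echo 0)
  n=$((n + 1))
  echo "$n" > "$COUNTER"
  if [ "$n" -ge 3 ]; then
    printf '%s\n' "$SAMPLE_STATUS_ACTIVE"
  else
    printf '%s\n' "$SAMPLE_STATUS_KILLED"
  fi
}

# Real use on a node would be, for example:
#   wait_for_active Workflow_0 12 /opt/interset/rules/bin/workflow.sh --status /opt/interset/rules/conf/rules.conf
```

The same `workflow_state` helper also confirms the OPTIONAL check in the Kill Workflow section: `NOT_FOUND` after `--kill` means the topology is gone.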

Applies To

  • Interset 5.4.x or higher