RSA Security Analytics

S4 Broker Setup Guide

Copyright 2010 - 2013 RSA, the Security Division of EMC. All rights reserved.
Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other
trademarks used herein are the property of their respective owners. For a list of EMC trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm.
License Agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in
accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof,
may not be provided or otherwise made available to any other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of
this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be
construed as a commitment by EMC.
Third-Party Licenses
This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product
may be viewed in the thirdpartylicenses.pdf file.
Note on Encryption Technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import,
and export regulations should be followed when using, importing or exporting this product.
Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. EMC believes the information in this
publication is accurate as of its publication date. The information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY
KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY
OR FITNESS FOR A PARTICULAR PURPOSE.

S4 Broker Setup Guide

S4 Broker Setup Guide

S4 Broker Setup Guide

SA Broker Hardware Description

Mount the Appliance and Configure Network Parameters

Finish Broker Setup in Security Analytics

15

Overview

S4 Broker Setup Guide

Overview
This document is a step-by-step guide for installing the RSA Security Analytics Broker and connecting it to your network.

2010 - 2013 RSA, The Security Division of EMC.

Overview

SA Broker Hardware Description

This topic contains the following sections:
1. Overview
2. Introduction
3. Package Contents
4. Customer Supplied Materials
5. Front View of the Broker
6. Rear View of the Broker
7. Broker Specifications

Overview
This document introduces the RSA Series 4 Broker and provides a description of controls and connectors along with
selected specifications.

Introduction
The RSA Security Analytics Series 4 Broker is shipped with Broker software installed. The initial setup of the Broker in
your network involves these steps:
1. Review site requirements and safety information.
2. Mount the Broker hardware.
3. Connect the Broker to your network and configure network parameters on the Broker.
4. Finish Broker setup in Security Analytics.

There are several options for the initial physical connection to the Broker to begin configuration of the software
parameters. Once connected, the Security Analytics appliance console is used to make those configuration changes. Each
step is described in detail in this document.
You can learn more about Security Analytics in the online documentation. To view Security Analytics documentation, log
on to Security Analytics and select the Help option in the Security Analytics menu.

Package Contents
Verify the contents of the packing box to ensure that you have received all items necessary to install and configure your
Broker.
Series 4 Broker appliance
Rail Slide Assemblies (2)
2010 - 2013 RSA, The Security Division of EMC.

Customer Supplied Materials

Power Cord (2)

Customer Supplied Materials

To complete the setup procedure, you will need:
One Ethernet network cable
Cables to connect a monitor or KVM adapter to the VGA port and a keyboard or KVM adapter to the USB port
Standard tools for installing and mounting computer hardware

Front View of the Broker

Key

Description

Diagnostic LEDs

System Identification Light

Power On/Off

Recessed non-maskable interrupt (NMI) button

System Identification Button

Micro USB port

Ten 2.5-inch hard drive bays. The Broker has two 146 GB drives and two 1 TB drives installed. There is also an
internal secure digital (SD) card module where two 32 GB cards are installed, and this is where the operating
system is installed by default.

Service Tag Details

2010 - 2013 RSA, The Security Division of EMC.

Rear View of the Broker

Rear View of the Broker

Key

Description

System Identification Button

System Identification Light

iDRAC Port

RS232 Serial Port (serial connection to laptop via DB9 or serial server)

VGA Video Port (monitor)

Network Interface cards slot: SAS Controller installed with two DAC interface ports for connecting to the disk
storage arrays.

Network Interface card expansion slots for optional cards. Possible options are:
7

Fiber/Copper 10Gbps network capture card (RJ45)

Fiber-channel host bus adaptor (HBA) used to connect to a SAN

USB Ports (Keyboard)

Gigabit Ethernet Port 1: em1 = management port.

10

Gigabit Ethernet Ports (2-4): em 2-4

11

Hot Swappable Power Supply 1 and 2

Broker Specifications
Form Factor

1U, full depth

Weight

39 lbs.

2010 - 2013 RSA, The Security Division of EMC.

Broker Specifications

Dimensions

18.99 (w) x 30.39 (d) x 1.68 (h)

Power supplies

Hot Swappable, redundant 750W,

100V to 240V autosensing

Processors

Dual hex core 2.66 GHZ

RAM

96 GB

2010 - 2013 RSA, The Security Division of EMC.

Overview

Mount the Appliance and Configure Network Parameters

This topic contains the following sections:
1. Overview
2. Introduction
3. Appliance Console via VGA Connection
4. Appliance Console via Network Connection
5. Set the IP Address
5.1. Set a Static IP
5.2. Set a Dynamic IP
6. Set the Hostname
7. Specify the Network Clock Source
8. Configure DNS Servers

Overview
This topic provides instructions for connecting a Security Analytics S4 appliance to your network and configuring initial
management parameters on the appliance.

Introduction
Before you begin network configuration, mount or place the appliance securely in accordance with site requirements.
Configuring network parameters for an RSA Security Analytics S4 appliance consists of setting the default IP address,
the network clock source, and the hostname, then configuring your DNS servers. To set these parameters, you can
connect to the appliance console using a keyboard and mouse or the Ethernet connection. In both cases, log on to the
appliance as root. Once able to log on to the appliance, use the NwConsole program to modify the appliance
management settings. Use the OS command line to configure DNS servers.
Method

Username Default Password

ssh/cli

root

netwitness

appliance

admin

netwitness

Choose one of these methods for the initial connection:

Appliance Console via VGA Connection: Keyboard (USB Port) and monitor (VGA Port).
Appliance Console via Network Connection: Computer using an SSH client connected to the appliance via Ethernet cable to Mgmt
Port (em1), which is configured as 192.168.1.1 by default.
2010 - 2013 RSA, The Security Division of EMC.

Appliance Console via VGA Connection

Appliance Console via VGA Connection

To use the Appliance Console via VGA connection:
1. Connect a monitor or KVM adapter to the VGA Port on the back of the appliance.

2. Connect a keyboard or KVM adapter to one of the USB ports on the back of the appliance.

3. Connect a power cord to each of the two power supplies on the rear of the appliance. Connect the power cords to a power source.
To provide a more robust setup, connect each power supply to a different circuit.

Caution:
5V standby power is active whenever the system is plugged in. To remove power from the system, you
must unplug both AC power cords from the power source
4. At the login prompt use the default credentials to gain access to the operating system (root/netwitness).
5. Continue to Set the IP Address section below.

Appliance Console via Network Connection

Caution: The default IP address of the appliance is set at the factory to 192.168.1.1. The use of 192.168.1.1 is
fairly common and the IP address may already be in your system's SSH known_hosts file. The specific line for
that IP address may need to be removed.
To use the Appliance Console via network connection:

2010 - 2013 RSA, The Security Division of EMC.

10

Set the IP Address

1. Connect an Ethernet cable between a computer and the Ethernet management port on the back of the appliance.

2. Connect the power cords to the power connectors on the appliance and a power receptacle.
3. The default IP address of the appliance is set at the factory to 192.168.1.1; therefore, set the IP address of the client system in the
same subnet. For example, set your laptop to 192.168.1.15 with default gateway of 192.168.1.1 and then using a secure shell (SSH)
client connect to the appliance.

Note: Be aware that if you change network parameters while connected through SSH, your SSH session will
be dropped and you will have to re-connect to the appliance at its new address.
4. Accept the SSH key.
5. At the login prompt use the default credentials to gain access to the operating system.
6. Continue to Set the IP Address section below.

Set the IP Address

Use one of the procedures below to set the management IP address on the appliance.

Set a Static IP
To set a static IP address:
1. At the root prompt: [root@NwAppliance~]#
enter the following command:
NwConsole
The NwConsole starts up and the following message is displayed:
RSA Security Analytics Console 10.2
Copyright 2001-2012, RSA Security Inc. All Rights Reserved.
2. In the NwConsole, enter the following command:
login localhost:50006 <adminusername> <password>
for example: login localhost:50006 admin netwitness
You are logged onto the appliance and the following message is displayed:
Successfully logged in as session <session #>
3. At the localhost prompt: [localhost:50006] />
enter the following command:
appliance setNet mode=static address=<desired IP address> netmask=<desired netmask>
gateway=<desired network gateway>
Example: To set the appliance em1 interface IP address to 10.1.2.35 for a class C network with gateway 10.1.2.1, execute the
following command:
appliance setNet mode=static address=10.1.2.35 netmask=255.255.255.0 gateway=10.1.2.1
The network services automatically restart on the appliance and the new settings are applied.

2010 - 2013 RSA, The Security Division of EMC.

11

Set the Hostname

4. If the appliance is connected via network connection, you will have to reconnect to appliance using the new IP address to continue.
If you moved the appliance to a new subnet, changes to client networking may also be required.
5. To logout and exit the NwConsole, type exit.

Set a Dynamic IP
To set a dynamic IP address:
1. At the root prompt: [root@NwAppliance~]#
enter the following command:
NwConsole
The NwConsole starts up and the following message is displayed:
RSA Security Analytics Console 10.2
Copyright 2001-2012, RSA Security Inc. All Rights Reserved.
2. In the NwConsole, enter the following command:
login localhost:50006 <username> <password>
You are logged onto the appliance and the following message is displayed:
Successfully logged in as session <session #>
3. At the localhost prompt: [localhost:50006] />
enter the following command:
appliance setNet mode=dhcp
4. The network services automatically restart on the device and the new settings are applied. If the appliance is

connected via network connection, you will have to reconnect to appliance using the new IP address to continue. If
you moved the appliance to a new subnet, changes to client networking may also be required.
Caution: If you choose DHCP, there may be no way to determine the new address. You must connect to
the appliance console directly to determine the new address.

Set the Hostname

Creating the hostname of the system is a relatively simple task, but can benefit from consideration to limit common
issues. If you are looking for some guidance to choosing a hostname, refer to the RFC 1178. In terms of Security Analytics
the databases on the appliances are associated to the hostname. If the collection or aggregation has started (this is why it
is not turned on by default) then the database is created and changing the hostname after that occurs effectively creates a
second database. The hostname should contain only alphanumeric characters (no special characters such as #, _, @, -)
to eliminate communication issues.
1. If still logged into NwConsole, then skip steps 2 and 3.
2. At the root prompt: [root@NwAppliance~]#
enter the following command:
NwConsole
The NwConsole starts up and the following message is displayed:
RSA Security Analytics Console 10.2
Copyright 2001-2012, RSA Security Inc. All Rights Reserved.
3. In the NwConsole, enter the following command:
login localhost:50006 <username> <password>
You are logged onto the appliance and the following message is displayed:
Successfully logged in as session <session #>
2010 - 2013 RSA, The Security Division of EMC.

12

Specify the Network Clock Source

4. At the localhost prompt: [localhost:50006] />

enter the following command:
appliance hostname name=<desired_name_for_appliance>
For example: appliance hostname name=myserver
5. When you see an output of Success, type exit to log out and exit the NwConsole program.
6. Reboot the server using command: reboot

Note: It is recommended that you reboot the system after changing the hostname.

Specify the Network Clock Source

Note: If the NTP server is not configured or reachable at this time, the network clock source configuration will fail,
but can be done from the SA interface later.

It is recommended that all systems in the Security Analytics suite be synchronized using a network time source so that
all devices accurately depict the same time. If this is not done then the time on the devices can get out of sync causing
queries for a specific time to not return the expected results.
Note: The commands in these instructions are case sensitive.

To set the network clock source:

1. If still logged into NwConsole, then skip steps 2 and 3.
2. At the root prompt: [root@NwAppliance~]#
enter the following command:
NwConsole
The NwConsole starts up and the following message is displayed:
RSA Security Analytics Console 10.2
Copyright 2001-2012, RSA Security Inc. All Rights Reserved.
3. In the NwConsole, enter the following command:
login localhost:50006 <username> <password>
You are logged onto the appliance and the following message is displayed:
Successfully logged in as session <session #>
4. At the localhost prompt: [localhost:50006] />
enter the following command:
appliance setNTP source=<NTP_server_hostname or IP_address>
For example: appliance setNTP source=0.pool.ntp.org
Or, if you want to use the appliance clock as a clock source, type: appliance setNTP source=local
5. When you see an output of Success from the command, type exit to log out and exit the NwConsole program.

Note: If you specified an NTP clock source of local, the appliance clock serves as the clock source and the
time is configured using Set Appliance Built-In Clock as described in Security Analytics online help.

2010 - 2013 RSA, The Security Division of EMC.

13

Configure DNS Servers

Configure DNS Servers

To set a static IP address:
1. At the root prompt: [root@NwAppliance~]#
enter the following command:
vi /etc/resolv.conf
2. Add the following lines to the file for each DNS server:

nameserver <DNS_server_ip_address>
search <domain_name>
where <DNS_server_ip_address> is the IP address of your DNS server, and
<domain_name> is the domain name
for example:
nameserver 192.168.0.1
search acmecorp.com
3. Save the changes and exit the vi editor.

2010 - 2013 RSA, The Security Division of EMC.

14

Overview

Finish Broker Setup in Security Analytics

This topic contains the following sections:
1. Overview
2. Introduction

Overview
This topic provides instructions for finishing Broker configuration and starting aggregation in Security Analytics.

Introduction
The final steps for setting up the Broker are done using Security Analytics. These are:
1. Add the Broker to Security Analytics in Devices view.
2. Apply a device license (or Entitlement) to the Broker.
3. Add one or more Concentrators to the Broker as aggregate devices.
4. Configure and start aggregation.

Several of these steps can be completed only when other parts of the Security Analytics network are in place:
At least one Concentrator and one Decoder service must be installed, licensed, configured, and capturing data to generate Meta
that the Broker can retrieve.
The Security Analytics device licenses (or Entitlements) must be available for activating the devices.

Log on to Security Analytics and follow instructions in the online help to finish setup of the Broker as part of the Security
Analytics suite.

2010 - 2013 RSA, The Security Division of EMC.

15

RSA Part Number: 6973A0