Unsupported content: This version of the product has reached end of support. The documentation is available for your convenience.

Troubleshooting issues encountered while using the product


This topic describes the issues that you might encounter while using the product.

You cannot log on to the product because the site is unreachable

Issue: An error message similar to the following one appears in the bsm.log file when you try to log on to the TrueSight Vulnerability Management GUI as a TrueSight Server Automation user:

TSSA Service unreachable for the service at "http://xxxx.calbro.com:<portNo>com.bmc.cloud.provider.bbsaprovider.BBSAServiceUnreachableException:
java.lang.Exception: com.sun.xml.ws.client.ClientTransportException:::Connector did not return response within timeout.


BMC.API - TSSA Service unreachable for the service at "http://xxxx.calbro.com:<portNo>com.bmc.cloud.provider.bbsaprovider.BBSAServiceUnreachableException: com.bmc.cloud.provider.bbsaprovider.adapter.AdapterException: com.bmc.workmanager.client.WorkManagerClientException: Connector did not return response within timeout.

Or,

An error message similar to the following one appears in the tssa-conenctor.log file when you try to log on to the TrueSight Vulnerability Management GUI as a TrueSight Server Automation user:

Request execution failed.
com.sun.xml.ws.client.ClientTransportException: HTTP transport error: java.net.ConnectException: Connection timed out (Connection timed out)


Request execution failed.
com.sun.xml.ws.client.ClientTransportException: HTTP transport error: java.net.UnknownHostException: TSSA-HOST

Or, 

An error message similar to the following one appears on the GUI when you try to log on to the TrueSight Vulnerability Management GUI as a TrueSight Server Automation user:

Login failure due to:
Site not reachable calbro


Similar error messages could appear if you log on using a TrueSight Network Automation user or an SCCM user.

Reason 1: The site is not up and running.

Resolution 1: Ensure that the site you have chosen while logging on is up and running.

Reason 2: One or more of the following site details that you provided during installation are not correct.

  • Host name
  • Port number
  • Protocol
  • Admin role name

Resolution 2: Perform the following steps:

  1. On the application computer, stop the application services:
    1. If not already done, download and extract the TSVM<versionNo>-SM-LIN64.zip file to a temporary directory, /opt/smDownload.
    2. Navigate to the /opt/smDownload/truesight-sm directory.
    3. Run the following command:

      python truesight-sm.py stop --deployment application
  2. Connect to the TrueSight Vulnerability Management database using any database client tool, such as psql or the pgAdmin GUI application.
  3. Validate the following site details in the tn_defaultt<schemaName>.dcaportalsite table for the required site type:

    Tip

    You can use the following query to get the schemaName:

    select nspname from pg_catalog.pg_namespace where lower(nspname) like '%tn_defaultt%'

    Site details       Column name in the database table
    Host name          name, serverhost
    Port number        port
    Protocol           protocol (valid values are http and https)
    Admin role name    emsiteadminrolename
    Site type          emtype (valid values are BSA, BNA, and SCCM)

  4. If any of the above details are incorrect, use the following query to update the table:

    update tn_defaultt<schemaName>.dcaportalsite set name = '<FQDNhostNameEndpointManager>', serverhost = '<FQDNhostNameEndpointManager>', port = '<portNumber>', protocol = '<protocol>' where emtype = '<siteType>';

    Important

    Ensure that you provide the Fully Qualified Domain Name for the host in the name and serverhost columns.

    For example, if the host name for the TrueSight Server Automation site is incorrect, update it using the following query:

     update tn_defaultt3108.dcaportalsite set name = 'sys-dev01.calbro.com', serverhost = 'sys-dev01.calbro.com' where emtype = 'BSA';
  5. Navigate to the /opt/smDownload/truesight-sm directory and run the following command to start the application services:

    python truesight-sm.py start --deployment application


Reason 3: Containers are not able to resolve DNS names that are present outside the Docker network.

Resolution 3: Perform the following steps:

  1. On the application computer, validate whether you can reach the Server Automation host from inside the containers:
    1. Navigate to the container:

      docker exec -it truesight-app-vulnerability-management-portal /bin/bash
    2. Run the following commands:
      1. ping <ServerAutomationHost>
      2. nslookup <ServerAutomationHost>
      3. telnet <ServerAutomationHost> <portNumber>
    3. If these commands are not successful, go to step 2.
  2. Stop the Docker services: 

    systemctl stop docker.service
  3. Navigate to the /opt/smDownload/truesight-sm directory and stop the application services:

    python truesight-sm.py stop --deployment application
  4. On the application host, open the /etc/resolv.conf file with a text editor and note down the name servers and their IP addresses.
  5. Navigate to /etc/docker directory and open the /etc/docker/daemon.json file with a text editor.
    Create this file if it does not exist. 
  6. Append the following entries to the file:

    {
          "dns": ["IPAddress1", "IPAddress2", "IPAddress3"]
    }

    Replace IP addresses with the ones you noted down in step 4. 

  7. Start the Docker services:

    systemctl start docker.service
  8. Navigate to the /opt/smDownload/truesight-sm directory and start the application services:

    python truesight-sm.py start --deployment application
  9. Validate whether you are able to log on to the TrueSight Vulnerability Management GUI as a TrueSight Server Automation user.
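
Steps 4 to 6 of Resolution 3 as a script. This is an added example, not part of the BMC documentation. It reads the name servers from resolv.conf content and sets the "dns" key in daemon.json without dropping settings already in that file. The function names and sample inputs are constructed for illustration, and skipping loopback resolvers is a choice made here, not a step from the page.

```python
import ipaddress
import json

def nameservers_from_resolv_conf(text):
    """Return non-loopback nameserver IPs from resolv.conf content, in order."""
    servers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue  # comments, search/options lines, blanks
        try:
            addr = ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # malformed entry
        # A loopback resolver (a local stub listener) is unreachable from
        # inside a container's own network namespace, so it is skipped.
        if not addr.is_loopback and str(addr) not in servers:
            servers.append(str(addr))
    return servers

def merge_dns(daemon_json_text, servers):
    """Return daemon.json text with "dns" set and all other keys preserved."""
    if not servers:
        raise ValueError("no usable nameserver; refusing to write an empty dns list")
    config = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must hold a JSON object")
    config["dns"] = list(servers)
    return json.dumps(config, indent=2) + "\n"

# Constructed sample inputs, not taken from a real host.
SAMPLE_RESOLV_CONF = """\
# constructed example
search calbro.com
nameserver 127.0.0.53
nameserver 10.0.0.2
nameserver 10.0.0.3
"""
SAMPLE_DAEMON_JSON = '{"log-driver": "json-file"}'

if __name__ == "__main__":
    dns = nameservers_from_resolv_conf(SAMPLE_RESOLV_CONF)
    print(merge_dns(SAMPLE_DAEMON_JSON, dns), end="")
```

An existing daemon.json that is not valid JSON makes json.loads raise an error, so a damaged file is reported instead of being overwritten.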

You cannot log on to the product due to an expired certificate in TrueSight Server Automation

Issue

An "Invalid user credentials" error message appears when you try to log on to the TrueSight Vulnerability Management GUI as a TrueSight Server Automation user.

The bsm.log file shows a message similar to the following:

2019-10-28 21:11:21,649 [ERROR] BMC.API - [Thread=aa7ec30d-9065-4776-8edc-9108e26e911b::53e6a729-9ef6-4830-9fbc-018b9093e55b(54)] [Class=SaasBSARestClient:submitRest] [tenantID:1]- TSSA Rest API call failed. javax.net.ssl.SSLHandshakeException:::NotAfter: Mon Jan 01 07:56:36 GMT 2018

In addition, TrueSight Server Automation connector log file shows a message similar to the following:

[2019-11-13 18:38:39 GMT (ERROR) BSADEMConnector:55 ] [d54cf543-d8c1-412b-9ed6-ab8222e8d8fb::48d13d19-a710-498f-b401-fca4ebf21690]  -Request execution failed. javax.net.ssl.SSLHandshakeException: NotAfter: Mon Jan 01 07:56:36 GMT 2018

This error occurs due to an expired self-signed certificate in TrueSight Server Automation.

Resolution

Regenerate the self-signed certificate, as described in To generate a self-signed certificate for an Application Server.

Filtering of search results can make it appear as though no results are returned

When you are searching for anything other than servers, only the first 100 results are returned from TrueSight Server Automation to TrueSight Vulnerability Management. If you have applied search filters, they may potentially exclude all 100 results, making it appear as though there are no results.

To confirm that you do have search results, temporarily clear filters.

Note that there are no restrictions to the number of results returned when searching for servers.

Internet Explorer 11 experiences random timeouts

At random moments an Internet Explorer 11 browser can fail to navigate and instead sends you back to the login page. A message says that the session has timed out.

To work around the problem:

  1. Use Internet Explorer's security settings to add the TrueSight Vulnerability Management host as a trusted site.
  2. Keep the Enable Protected Mode option unchecked.

Firefox truncating tooltips

When using the Firefox browser, tooltips should be able to display 256 characters but you may see the browser truncate the tooltip to approximately 65 characters.

Error while importing a certificate into keystore

When importing a certificate into a keystore, the following error occurs:

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

The error occurs when the issued certificate does not match the key in your keystore. This can be due to one of the following reasons:

  • The alias name that was used when the keystore was created does not match the alias name being used when importing. In such a case, ensure that the alias name used on the import is the same as the one used to generate the keystore.
  • The keystore where the certificates are being imported to is not the keystore that was used to generate the CSR. The Comodo certificates can only be imported into the keystore that was used to generate the certificate request. In such a case, locate the correct keystore and run the import again.

Issues when auto mapping assets

The following issues could occur when trying to automap assets:

  • Asset auto-mapping does not happen during import
  • Asset auto-mapping does not happen from the Assets page with the following message: 0 assets are auto mapped.

Resolution

To resolve the issues, perform the following steps:

  1. In the bsm.log file, check the occurrence of the 'ContentAcquisition-Thread' and then check for any errors in the thread.
  2. If you see any errors, log on to the application again; this triggers the content acquisition thread to run again.
  3. Monitor the thread again in the bsm.log file and see if the content acquisition thread is running.  

Issues when auto mapping vulnerabilities

The following issues could occur when trying to automap vulnerabilities:

  • Vulnerability auto-mapping does not happen during import
  • Vulnerability auto-mapping does not happen from the Vulnerabilities page with the following message: 0 endpoint were auto-mapped successfully.

This issue might occur if the vulnerability management scan file is not populated properly.

Resolution

Before you import a scan file, ensure that the vulnerabilities are associated with CVE IDs in the scan file, as follows:

  • In a Nessus scan file exported from the scanner, ensure that the <cve> element under the ReportItem element is populated with CVE ID, as shown in the following example:
    <ReportItem pluginID="70322" pluginName="" …><cve>CVE-2013-5472</cve>
  • In a Qualys scan file exported from the scanner, ensure that the cveid attribute of the VULN element is populated with CVE ID, as shown in the following example:
    <VULN number="122474" severity="3" cveid="CVE-2014-3560">
  • In a Rapid7 scan file exported from the scanner, ensure that the reference element under the vulnerability element is populated with CVE ID, as shown in the following example:
    <vulnerability …> <reference source="CVE">CVE-2014-3596</reference></vulnerability>

After the import, ensure that the CVE column on the Vulnerabilities page shows the associated CVE IDs.
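
A pre-import check for the three scan formats described above. This is an added example, not part of the BMC documentation or the product. It lists the findings in a scan file that carry no CVE ID and therefore cannot be auto-mapped. The sample documents are constructed, and naming a Rapid7 finding by an id attribute is an assumption because the page elides that element's attributes.

```python
import re
import xml.etree.ElementTree as ET

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# scanner -> (finding element, attribute naming the finding, CVE extractor).
# The CVE locations follow the page; using "id" to name a Rapid7 finding is
# an assumption, because the page elides that element's attributes.
FORMATS = {
    "Nessus": ("ReportItem", "pluginID",
               lambda e: [c.text for c in e.findall("cve")]),
    "Qualys": ("VULN", "number", lambda e: [e.get("cveid")]),
    "Rapid7": ("vulnerability", "id",
               lambda e: [r.text for r in e.iter("reference")
                          if r.get("source") == "CVE"]),
}

def findings_without_cve(xml_text):
    """Return (scanner, finding count, names of findings lacking a CVE ID)."""
    # ElementTree suits exports from your own scanner; for files of unknown
    # origin use a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    for scanner, (tag, name_attr, cve_values) in FORMATS.items():
        findings = list(root.iter(tag))
        if findings:
            missing = [f.get(name_attr, "?") for f in findings
                       if not any(CVE_RE.fullmatch((v or "").strip())
                                  for v in cve_values(f))]
            return scanner, len(findings), missing
    raise ValueError("no ReportItem, VULN or vulnerability element found")

# Constructed samples; only the CVE-bearing elements mirror the page.
NESSUS_SAMPLE = """<Report><ReportHost name="constructed-host">
<ReportItem pluginID="70322" pluginName=""><cve>CVE-2013-5472</cve></ReportItem>
<ReportItem pluginID="0001" pluginName=""/>
</ReportHost></Report>"""
QUALYS_SAMPLE = """<SCAN>
<VULN number="122474" severity="3" cveid="CVE-2014-3560"/>
<VULN number="0002" severity="2" cveid=""/>
</SCAN>"""
RAPID7_SAMPLE = """<report><vulnerability id="constructed-1">
<reference source="CVE">CVE-2014-3596</reference></vulnerability></report>"""

if __name__ == "__main__":
    for sample in (NESSUS_SAMPLE, QUALYS_SAMPLE, RAPID7_SAMPLE):
        print(findings_without_cve(sample))
```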

Dashboards showing inconsistent data for closed vulnerabilities

The following inconsistencies can occur when data is reported on the TrueSight Vulnerability Management dashboards:

  • When a server is unmapped, vulnerabilities associated with that server that have been remediated continue to show up as closed.
  • When a vulnerability has been remediated but afterwards the vulnerability is excluded, data for that vulnerability continues to appear in the Closed stage even though the corresponding CVE number no longer seems to be included in the dashboard's data.

Vulnerability automapping doesn’t show patches

To resolve the issue, perform the following steps:

  1. In the bsm.log file, check the occurrence of the 'ContentAcquisition-Thread' and then check for any errors in the thread.
  2. If you see any errors, log on to the application again; this triggers the content acquisition thread to run again.
  3. Monitor the thread again in the bsm.log file and see if the content acquisition thread is running.  

Vulnerability manual mapping does not show patches

Manual mapping is supported only for BLPackages, Component Templates, and NSH script in TrueSight Server Automation.


Actionable vulnerability doesn’t show vulnerability instances

Actionable vulnerability doesn’t show vulnerability instances even though both asset and vulnerability are mapped.

Actionable vulnerabilities show only those instances that are uniquely identified as ready to be remediated. If a vulnerability is auto-mapped, check all the mapped content and the corresponding target rules to ensure that at least one content item is uniquely identifiable for the server.


 


TrueSight Vulnerability Management 3.1