DX Unified Infrastructure Management

  • 1.  Problem drilling into NFA on Windows 2008 from UIM 8.31

    Broadcom Employee
    Posted Sep 17, 2015 02:36 PM

    I am seeing a problem with how the product works when installed in the following configuration:

     

    NFA 9.3.2 (upgrade installation) on Windows 2008r2  (tried a second time with the same results on a refreshed installation)

     

    From the UI:

     

    An unknown error has occurred.

    Refreshing your browser may resolve the issue.

     

    Details:

    com.firehunter.ump.exceptions.DataFactoryException : Unable to register user with NFA

     

    Stack Trace:

    java.lang.Exception: Unable to register user with NFA

     

    This is what I get in the nfa_inventory.log:

     

    Sep 17 13:51:10:645 [attach_socket, nfa_inventory] Attempting to locate an existing user for administrator

    Sep 17 13:51:10:665 [attach_socket, nfa_inventory] **** NFA API URI: http://###.###.###.###:80/ReporterDataSource/UserAndGroupMappingWS.svc/FindUser

    Sep 17 13:51:10:931 [attach_socket, nfa_inventory] HTTP request to NFA status line: HTTP/1.1 200 OK

    Sep 17 13:51:10:933 [attach_socket, nfa_inventory] **** NFA API URI: http://###.###.###.###:80/ReporterDataSource/UserAndGroupMappingWS.svc/FindRole

    Sep 17 13:51:10:969 [attach_socket, nfa_inventory] HTTP request to NFA status line: HTTP/1.1 200 OK

    Sep 17 13:51:10:973 [attach_socket, nfa_inventory] **** NFA API URI: http://###.###.###.###:80/ReporterDataSource/UserAndGroupMappingWS.svc/CreateRole

    Sep 17 13:51:11:178 [attach_socket, nfa_inventory] HTTP request to NFA status line: HTTP/1.1 200 OK

    Sep 17 13:51:11:179 [attach_socket, nfa_inventory] **** NFA API URI: http://###.###.###.###:80/ReporterDataSource/UserAndGroupMappingWS.svc/FindPermissionSet

    Sep 17 13:51:11:209 [attach_socket, nfa_inventory] HTTP request to NFA status line: HTTP/1.1 200 OK

    Sep 17 13:51:11:210 [attach_socket, nfa_inventory] Unable to locate or create permission set for user registration.

     

    I am able to get this working without issue on the following:

     

    NFA 9.3.2 (fresh installation) on Windows 2012

     

    This is from the 2012 machine with the additional query made:

     

    Sep 16 18:13:06:347 [attach_socket, nfa_inventory] Attempting to locate an existing user for administrator

    Sep 16 18:13:06:358 [attach_socket, nfa_inventory] **** NFA API URI: http://###.###.###.###:80/ReporterDataSource/UserAndGroupMappingWS.svc/FindUser

    Sep 16 18:13:06:658 [attach_socket, nfa_inventory] HTTP request to NFA status line: HTTP/1.1 200 OK

    Sep 16 18:13:06:659 [attach_socket, nfa_inventory] **** NFA API URI: http://###.###.###.###:80/ReporterDataSource/UserAndGroupMappingWS.svc/FindRole

    Sep 16 18:13:06:687 [attach_socket, nfa_inventory] HTTP request to NFA status line: HTTP/1.1 200 OK

    Sep 16 18:13:06:689 [attach_socket, nfa_inventory] **** NFA API URI: http://###.###.###.###:80/ReporterDataSource/UserAndGroupMappingWS.svc/CreateRole

    Sep 16 18:13:06:823 [attach_socket, nfa_inventory] HTTP request to NFA status line: HTTP/1.1 200 OK

    Sep 16 18:13:06:825 [attach_socket, nfa_inventory] **** NFA API URI: http://###.###.###.###:80/ReporterDataSource/UserAndGroupMappingWS.svc/FindPermissionSet

    Sep 16 18:13:06:869 [attach_socket, nfa_inventory] HTTP request to NFA status line: HTTP/1.1 200 OK

    Sep 16 18:13:06:871 [attach_socket, nfa_inventory] Unable to locate any existing interface groups for the supplied origins - interface group mapping may not have completed yet.

    Sep 16 18:13:06:872 [attach_socket, nfa_inventory] **** NFA API URI: http://###.###.###.###:80/ReporterDataSource/UserAndGroupMappingWS.svc/AssignUserPermissions

    Sep 16 18:13:06:901 [attach_socket, nfa_inventory] HTTP request to NFA status line: HTTP/1.1 200 OK

     

    Note:

    Neither NFA configuration was ever registered to CAPC or NPC.

    The same UIM installation was used to test both (not at the same time).

    The user was duplicated on both NFA installations as it exists on UIM.

    Probe was installed on each NFA machine, but only one at a time (when one was being tested the other had the probe uninstalled, and the machine was not present in IM).

    Data was viewable in UMP during testing of each NFA installation (required to have the ability to drill out).

    Both NFA installations are Standalone.



  • 2.  Re: Problem drilling into NFA on Windows 2008 from UIM 8.31
    Best Answer

    Broadcom Employee
    Posted Sep 21, 2015 10:35 PM

    This can happen with an upgrade installation from 9.2.1 to 9.3.2. The following MySQL query on the NFA Console will fix the problem:

     

    use reporter

    update groups set itemdesc='Includes every group and item type defined within Network Flow Analysis.' where itemname='All Groups';



  • 3.  Re: Problem drilling into NFA on Windows 2008 from UIM 8.31

    Broadcom Employee
    Posted Sep 23, 2015 02:21 PM

    Nice Chris, I ran into the same error, but because I tried to add CAPC to NFA while UIM was integrated to see how it would work.

    I confirmed adding CAPC or NPC to an environment where UIM is installed is officially not supported, but I have already seen a handful of people do it in the field and run into problems. Even after deleting NFA as a data source from CAPC the problem remained.

     

    When you drill down from NFA to UIM, it triggers queries like the ones below to run on the NFA console.

    If one of these doesn't return a result or returns more than one result it will cause UIM to throw the error above.

     

    • select RoleID, Name, Description, Enabled from role_definitions where Name = 'Administrator' and Description = 'Administrator';

     

    • select g.GroupID, g.ItemName, g.ItemDesc, g.PermissionSet, g.DatasourceRoot, g.AutomaticGroupDefinitionId, g.AutomaticGroupInstanceName, g.MemberCount from groups g where g.PermissionSet = 'Y' and ItemName = 'All Groups' and ItemDesc = 'Includes every group and item type defined within Network Flow Analysis.';

     

     

    In my case, I was using the account named 'Administrator' which had an 'Administrator' role tied to it.

    This worked fine before adding NFA to CAPC.  Once added to CAPC, which again is unsupported, it changed the description of the 'Administrator' role from 'Administrator' as defined in UIM, to something else.  So the first query above would not return any results and the error would be thrown in UIM when trying to drill out to NFA.

     

    I edited this role description in NFA to correct that part of the problem.

     

    The other problem was with the groups table as you mentioned in your Solution, as the 'All Groups' row had an Item description referencing ReporterAnalyzer instead of Network Flow Analysis. I updated it with your query:

        mysql reporter

        update groups set itemdesc='Includes every group and item type defined within Network Flow Analysis.' where itemname='All Groups';

     

    Last, we found that two groups with the itemname "All Groups" were created in NFA when added to CAPC, which caused the second query above to fail.

    To correct this we had to update the 'itemdesc' on one of the rows to be slightly different than the other.

     

    This allowed me to drill out of UIM into NFA without issue.
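
A read-only check for the two lookups described in the thread, added here as an example (it is not from the posters or from Broadcom). It assumes the `reporter` schema and the table and column names quoted above, and the 'Administrator' role from the last post; substitute the role your UIM user maps to. Each lookup is reported as OK only when exactly one row matches.

```sql
-- Added diagnostic example: SELECT statements only, nothing is modified.
-- Table, column and literal values are taken from the queries quoted in the
-- thread; the role name 'Administrator' is that poster's case (assumption).
USE reporter;

-- 1. Role lookup: zero rows or more than one row breaks user registration.
SELECT 'role_definitions' AS lookup,
       COUNT(*)           AS matching_rows,
       CASE COUNT(*) WHEN 1 THEN 'OK'
                     WHEN 0 THEN 'MISSING'
                     ELSE 'DUPLICATE' END AS status
FROM role_definitions
WHERE Name = 'Administrator'
  AND Description = 'Administrator';

-- 2. Permission-set lookup on the 'All Groups' row.
--    `groups` is backtick-quoted because GROUPS is a reserved word in
--    MySQL 8.0.2 and later; the quoting is harmless on older servers.
SELECT 'groups'  AS lookup,
       COUNT(*)  AS matching_rows,
       CASE COUNT(*) WHEN 1 THEN 'OK'
                     WHEN 0 THEN 'MISSING'
                     ELSE 'DUPLICATE' END AS status
FROM `groups` g
WHERE g.PermissionSet = 'Y'
  AND g.ItemName = 'All Groups'
  AND g.ItemDesc = 'Includes every group and item type defined within Network Flow Analysis.';

-- 3. If either check is not OK, list the candidate rows without the
--    description filter to see what the stored values actually are
--    (for example a description that still references ReporterAnalyzer,
--    or two rows named 'All Groups').
SELECT RoleID, Name, Description, Enabled
FROM role_definitions
WHERE Name = 'Administrator';

SELECT g.GroupID, g.ItemName, g.ItemDesc, g.PermissionSet
FROM `groups` g
WHERE g.ItemName = 'All Groups';
```

Recording the output of step 3 before running any `update` keeps the original descriptions available if the change has to be reverted.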