Environment
McAfee ePolicy Orchestrator (ePO) 5.9.1
Problem
The ePO Agent Handler certificate is not regenerated when the new certificate is activated during the certificate migration process described in KB87017. Because of this failure, the Agent Handler shuts down and agents cannot communicate with the ePO server.
Server.log records the following errors:
20171204160517 E #00344 MCUPLOAD SecureHttp.cpp(694): Failed to send HTTP request to server <servername> for command name epo.command.isAgentHandlerCertValidCmd on port 8444. (error=12175)
20171204160517 E #00344 MCUPLOAD SecureHttp.cpp(883): Failed to process the secure communication request (error=12175)
20171204160517 E #00344 NAIMSERV servinit.cpp(633): The agent handler certificate check failed. This means that there is a discrepancy between the certificates stored
20171204160517 E #00344 NAIMSERV in the server keystore and the certificate used by this agent handler. This will cause communication failures with
20171204160517 E #00344 NAIMSERV any agents connecting to this agent handler, shutting down the Agent Handler.
20171204160517 I #00344 NAIMSERV Shutting down server...
...
20171204155758 I #04768 AHSETUP Using existing certificate files found in C:/Program Files (x86)/McAfee/ePolicy Orchestrator/Apache2\conf\ssl.crt\
The orion log might contain an error similar to the following:
services.EPOAgentHandlerCertService - Failed to verify ahCert by caAhCert
java.security.SignatureException: Certificate verify failed!
System Change
Upgraded ePO 5.x to 5.9.1, and then followed the certificate migration process described in KB87017.
Cause
The Agent Handler is expected to regenerate its certificate during the migration process described in KB87017. This issue occurs when the Agent Handler instead reuses the existing certificate rather than generating a new one, so the certificate it presents no longer matches the one stored in the server keystore and agent-server communication fails.
Solution
This issue is expected to be resolved in ePO 5.10, which does not yet have an anticipated release date.
Any future product functionality or releases mentioned in the Knowledge Base are intended to outline our general product direction. Do not rely on them as a commitment or when you make purchasing decisions.
Solution
Apply ePO 5.9.1 Hotfix 1226775. Hotfix 1226775 prevents the issue from occurring; if the issue has already occurred, the hotfix does not resolve it.
CAUTION:
Do not apply ePO 5.9.1 Hotfix 1226775 if you manage one or more McAfee Agent 4.8 clients in the environment. In these environments, Hotfix 1226775 can cause policy enforcement issues. McAfee will repost ePO 5.9.1 Hotfix 1226775 with a fix for the McAfee Agent 4.8 policy enforcement issue soon. Until the hotfix is reposted, use the workaround that follows. If you already applied the hotfix and you are managing McAfee Agent 4.8 clients, contact Technical Support and reference KB90182 for instructions.
If you already have the issue described in this article, continue to the Workaround section that follows. The hotfix also does not help if you have already started the migration process: either cancel the migration or, on completion of the migration, follow the steps in the Workaround section below.
NOTE:
You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site and alternate download locations for some products.
Workaround
IMPORTANT:
This workaround is intended for use only in cases where the issue described in this article has already occurred. Any solution included in future product releases will prevent the issue from occurring, but it does not address the issue if it has already occurred.
To address the issue after it has occurred, manually regenerate the Agent Handler certificate on the ePO server and all Remote Agent Handlers:
1. Press the Windows Key+R and type services.msc.
2. Right-click the McAfee ePolicy Orchestrator Server service and click Stop.
3. Rename the SSL.CRT folder (below) to SSL.CRT.OLD:
   Default ePO path: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
   Default Agent Handler path: "C:\Program Files (x86)\McAfee\Agent Handler\Apache2\conf\ssl.crt"
4. Create a folder named SSL.CRT in the same path.
5. Click Start, type cmd in the search field, right-click Command Prompt, and select Run as administrator.
6. Change directories to your ePO installation directory:
   Default ePO path: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\"
   Default Agent Handler path: "C:\Program Files (x86)\McAfee\Agent Handler\"
7. Run the following command:
   Rundll32.exe ahsetup.dll RunDllGenCerts <ePO_server_name> <console_HTTPS_port> <admin_username> <password> <"installdir\Apache2\conf\ssl.crt">
   Where:
   <ePO_server_name> is your ePO server NetBIOS name or IP address.
   NOTE: For Cluster ePO setups, use the Cluster/Virtual NetBIOS name in place of 'ePO_Server_Name' when generating the Agent Handler certificate. Using a Node (Primary or Secondary) NetBIOS name causes agent wake-up calls to fail if the other Node (whose NetBIOS name was not used to generate the Agent Handler certificate) is active.
   <console_HTTPS_port> is your ePO console port (default is 8443).
   <admin_username> is admin (use the default ePO admin console account).
   <password> is the password of the ePO admin console account.
   <installdir\Apache2\conf\ssl.crt> is your installation path to the Apache folder. Default installation paths:
   ePO path: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
   Agent Handler path: "C:\Program Files (x86)\McAfee\Agent Handler\Apache2\conf\ssl.crt"
   Example:
   Rundll32.exe ahsetup.dll RunDllGenCerts eposervername 8443 administrator password "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
   IMPORTANT:
   The referenced command fails if you have enabled User Account Control (UAC) on this server. If the server runs Windows Server 2008 or later, disable UAC.
   This command is case sensitive.
   The ahsetup.log (found in <installdir\Apache2\conf\ssl.crt>) provides information about whether the command succeeded or failed, and states whether it used the files located in the ssl.crt folder.
8. Start the McAfee ePolicy Orchestrator Server service.
9. Open DB/logs/server.log and verify that the Agent Handler (Apache server) started correctly. A message similar to the following is recorded:
   ePolicy Orchestrator server started
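The nine workaround steps above, scripted for the ePO server (not for a Remote Agent Handler) as an added example that is not McAfee's code. It assumes the default ePO install path, that the ePO server service is named MCAFEEAPACHESRV (verify in services.msc), and that it runs in an elevated PowerShell session with UAC disabled, as the IMPORTANT note requires; it refuses to run unless server.log already shows the certificate check failure, and it checks ahsetup.log and server.log the way the article describes.

```powershell
# Added example (not McAfee's code). Assumptions: default install path, service name
# MCAFEEAPACHESRV, elevated session with UAC disabled, run only on the ePO server itself.
param(
    [Parameter(Mandatory)][string]$EpoServerName,   # NetBIOS name (cluster: the virtual name)
    [Parameter(Mandatory)][System.Security.SecureString]$AdminPassword,
    [string]$AdminUser   = 'admin',
    [int]$ConsolePort    = 8443,
    [string]$InstallDir  = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator',
    [string]$ServiceName = 'MCAFEEAPACHESRV'        # assumed name of the "ePolicy Orchestrator Server" service
)
$ErrorActionPreference = 'Stop'
$sslCrt    = Join-Path $InstallDir 'Apache2\conf\ssl.crt'
$serverLog = Join-Path $InstallDir 'DB\logs\server.log'
# The workaround is only for servers that already show the symptom: look for the NAIMSERV error.
if (-not (Select-String -Path $serverLog -Pattern 'agent handler certificate check failed' -Quiet)) {
    Write-Warning 'server.log shows no Agent Handler certificate check failure; nothing to do.'
    return
}
# Steps 1-2: stop the ePO server service.
$svc = Get-Service -Name $ServiceName
Stop-Service -InputObject $svc -Force
$svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
# Steps 3-4: keep the old certificates as ssl.crt.old and give ahsetup an empty ssl.crt,
# so it cannot fall back to "Using existing certificate files" as in the AHSETUP log line above.
Rename-Item -Path $sslCrt -NewName 'ssl.crt.old'
New-Item -ItemType Directory -Path $sslCrt | Out-Null
# Steps 5-7: run the case-sensitive RunDllGenCerts command from the install directory.
# rundll32 is a GUI-subsystem binary, so -Wait is needed; the password is plain text only here.
$plain = [System.Net.NetworkCredential]::new('', $AdminPassword).Password
Start-Process -FilePath 'rundll32.exe' -WorkingDirectory $InstallDir -Wait -NoNewWindow -ArgumentList @(
    'ahsetup.dll', 'RunDllGenCerts', $EpoServerName, $ConsolePort, $AdminUser, "`"$plain`"", "`"$sslCrt`"")
$plain = $null
# ahsetup.log states whether new certificates were generated or the existing files were reused.
$ahLog = Get-Content -Path (Join-Path $sslCrt 'ahsetup.log') -Raw
if ($ahLog -match 'Using existing certificate files') {
    throw 'ahsetup reused existing certificate files; ssl.crt was not empty. Check ahsetup.log.'
}
# Steps 8-9: start the service and confirm the Apache/Agent Handler start in the new log entries only.
$linesBefore = (Get-Content -Path $serverLog).Count
Start-Service -InputObject $svc
$svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
Start-Sleep -Seconds 60
$new = Get-Content -Path $serverLog | Select-Object -Skip $linesBefore
if (-not ($new | Select-String -Pattern 'ePolicy Orchestrator server started' -Quiet)) {
    throw 'No "ePolicy Orchestrator server started" line after restart; collect a MER (PD22739) and ahsetup.log.'
}
```

Run it once per ePO server; for Remote Agent Handlers, repeat steps 1 to 9 by hand with the Agent Handler paths given above.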
If the issue persists, collect the following data before you contact Technical Support:
   A MER result from the ePO server (PD22739)
   A copy of <installdir>\Apache2\conf\ssl.crt\ahsetup.log