ePolicy Orchestrator cannot make outbound connections to SQL, LDAP, or other servers where TLS 1.0 is disabled

Environment

McAfee ePolicy Orchestrator (ePO) 5.10

Summary

Starting with ePO 5.10, Transport Layer Security (TLS) 1.0 is disabled by default on the ePO side. Any outbound connection from ePO to an external system must therefore be able to negotiate TLS 1.1 or higher; a peer that only offers TLS 1.0 (or SSLv3) will fail the handshake.

Examples of such outbound connections include, but are not limited to:
  • Encrypted SQL connections
  • Registered LDAP Servers
  • Syslog servers
  • Any other registered server where the server connection might use TLS

Problem

An upgrade to ePO 5.10 fails with the following error:
 
An attempt to establish a test connection to the SQL Server ‘Your SQL Server’ failed. The SQL Server used by McAfee ePO must support a secure communication with TLS 1.1 or 1.2.

Problem

A test connection on a registered server that uses TLS fails after upgrading to ePO 5.10. 

Solution

Enable TLS 1.1 or higher on the server at the other end of the TLS handshake from ePO (the SQL Server, LDAP server, syslog receiver, or other registered server).

For Microsoft SQL instructions, see:
NOTE: The above link applies only to SQL Server and is offered as the most common example of this issue. The same failure can occur with any registered server that uses TLS, for example a registered LDAP server, and the fix is the same: enable TLS 1.1 or 1.2 on that server.
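Before changing the peer, it is worth confirming from the ePO server which TLS versions that peer actually accepts. The following PowerShell is an added example for this article and is not McAfee code or tooling. It probes a server that speaks TLS directly on the socket (an LDAPS server on 636, a TLS syslog receiver) one protocol version at a time; the hostname in the usage line is a placeholder. It does not apply to SQL Server, which negotiates TLS inside the TDS PreLogin exchange rather than on the raw socket, so for SQL Server follow the Microsoft guidance referenced above.

```powershell
# Added example (not McAfee's code): probe which TLS versions a remote server accepts.
# Run from the ePO server. Works for servers that do TLS directly on the socket
# (LDAPS, TLS syslog). NOT for SQL Server, whose TLS handshake is tunnelled in TDS PreLogin.
function Test-TlsProtocol {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($ComputerName, $Port)
        # The validation callback returns $true so a self-signed or mismatched certificate
        # does not mask the protocol result: this probe tests the handshake, not trust.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        # Offer exactly one protocol version; the server either completes the handshake or not.
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        [pscustomobject]@{
            Server     = "$ComputerName`:$Port"
            Offered    = $Protocol
            Supported  = $true
            Negotiated = $ssl.SslProtocol
            Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Error      = $null
        }
    } catch {
        [pscustomobject]@{
            Server     = "$ComputerName`:$Port"
            Offered    = $Protocol
            Supported  = $false
            Negotiated = $null
            Cipher     = $null
            Error      = $_.Exception.Message
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Check TLS 1.0, 1.1 and 1.2 separately. ePO 5.10 needs Tls11 or Tls12 to succeed;
# a peer where only 'Tls' (TLS 1.0) succeeds is exactly the case this article describes.
function Test-EpoTlsTarget {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port
    )
    foreach ($p in 'Tls', 'Tls11', 'Tls12') {
        Test-TlsProtocol -ComputerName $ComputerName -Port $Port -Protocol $p
    }
}

# Usage (hostname is a placeholder, not a real server):
# Test-EpoTlsTarget -ComputerName ldap.example.internal -Port 636 | Format-Table -AutoSize
```

Read the results with one caveat: the probe uses the ePO host's own SCHANNEL configuration, so a Supported=False result for Tls may reflect TLS 1.0 being disabled on the ePO server itself rather than on the peer. A peer that returns Supported=True for Tls11 or Tls12 is already good enough for ePO 5.10 and needs no further change.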

Workaround

If changing the configuration on the other server is not possible, you can upgrade to ePO 5.10 with TLS 1.0 enabled as a temporary workaround.

CAUTION: McAfee strongly discourages enabling TLS 1.0 in ePO 5.10, because doing so reduces the security posture of your ePO server. These instructions are intended for use only as a last resort, and only temporarily until other servers in the environment are upgraded to a version that can consume a TLS 1.1 or 1.2 connection.

Start the ePO 5.10 install or upgrade with the DISABLETLSV1=0 switch. The command line is as follows:
 
\Setup.exe DISABLETLSV1=0

NOTE: The system property -Djavax.jdk.tls.client.protocols="TLSv1, TLSv1.1, TLSv1.2" re-enables TLSv1 for the connections ePO makes to its own SQL Server database and to Registered Servers of type SQL Server, MySQL, PostgreSQL, and LDAP. When DISABLETLSV1=0 is used, the property is appended to:
  • The installer
  • Java Options in the Windows Registry

Workaround

If you have already installed or upgraded to ePO 5.10 and you need to enable TLS 1.0:

CAUTION: McAfee strongly discourages enabling TLS 1.0 in ePO 5.10, because doing so reduces the security posture of your ePO server. These instructions are intended for use only as a last resort, and only temporarily until other servers in the environment are upgraded to a version that can consume a TLS 1.1 or 1.2 connection.
  1. Open the Windows Registry Editor.
  2. Navigate to: HKLM\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\MCAFEETOMCATSRVXXX\Parameters\Java
  3. Edit the REG_MULTI_SZ value named Options.
  4. Add this entry on a new line in the Options value:
-Djavax.jdk.tls.client.protocols="TLSv1, TLSv1.1, TLSv1.2"
  5. Restart the ePO services.
To reverse the change, repeat the previous steps and remove the line you added in step 4.
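The registry edit above is easy to get slightly wrong by hand (a second copy of the line, or a leftover when reverting), so the following PowerShell is offered as an added example that applies or reverses it idempotently. It is not McAfee code. It assumes the service key under Procrun 2.0 begins with MCAFEETOMCATSRV (the article shows it as MCAFEETOMCATSRVXXX, so the script discovers the one matching key rather than guessing the suffix) and that Options is REG_MULTI_SZ as stated above. Run it from an elevated PowerShell session on the ePO server and restart the ePO services afterwards.

```powershell
# Added example (not McAfee's code): enable or disable the TLSv1 client-protocol option
# in the ePO Tomcat service's Java Options, without duplicating or orphaning the line.
# Assumption: exactly one MCAFEETOMCATSRV* key exists under Procrun 2.0 (the article
# writes it as MCAFEETOMCATSRVXXX). Requires an elevated session.
$TlsV1Option  = '-Djavax.jdk.tls.client.protocols="TLSv1, TLSv1.1, TLSv1.2"'
$TlsV1Pattern = '-Djavax.jdk.tls.client.protocols=*'
$ProcrunKey   = 'HKLM:\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0'

function Get-EpoTomcatJavaKey {
    # Resolve the XXX part of MCAFEETOMCATSRVXXX by looking it up instead of hard-coding it.
    $keys = @(Get-ChildItem -Path $ProcrunKey | Where-Object { $_.PSChildName -like 'MCAFEETOMCATSRV*' })
    if ($keys.Count -ne 1) {
        throw "Expected exactly one MCAFEETOMCATSRV* key under '$ProcrunKey', found $($keys.Count)."
    }
    return "$ProcrunKey\$($keys[0].PSChildName)\Parameters\Java"
}

function Get-EpoJavaOptions {
    # Returns the current REG_MULTI_SZ 'Options' entries as a string array.
    $key = Get-EpoTomcatJavaKey
    return @((Get-ItemProperty -Path $key -Name Options).Options)
}

function Set-EpoTlsV1Client {
    param([Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$Action)
    $key     = Get-EpoTomcatJavaKey
    $current = Get-EpoJavaOptions

    # Remove any existing client-protocols line (whatever protocol list it carries) so the
    # value never ends up with two of them, then add the TLSv1 line only when enabling.
    $new = @($current | Where-Object { $_ -notlike $TlsV1Pattern })
    if ($Action -eq 'Enable') { $new += $TlsV1Option }

    if (($new -join "`n") -eq ($current -join "`n")) {
        Write-Host "Options already in the requested state ($Action); no change made."
        return
    }

    # Keep a copy of the previous value so the edit can be undone by hand if needed.
    $backup = Join-Path $env:TEMP ("epo-java-options-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
    $current | Set-Content -Path $backup

    Set-ItemProperty -Path $key -Name Options -Value ([string[]]$new) -Type MultiString
    Write-Host "Options updated (backup of previous value: $backup)."
    Write-Host "Restart the ePO services for the change to take effect."
}

# Usage:
#   Set-EpoTlsV1Client -Action Enable    # last-resort workaround from this article
#   Set-EpoTlsV1Client -Action Disable   # revert once the peer supports TLS 1.1 or 1.2
#   Get-EpoJavaOptions                    # inspect the current Java Options
```

Disabling removes the line by pattern rather than by exact string, so it also cleans up a hand-edited variant of the property. Run Get-EpoJavaOptions after a Disable to confirm no -Djavax.jdk.tls.client.protocols entry remains before treating the server as back to the 5.10 default.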