DDPCT
Level 8
Message 1 of 3

ePO DXL Client SSL error after regenerating TIE CAs


Hi all,

Before I go open a support case I was wondering if anyone here with DXL knowledge can help.

There are 2 x ePO server environments.  Environment A (is old ePO) and environment B (is new ePO).

Historically the TIE/DXL appliance was connected to the environment A server but we are getting rid of that environment in the future and decided to do the following:

  • Migrate TIE/DXL server from env A to env B (using the reconfig-ma command to point it to the new ePO server)
  • Built an additional DXL Broker (using Windows broker installation package) on old ePO environment (env A)
  • Create outgoing DXL bridge on old ePO (env A)
  • Create incoming DXL bridge on new ePO (env B)
  • Bridge DXL fabrics between the two ePO servers so that clients on env A ePO can check TIE reputation with a shared TIE server between the two environments.

All is well with Env B ePO - TIE/DXL shows connected and I can see the bridge in the DXL topology pages and it displays green in DXL Topology page (connected).  We had issues viewing TIE reputations in env B ePO but this was fixed by regenerating the TIE CAs as per https://kc.mcafee.com/corporate/index?page=content&id=KB87743

I've also had to run the commands as per https://kc.mcafee.com/corporate/index?page=content&id=KB86943 on the TIE server to get it working with env B ePO so that both ePO servers are authorised to connect to the TIE reputation database.  In addition we had to run the reconfig-ca and reconfig-cert commands on the TIE server.  I also registered both ePO servers with one another and ran the TIE Synchronize CA server tasks on both ePO servers.

As an interim I've set clients on the env A ePO to use the env B bridged DXL hub as their primary source, and those clients on env A ePO are connected to the env B DXL fabric and seeing TIE reputations successfully.  I can verify this by checking the ATP modules on env A ePO clients: they are indicating TIE Connectivity (not GTI) and show the DXL Broker running on the TIE server as the connected DXL broker for those clients.

The issue is that the env A ePO DXL client is not connecting to the newly provisioned DXL broker because of an SSL error.  It's only affecting the env A ePO server's ability to check DXL status and TIE reputations because it cannot determine the presence of a TIE server on the DXL fabric due to the ePO DXL client not connecting.  

Here is the orion.log extract from Env A ePO server:

Caused by: com.mcafee.dxl.client.exception.NotConnectedException: ePO DXL Client not connected to DXL fabric
               at com.mcafee.dxl.client.ext.api.command.AbstractAgentCommand.invoke(AbstractAgentCommand.java:218)
               at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:1274)
               ... 11 more
2020-12-03 05:54:47,225 ERROR [scheduler-InternalTask-thread-2] client.DxlClient  - Failed to connect to broker: {365e0172-3486-11eb-1628-0050568f0027} (ssl://ENVAEPOSERVER:8883): MqttException
2020-12-03 05:54:47,225 ERROR [scheduler-InternalTask-thread-2] client.DxlClient  - Retrying connect in 72399 ms: MqttException (0) - javax.net.ssl.SSLException: Certificate not verified.: MqttException: Certificate not verified.: Certificate not verified.: the certificate chain is not trusted, Certificate verify failed!
2020-12-03 05:55:00,694 ERROR [TieTopicsRegistrationThread-1] service.TieManagementRegistrationService  - Dxl client is not connected to the fabric
2020-12-03 05:55:00,694 ERROR [TieTopicsRegistrationThread-1] service.TieManagementRegistrationService  - Dxl client is not connected to the fabric
2020-12-03 05:55:00,694 ERROR [TieTopicsRegistrationThread-1] signing.TieEventTopicRegister  - Dxl client is not connected when subscribing
2020-12-03 05:55:00,694 ERROR [TieTopicsRegistrationThread-1] signing.TieEventTopicRegister  - Dxl client is not connected when subscribing
2020-12-03 05:55:00,694 ERROR [TieTopicsRegistrationThread-1] signing.TieEventTopicRegister  - Dxl client is not connected when subscribing
2020-12-03 05:55:00,694 ERROR [TieTopicsRegistrationThread-1] signing.TieEventTopicRegister  - Dxl client is not connected when subscribing
2020-12-03 05:55:00,694 ERROR [TieTopicsRegistrationThread-1] signing.TieEventTopicRegister  - Dxl client is not connected when subscribing
2020-12-03 05:55:59,647 ERROR [scheduler-InternalTask-thread-2] client.DxlClient  - Failed to connect to broker: {365e0172-3486-11eb-1628-0050568f0027} (ssl://ENVAEPOSERVER:8883): MqttException
2020-12-03 05:55:59,647 ERROR [scheduler-InternalTask-thread-2] client.DxlClient  - Retrying connect in 61585 ms: MqttException (0) - javax.net.ssl.SSLException: Certificate not verified.: MqttException: Certificate not verified.: Certificate not verified.: the certificate chain is not trusted, Certificate verify failed!
2020-12-03 05:56:00,694 ERROR [TieTopicsRegistrationThread-1] service.TieManagementRegistrationService  - Dxl client is not connected to the fabric
2020-12-03 05:56:00,694 ERROR [TieTopicsRegistrationThread-1] service.TieManagementRegistrationService  - Dxl client is not connected to the fabric

And the DXL broker log on the env A ePO server showing that the ePO client is not connecting due to the SSL error:

[image: DXL broker.PNG]

 

Any ideas on how I can get the ePO DXL client to connect to the broker running on the same server (the env A ePO DXL broker)?

Regards,

Daniel
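As an added example (not part of the post, and not McAfee code), here is a small Python triage script for orion.log extracts like the one above. It separates the DxlClient connection and TLS failures, which are the cause, from the TIE registration "not connected" messages, which are only downstream symptoms, and tallies failed attempts and retry backoff per broker endpoint. The log lines are a constructed sample modelled on the extract; the categories, the `analyse` function and the root-cause wording are my own assumptions, not product behaviour.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, modelled on the orion.log lines quoted in the post.
SAMPLE_LOG = """\
2020-12-03 05:54:47,225 ERROR [scheduler-InternalTask-thread-2] client.DxlClient  - Failed to connect to broker: {365e0172-3486-11eb-1628-0050568f0027} (ssl://ENVAEPOSERVER:8883): MqttException
2020-12-03 05:54:47,225 ERROR [scheduler-InternalTask-thread-2] client.DxlClient  - Retrying connect in 72399 ms: MqttException (0) - javax.net.ssl.SSLException: Certificate not verified.: MqttException: Certificate not verified.: Certificate not verified.: the certificate chain is not trusted, Certificate verify failed!
2020-12-03 05:55:00,694 ERROR [TieTopicsRegistrationThread-1] service.TieManagementRegistrationService  - Dxl client is not connected to the fabric
2020-12-03 05:55:00,694 ERROR [TieTopicsRegistrationThread-1] signing.TieEventTopicRegister  - Dxl client is not connected when subscribing
2020-12-03 05:55:59,647 ERROR [scheduler-InternalTask-thread-2] client.DxlClient  - Failed to connect to broker: {365e0172-3486-11eb-1628-0050568f0027} (ssl://ENVAEPOSERVER:8883): MqttException
2020-12-03 05:55:59,647 ERROR [scheduler-InternalTask-thread-2] client.DxlClient  - Retrying connect in 61585 ms: MqttException (0) - javax.net.ssl.SSLException: Certificate not verified.: MqttException: Certificate not verified.: Certificate not verified.: the certificate chain is not trusted, Certificate verify failed!
"""

# A failed attempt names the broker id and the ssl:// endpoint.
FAILED_RE = re.compile(
    r"Failed to connect to broker: \{(?P<broker>[0-9a-f-]+)\} \((?P<url>ssl://[^)]+)\)"
)
# The retry line carries the backoff and the TLS exception detail, but no endpoint,
# so it is attributed to the most recent failed attempt.
RETRY_RE = re.compile(
    r"Retrying connect in (?P<ms>\d+) ms: .*javax\.net\.ssl\.SSLException: (?P<detail>.*)$"
)
# Everything else that merely reports "not connected" is a consequence, not a cause.
SYMPTOM_RE = re.compile(r"Dxl client is not connected")


def classify_tls_detail(detail: str) -> str:
    """Reduce the long SSLException text to one category (assumed buckets)."""
    d = detail.lower()
    if "chain is not trusted" in d:      # checked first: the text also says "not verified"
        return "untrusted-chain"
    if "certificate not verified" in d:
        return "cert-not-verified"
    if "handshake" in d:
        return "handshake"
    return "other"


@dataclass
class BrokerStats:
    broker_id: str
    failed_attempts: int = 0
    tls_failures: int = 0
    reasons: Counter = field(default_factory=Counter)
    backoff_ms: int = 0


@dataclass
class Report:
    brokers: dict = field(default_factory=dict)   # endpoint url -> BrokerStats
    downstream_symptoms: int = 0
    root_cause: Optional[str] = None


def analyse(log_text: str) -> Report:
    """Walk the log once, keeping state so retry lines attach to their attempt."""
    report = Report()
    last_url = None
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            url = m.group("url")
            stats = report.brokers.setdefault(url, BrokerStats(broker_id=m.group("broker")))
            stats.failed_attempts += 1
            last_url = url
            continue
        m = RETRY_RE.search(line)
        if m and last_url is not None:
            stats = report.brokers[last_url]
            stats.tls_failures += 1
            stats.backoff_ms += int(m.group("ms"))
            stats.reasons[classify_tls_detail(m.group("detail"))] += 1
            continue
        if SYMPTOM_RE.search(line):
            report.downstream_symptoms += 1

    # Root-cause hint (my wording): an untrusted chain between the ePO DXL client and
    # its broker means the two no longer share a CA generation, which is what a
    # CA regeneration followed by an un-regenerated client certificate produces.
    if any(s.reasons["untrusted-chain"] for s in report.brokers.values()):
        report.root_cause = (
            "TLS trust failure: certificate chain not trusted between the ePO DXL "
            "client and its broker; check that the client certificate and broker CA "
            "belong to the same (current) CA generation"
        )
    elif any(s.tls_failures for s in report.brokers.values()):
        report.root_cause = "TLS failure of another kind; inspect the SSLException detail"
    return report


if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    for url, s in r.brokers.items():
        print(f"{url} ({s.broker_id}): {s.failed_attempts} failed attempts, "
              f"{s.tls_failures} TLS failures {dict(s.reasons)}, "
              f"{s.backoff_ms} ms total backoff")
    print(f"downstream 'not connected' symptoms: {r.downstream_symptoms}")
    print(f"root cause: {r.root_cause}")
```

Pointing it at a larger extract shows at a glance whether every TLS failure targets one endpoint (as here, the broker on the same ePO server) and how much of the log is just the TIE registration thread repeating the consequence.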


Accepted Solutions
dfirstbr
McAfee Employee
Message 2 of 3

Re: ePO DXL Client SSL error after regenerating TIE CAs


Hi Daniel

Try running ...

https://eposerver/remote/DxlBrokerMgmt.createEPOClientCert?forceRegen=true

If that doesn't work then go ahead and raise a Service Request and we can troubleshoot further.

-dene



DDPCT
Level 8
Message 3 of 3

Re: ePO DXL Client SSL error after regenerating TIE CAs


Hi Dene,

That fixed it right up!  Many thanks.  Any chance you guys can add this as a KB article for future reference to help other peers?

Regards,

Daniel
