Hi all,
Before I go open a support case I was wondering if anyone here with DXL knowledge can help.
There are 2 x ePO server environments. Environment A (is old ePO) and environment B (is new ePO).
Historically the TIE/DXL appliance was connected to the environment A server but we are getting rid of that environment in the future and decided to do the following:
- Migrate TIE/DXL server from env A to env B (using the reconfig-ma command to point it to the new ePO server)
All is well with Env B ePO - TIE/DXL shows connected and I can see the bridge in the DXL topology pages and it displays green in DXL Topology page (connected). We had issues viewing TIE reputations in env B ePO but this was fixed by regenerating the TIE CAs as per https://kc.mcafee.com/corporate/index?page=content&id=KB87743
I've also had to run the commands as per https://kc.mcafee.com/corporate/index?page=content&id=KB86943 on the TIE server to get it working with env B ePO so that both ePO servers are authorised to connect to the TIE reputation database. In addition we had to run the reconfig-ca and reconfig-cert commands on the TIE server. I also registered both ePO servers with one another and ran the TIE Synchronize CA server tasks on both ePO servers.
As an interim I've set clients on the env A ePO to use the env B bridged DXL hub as their primary source and those clients on env A ePO are connected to env B DXL fabric and seeing TIE reputations successfully. I can verify this by checking the ATP modules on env A ePO clients and they are indicating TIE Connectivity (not GTI) and show the DXL Broker running on the TIE server as the connected DXL broker for those clients.
The issue is that the env A ePO DXL client is not connecting to the newly provisioned DXL broker because of an SSL error. It's only affecting the env A ePO server's ability to check DXL status and TIE reputations because it cannot determine the presence of a TIE server on the DXL fabric due to the ePO DXL client not connecting.
Here is the orion.log extract from Env A ePO server:
Caused by: com.mcafee.dxl.client.exception.NotConnectedException: ePO DXL Client not connected to DXL fabric
at com.mcafee.dxl.client.ext.api.command.AbstractAgentCommand.invoke(AbstractAgentCommand.java:218)
at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:1274)
... 11 more
2020-12-03 05:54:47,225 ERROR [scheduler-InternalTask-thread-2] client.DxlClient - Failed to connect to broker: {365e0172-3486-11eb-1628-0050568f0027} (ssl://ENVAEPOSERVER:8883): MqttException
2020-12-03 05:54:47,225 ERROR [scheduler-InternalTask-thread-2] client.DxlClient - Retrying connect in 72399 ms: MqttException (0) - javax.net.ssl.SSLException: Certificate not verified.: MqttException: Certificate not verified.: Certificate not verified.: the certificate chain is not trusted, Certificate verify failed!
2020-12-03 05:55:00,694 ERROR [TieTopicsRegistrationThread-1] service.TieManagementRegistrationService - Dxl client is not connected to the fabric
2020-12-03 05:55:00,694 ERROR [TieTopicsRegistrationThread-1] service.TieManagementRegistrationService - Dxl client is not connected to the fabric
2020-12-03 05:55:00,694 ERROR [TieTopicsRegistrationThread-1] signing.TieEventTopicRegister - Dxl client is not connected when subscribing
2020-12-03 05:55:00,694 ERROR [TieTopicsRegistrationThread-1] signing.TieEventTopicRegister - Dxl client is not connected when subscribing
2020-12-03 05:55:00,694 ERROR [TieTopicsRegistrationThread-1] signing.TieEventTopicRegister - Dxl client is not connected when subscribing
2020-12-03 05:55:00,694 ERROR [TieTopicsRegistrationThread-1] signing.TieEventTopicRegister - Dxl client is not connected when subscribing
2020-12-03 05:55:00,694 ERROR [TieTopicsRegistrationThread-1] signing.TieEventTopicRegister - Dxl client is not connected when subscribing
2020-12-03 05:55:59,647 ERROR [scheduler-InternalTask-thread-2] client.DxlClient - Failed to connect to broker: {365e0172-3486-11eb-1628-0050568f0027} (ssl://ENVAEPOSERVER:8883): MqttException
2020-12-03 05:55:59,647 ERROR [scheduler-InternalTask-thread-2] client.DxlClient - Retrying connect in 61585 ms: MqttException (0) - javax.net.ssl.SSLException: Certificate not verified.: MqttException: Certificate not verified.: Certificate not verified.: the certificate chain is not trusted, Certificate verify failed!
2020-12-03 05:56:00,694 ERROR [TieTopicsRegistrationThread-1] service.TieManagementRegistrationService - Dxl client is not connected to the fabric
2020-12-03 05:56:00,694 ERROR [TieTopicsRegistrationThread-1] service.TieManagementRegistrationService - Dxl client is not connected to the fabric
And DXL broker log on env A ePO server showing that the ePO client is not connecting due to SSL error:
Any ideas on how I can get the ePO DXL client to connect to the broker running on the same server? (env A ePO DXL broker)?
Regards,
Daniel
Hi Daniel
Try running ...
https://eposerver/remote/DxlBrokerMgmt.createEPOClientCert?forceRegen=true
If that doesn't work then go ahead and raise a Service Request and we can troubleshoot further.
-dene
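The failure in the orion.log extract ("the certificate chain is not trusted") is what happens when the broker's trust has been regenerated but the ePO DXL client still presents a client cert issued under the old CA; the forceRegen command reissues that cert. The script below is an added example, not code from the thread or from McAfee: it reproduces the mismatch with throw-away certificates and openssl, then shows the reissued cert verifying again. All names (dxl-ca-old, dxl-ca-new, epo-client) and the minimal req config are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not McAfee code): why a DXL client cert stops verifying after the
# CA is regenerated, and why reissuing the client cert under the current CA
# (the effect of DxlBrokerMgmt.createEPOClientCert?forceRegen=true) fixes it.
# All names and the config below are constructed for this example.
WORK="$(mktemp -d)"

# Minimal req config so the demo does not depend on the system openssl.cnf
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF

# make_ca NAME: self-signed CA (stand-in for the DXL CA the broker trusts)
make_ca() {
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 1 -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_client CA NAME: client cert signed by CA (stand-in for the ePO DXL client cert)
issue_client() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_against CA CLIENT: exit 0 only if CLIENT chains to CA (the broker's TLS check)
verify_against() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca dxl-ca-old
issue_client dxl-ca-old epo-client     # cert the env A ePO DXL client still holds
make_ca dxl-ca-new                     # trust regenerated (the KB87743 CA regeneration)

verify_against dxl-ca-old epo-client && echo "old CA: ePO client cert trusted"
verify_against dxl-ca-new epo-client || echo "new CA: certificate chain is not trusted (the orion.log failure)"

issue_client dxl-ca-new epo-client     # reissue the client cert, i.e. forceRegen=true
verify_against dxl-ca-new epo-client && echo "new CA: ePO client cert trusted after regeneration"
```

The same openssl verify check, run with the broker's current CA against the ePO client cert, is a quick way to confirm a chain mismatch before forcing a regeneration. The temporary directory is left in place so the generated files can be inspected.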
Hi Dene,
That fixed it right up! Many thanks. Any chance you guys can add this as a KB article for future reference to help other peers?
Regards,
Daniel