dcaffrey
Level 10
Message 1 of 10

epo 5.10 Update 11 can't connect to Database

Currently running ePO 5.10 Update 10 - No Issues

After applying Update 11 I get an error connecting to the database. Test Connection shows this:

Test failed: Network error IOException: insufficient_security(71)

I've run IISCrypto on both the ePO and SQL servers and they seem OK.

Any help much appreciated.

9 Replies
cdinet
McAfee Employee
Message 2 of 10

Re: epo 5.10 Update 11 can't connect to Database

What did you do specifically with IISCrypto? If everything is grayed out and it looks like a lot of things are checked, that means it is using OS defaults and may not be sufficient. Make sure you chose best practices in IISCrypto and rebooted both the ePO and SQL servers. If you did that, then we would need a Wireshark capture, a MER from ePO and nmap outputs from the ePO and SQL servers (KB91115), and you would need to open an SR so we can review the data.

The Wireshark capture would need to be taken when you start the ePO services: start the capture first, then start only the Application Server service, on all interfaces. That captures the SSL handshake.

If SQL is on the same server, follow KB91433 to get loopback traffic for the handshake.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

cdinet
McAfee Employee
Message 3 of 10

Re: epo 5.10 Update 11 can't connect to Database

Update 11 removed some weak ciphers, so it is possible that one of the servers doesn't have the right ciphers.


dcaffrey
Level 10
Message 4 of 10

Re: epo 5.10 Update 11 can't connect to Database

nmap shows these ciphers on the SQL server:

TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - F
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - F
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - F
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - F
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp521r1) - F
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp521r1) - F
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp521r1) - F
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp521r1) - F
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - F
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - F
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - F
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - F
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - F
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Insecure certificate signature (SHA1), score capped at F
|_ least strength: F

cdinet
McAfee Employee
Message 5 of 10

Re: epo 5.10 Update 11 can't connect to Database

Match them with what ePO has. Wireshark is the best way to know what cipher SQL is responding with. In a Wireshark capture you will see the Server Hello; it shows the exact cipher that SQL responded with. In the Client Hello packet you see the list of ciphers ePO is offering to negotiate with. If SQL doesn't have one of the ones ePO offers, it can't negotiate the handshake.


cdinet
McAfee Employee
Message 6 of 10

Re: epo 5.10 Update 11 can't connect to Database

Check also KB91519; there is a section in there on the specific requirements for Update 11. If you did open a ticket, please send me the case number in private chat.

For ePO 5.10 CU 11 and later:
For outbound connections to the SQL Server, Tomcat supports the following cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA

So, on the SQL Server hosting the ePO database, at least one of these suites must be enabled in the SChannel Settings, which includes installations where SQL is on the same computer as ePO.

For inbound connections from the ePO Server service and ePO Agent Handler service, Tomcat supports the four cipher suites listed below:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

So, on the computer where ePO is installed, and on any remote agent handlers, at least one of these cipher suites must be enabled in the SChannel Settings.

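The "match them with what ePO has" step above can be done mechanically. The following added example (my code, not from the thread or from McAfee) parses nmap ssl-enum-ciphers output such as the one pasted earlier, intersects it with the outbound suite list quoted from KB91519, and reports which suites a handshake can land on; an empty intersection is exactly the condition that produces the insufficient_security alert in the first post. The sample nmap text is a constructed, abridged copy of the thread's output.

```python
import re

# Outbound suites that ePO 5.10 CU11+ (Tomcat -> SQL Server) supports, as listed in the reply above
EPO_OUTBOUND_SUITES = frozenset([
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
])

# Constructed sample: an abridged copy of the nmap ssl-enum-ciphers output pasted earlier in the thread
SAMPLE_NMAP = """\
| TLSv1.2:
|   ciphers:
|     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - F
|     TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - F
|     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp521r1) - F
|     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp521r1) - F
|     TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - F
|_  least strength: F
"""

PROTO_RE = re.compile(r"^\|?\s*(SSLv3|TLSv1\.\d):\s*$")  # "| TLSv1.2:" or a bare "TLSv1.2:"
SUITE_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+[A-F]\s*$")

def parse_nmap_ciphers(text):
    """Map each protocol version in ssl-enum-ciphers output to {suite: key-exchange detail}."""
    by_proto, proto = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            by_proto.setdefault(proto, {})
            continue
        m = SUITE_RE.match(line)
        if m and proto is not None:
            by_proto[proto][m.group(1)] = m.group(2)
    return by_proto

def negotiable_suites(server_output, client_suites=EPO_OUTBOUND_SUITES, proto="TLSv1.2"):
    """Suites both sides accept; an empty list means the handshake fails with insufficient_security."""
    offered = parse_nmap_ciphers(server_output).get(proto, {})
    return sorted(s for s in offered if s in client_suites)

def unusable_suites(server_output, client_suites=EPO_OUTBOUND_SUITES, proto="TLSv1.2"):
    """Suites the server offers that ePO never selects (DHE, 3DES), so enabling more of them cannot help."""
    offered = parse_nmap_ciphers(server_output).get(proto, {})
    return sorted(s for s in offered if s not in client_suites)
```

Run it against the real scan output of the SQL host; if negotiable_suites() returns an empty list, the fix is to enable one of the listed suites in SChannel on the SQL side, and the nmap letter grade (capped at F here by the SHA-1 certificate) is irrelevant to whether ePO can connect.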

dcaffrey
Level 10
Message 7 of 10

Re: epo 5.10 Update 11 can't connect to Database

I ran IISCrypto on the SQL server again, applied best practices and rebooted.

I tried Update 11 again and it connected OK.

This is the TLS cipher suite being used now:

TLSCipherSuite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

This is the one used with Update 10:

TLSCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

cdinet
McAfee Employee
Message 8 of 10

Re: epo 5.10 Update 11 can't connect to Database

Glad it is working and glad to help!


Re: epo 5.10 Update 11 can't connect to Database

Hi, I have a problem after doing this procedure.

The Apache service consumes all the server resources and I can't do anything. Any idea how to solve this problem?

cdinet
McAfee Employee
Message 10 of 10

Re: epo 5.10 Update 11 can't connect to Database

Please open a ticket, as we will need to review logs. Also get screenshots of what resources specifically are being consumed (memory or CPU) and showing exactly which process.

Some typical causes of this with Apache (the ePO Server service) are: a syslog server that is failing to connect, a SIEM connected to the database locking tables and causing long session times, database mirroring not enabled in server settings, user policies if you use any user-based policies (KB84683), too frequent an ASCI, and too frequent repository requests. For the last two, examine what your agent-server communication interval is compared to how many clients you are managing, and how many tasks are scheduled and their frequency. Additionally, if you have distributed repositories, how much are they being utilized instead of clients hitting ePO or the agent handlers all the time?
