VriendP
Level 7

Certificate store implications when upgrading to ePO 5.9


Good day,

I'm attempting to perform an upgrade from ePO 5.3.2 to ePO 5.9 and have several questions.

My first blind upgrade attempt failed and led me to kb87731, which deals with a secure SQL Server connection. The article refers to kb84628, which in turn describes the steps to follow under different circumstances. I ended up enabling certificate validation for the SQL database connection and using keytool.exe to add the SQL Server certificate to the cacerts certificate store (as well as adding it to the Windows certificate store, etc. blah blah).

Question 1: If I had a small network without a CA, it seems to me I'd need to set up a CA in order to get this working. This is simple enough, but could be an issue for many SMB customers and tempts one to avoid using certs on the SQL connection. Would that still work?

I applied all the steps in the aforementioned kb articles. During the upgrade to ePO 5.9, the installation rolls back. Checking core-rollback.log sheds light on why the installation rolls back; the error is:

[downgrade-extension] java.lang.SecurityException: java.lang.SecurityException: JKS keystores cannot be loaded in FIPS-140 mode. Only PKCS12 PBES2 key stores are supported

This error isn't documented on the McAfee domain, but it points to an issue with a certificate store. I'm not sure whether or not this is referring to the cacerts certificate store impacted by the keytool.exe procedure documented in kb84628, or another certificate store. The cacerts store is a JKS store anyway, and perhaps should be a PKCS12 store. I was feeling brave and used keytool.exe to convert the cacerts keystore to PKCS12 and restarted the ePO services. Everything seems to be running just fine, but the upgrade fails with the same error as before.

Question 2: What's up with the keystore format error rollback, is this about the cacerts keystore or another keystore? Should I convert it, or is there another procedure to be followed? The error thrown in the core-rollback.log file is undocumented in the McAfee domain.

Any advice is greatly appreciated!


Accepted Solutions
jrp78
Level 10

Re: Certificate store implications when upgrading to ePO 5.9


Disabling SQL encryption made the upgrade go through. I recreated my CSR with a key length of 2048 and will try to re-enable SQL encryption shortly.

Thanks for the help!

6 Replies
jrp78
Level 10

Re: Certificate store implications when upgrading to ePO 5.9


VriendP,

I'm having the exact same issue right now trying to upgrade from 5.9 to 5.9.1. Did you find a solution to this problem?


EDIT: I'm using an InCommon cert for SQL so I didn't import any CA into cacerts because it's already there.

McAfee Employee

Re: Certificate store implications when upgrading to ePO 5.9


Question 1 - No, you do not need to set up a CA to get this to work, and an SSL connection to the database is not required. What is required is the correct order of the cipher suite. Solution 1 in kb87731 describes how to do that.

Are you installing it in FIPS mode? If not, the "Only PKCS12 PBES2 key stores are supported" message is possibly referring to the key strength of the cert you set up for SSL to the database. It would not be complaining about any self-signed certs.

Question 2 - I would reverse what you did, as it is not necessary to use an SSL connection. Make sure the cipher suite is correct and go through KB71825 to ensure there are no issues, and run the pre-installation auditor tool (download site) to identify anything. You may run into KB89940 with the tool, but as long as the cipher suite is correct you should be fine. If not, please call in and we can assist with the upgrade.

jrp78
Level 10

Re: Certificate store implications when upgrading to ePO 5.9


cdinet, thanks for your reply. I used IISCrypto and set my app server and DB server to "best practices" per the article. Both servers were rebooted. I don't know what installing in FIPS mode even means, to be honest. Below are the settings I used in conjunction with certreq.exe to generate my CSR on my DB server. I submitted this CSR to InCommon to get my cert. Is the key length a problem? Also, since the pre-install audit tool said I needed SQL encryption, that's why I set it up. Are you saying I can disable encryption for the upgrade and then re-enable it?

[NewRequest]
Subject="CN=servername.mycompany.com,OU=ITS,O=My Company,L=My City,S=My State,C=US"
Exportable=TRUE
KeyLength=4096
MachineKeySet=TRUE
FriendlyName="servername.mycompany.com"
KeySpec=1
KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE"
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1

McAfee Employee

Re: Certificate store implications when upgrading to ePO 5.9


Yes, I believe your key length is the problem, and you are not required to use SSL encryption to the database. You can if you choose, but it is not required. The tool checks for that scenario and requires the ability to use SSL, but does not require it to actually be used. Even if the tool itself indicates that, the upgrade will not require you to. If you want to use SSL, change your key to 2048, but if you don't care whether you use it or not, I would disable it. At least for the upgrade; then you can work on getting it working later if desired.
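The two things this thread turns on, the 4096-bit key in the certreq INF posted above and the cacerts store type from the original question, as an added PowerShell example that is not part of the thread and not McAfee's own tooling or documentation: it writes the same INF with KeyLength=2048, checks the RSA key size of the certificate that ends up in the machine store, and asks the ePO JRE's keytool what type the cacerts store actually is. The ePO JRE path, the Java default cacerts password "changeit" and the host name servername.mycompany.com are assumptions; adjust them to your install.

```powershell
# Added example, not from the thread. Assumptions: ePO's bundled JRE is under
# C:\Program Files\McAfee\ePolicy Orchestrator\JRE, cacerts still uses the Java
# default password "changeit", and the SQL host is servername.mycompany.com.
$SqlHost   = 'servername.mycompany.com'
$EpoJre    = 'C:\Program Files\McAfee\ePolicy Orchestrator\JRE'
$Keytool   = Join-Path $EpoJre 'bin\keytool.exe'
$CaCerts   = Join-Path $EpoJre 'lib\security\cacerts'
$StorePass = 'changeit'

# 1. Same certreq INF as the one posted in the thread, with the key length
#    changed from 4096 to 2048 (run this part on the SQL Server host).
$inf = @"
[NewRequest]
Subject="CN=$SqlHost,OU=ITS,O=My Company,L=My City,S=My State,C=US"
Exportable=TRUE
KeyLength=2048
KeyAlgorithm=RSA
MachineKeySet=TRUE
FriendlyName="$SqlHost"
KeySpec=1
KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE"
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
"@
Set-Content -Path .\sqlserver.inf -Value $inf -Encoding ASCII
certreq.exe -new .\sqlserver.inf .\sqlserver.csr   # submit sqlserver.csr to the CA

# 2. Once the issued certificate is installed (certreq -accept), confirm the key
#    size before pointing SQL Server at it and re-enabling encryption.
function Get-SqlCertKeySize {
    param([string]$DnsName)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$DnsName*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for $DnsName in LocalMachine\My" }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; KeySize = $rsa.KeySize; NotAfter = $cert.NotAfter }
}
$info = Get-SqlCertKeySize -DnsName $SqlHost
$info
if ($info.KeySize -ne 2048) {
    Write-Warning "Key size is $($info.KeySize); regenerate the CSR with KeyLength=2048 before re-enabling SQL encryption."
}

# 3. On the ePO server: what store type is cacerts? keytool prints
#    "Keystore type: JKS" or "Keystore type: PKCS12" at the top of its listing.
& $Keytool -list -keystore $CaCerts -storepass $StorePass | Select-String 'Keystore type'
```

Run steps 1 and 2 on the SQL Server host and step 3 on the ePO server, using the keytool from the ePO JRE rather than any other Java on the box, since that is the store the ePO services read. Take a copy of cacerts before converting or importing anything into it.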

McAfee Employee

Re: Certificate store implications when upgrading to ePO 5.9


Ok, great that the upgrade succeeded!
