Custom SSL cert for agent-server(secure) and client-server


Hi,

A recent audit has resulted in our team being asked to move away from the self-signed certs used by ePO. I can follow through KB72477, but as far as I can see this will result in the custom keys being used only for the console-to-application comms (access to the ePO GUI) and the RSD client-to-server comms, as both use the same Tomcat service (as far as I can see). With regards to the client-to-server comms, I am a bit unsure as to how the new keys would be communicated to the RSD agents, however.
The next question would be how to customise the agent-to-server secure comms, which use Apache. As the keys used are contained within the server settings under 'edit security keys', and the 'new key' option does not allow the import of a key, but rather just seems to create another self-signed key, I suspect that this may be more involved, but am not sure if I am overcomplicating things.

I may be missing something obvious, but could somebody provide comment/thoughts on the above?

cheers,
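An added example, not code from this thread or from McAfee/ePO, for the triage step behind this kind of audit finding: pull the leaf certificate a TLS listener presents, decide whether it is actually self-signed (issuer equals subject and the certificate verifies against its own key) rather than merely issued by an unknown CA, and print its SHA-256 fingerprint so the cert on the console (Tomcat) port can be compared with the one on the agent (Apache) port. It assumes only the openssl command-line tool. The page does not state which ports ePO listens on, so no host or port is hard-coded; the offline demo instead builds constructed test certificates with a throwaway CA.

```shell
#!/bin/sh
# Added example, not code from the thread or from McAfee/ePO.
# Classifies a PEM certificate as self-signed or CA-issued and prints its
# SHA-256 fingerprint, so a cert flagged by a scanner on one port can be
# matched (or not) against the cert served on another. Requires openssl.
set -eu

# fetch_leaf_cert HOST PORT OUTFILE: save the leaf cert a TLS listener presents.
# HOST/PORT are whatever the scanner reported; the thread does not state ePO's
# ports, so none are assumed here. (Not invoked by the offline demo below.)
fetch_leaf_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# cert_is_self_signed FILE: prints "self-signed" or "ca-issued".
# Subject == issuer alone is only a heuristic (a CA-issued cert can carry the
# same name as its CA), so the cert must also verify against itself, i.e. the
# signature was made with the cert's own key.
cert_is_self_signed() {
  pem="$1"
  subj=$(openssl x509 -in "$pem" -noout -subject)
  issuer=$(openssl x509 -in "$pem" -noout -issuer)
  if [ "${subj#subject=}" = "${issuer#issuer=}" ] \
     && openssl verify -CAfile "$pem" "$pem" >/dev/null 2>&1; then
    echo self-signed
  else
    echo ca-issued
  fi
}

# cert_fingerprint FILE: SHA-256 fingerprint, colon-separated hex only.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# make_constructed_certs DIR: constructed test material, not real ePO certs.
# Writes DIR/selfsigned.pem (mimicking a product-generated cert) and
# DIR/ca-issued.pem, signed by a throwaway CA written to DIR/ca.pem.
# Both leaf certs deliberately carry the same subject name.
make_constructed_certs() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.pem" -days 2 \
    -subj "/CN=epo.example.internal" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" -days 2 \
    -subj "/CN=Constructed Internal CA" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/ca-issued.key" -out "$dir/ca-issued.csr" \
    -subj "/CN=epo.example.internal" >/dev/null 2>&1
  openssl x509 -req -in "$dir/ca-issued.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -days 2 \
    -out "$dir/ca-issued.pem" >/dev/null 2>&1
}

# Offline demo: same subject on both leaf certs, so only the issuer and
# self-signature check tells them apart; fingerprints differ as expected.
demo_dir=$(mktemp -d)
make_constructed_certs "$demo_dir"
for f in selfsigned ca-issued; do
  printf '%-12s %-12s %s\n' "$f" \
    "$(cert_is_self_signed "$demo_dir/$f.pem")" \
    "$(cert_fingerprint "$demo_dir/$f.pem")"
done
rm -rf "$demo_dir"
```

Against a live system, `fetch_leaf_cert` run once per flagged port, followed by `cert_fingerprint` on each saved file, shows whether the finding covers one certificate served on several ports or separate certificates per service, which is the distinction the rest of this thread turns on.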


7 Replies

Re: Custom SSL cert for agent-server(secure) and client-server


Hi,

As the client-to-server secure comms are also used by the Agent Handlers, I am assuming that the servers running the Agent Handlers only have to trust the signing CA. Or is the validity of the certificate checked at all by the Agent Handlers?

With regards to the agent-to-server secure comms, I could change the certificate used by Apache; however, would this have a knock-on effect on the agent communications, as I do not seem to be able to import SSL keys into the ePO server for this purpose, as mentioned above?

I think I'm going to raise an SR for this also!

JoeBidgood (McAfee Employee), Message 3 of 8, accepted solution

Re: Custom SSL cert for agent-server(secure) and client-server


Sorry for not seeing this one earlier...

There's no way to change the cert used for agent/server comms, I'm afraid. The keys used by ePO (and referred to in the server settings) are distinct from the SSL certs: they're the agent/server key pairs from earlier versions of ePO that are still used so that non-SSL comms are still secure. You can administer these keys via the console, but there is no similar process for the Apache certificates.

Can I ask what it is you'd like to do, exactly, and the reason for wanting to avoid the self-signed certs? (Just to give me a better understanding...)

Thanks -

Joe


Re: Custom SSL cert for agent-server(secure) and client-server


Cheers Joe, just got the same answer from support earlier today. Basically, it goes like this:

Pen Tester / Auditor: "OMG, we have found self-signed certificates used on this port!"

Project: "... ... aaaaAAAAARRRRRGGGHHHHHHHHH"* <runs around, bashing into things>

Me: "I'll have a dig around" <comes to community / support>

As it is not possible, I will simply communicate that back, and hopefully that will be the end of it. I fear it may not be, as we go down the path of needing to document how attackers can use this to their advantage, and what is in place and can be in place to mitigate those attacks. The whole affair in my opinion is low, low risk (and high level-of-work-required-for-would-be-attacker).

*Dramatic re-enactment. In reality the whole affair was quite calm. Just re-enacting what I have seen to be the norm with these things.

JoeBidgood (McAfee Employee), Message 5 of 8

Re: Custom SSL cert for agent-server(secure) and client-server


No problem.

I've asked a senior colleague for their comments; it may be that there's something I'm missing. The problem I can see is that there's no way to distribute the new cert to existing agents short of importing the sitelist or redeploying all the agents, both of which are painful.

Regards -

Joe

Re: Custom SSL cert for agent-server(secure) and client-server


Darn your helpfulness Joe, Darn it!

I didn't think it would be possible even with the redistribution of the sitelist or redeploying the agents, as I had no way of importing the keys into ePO security keys for the redistribution. Unless, *if* the certs were amended, the sitelist and security keys were updated automatically (I am sure this is more simple than my brain is making out). I will stick with the official support answer for now (not possible), but if you do happen to come across a feasible and supported path for this, let me know. My curiosity is piqued, and if indeed it is a possibility I need to present it to the project, no matter how much work is involved. Then it can be somebody else's decision on whether to proceed or not 😄

JoeBidgood (McAfee Employee), Message 7 of 8

Re: Custom SSL cert for agent-server(secure) and client-server


It's the import of the cert (not key) that's the tricky part. We know that ePO can *recreate* the Apache cert: it's something that we do very regularly to repair broken installations that have to be recovered after a disaster, but then you're left with redeploying the agents.

What we don't have a mechanism for is importing a different cert (as opposed to calling ePO's internal function to create a new one).

At this point I would definitely go with "not possible", but if I do find out anything useful I'll let you know.

Regards -

Joe

Re: Custom SSL cert for agent-server(secure) and client-server


Yes, quite right; typing a large number of emails can result in my words getting mixed up. I'm usually quite pedantic about that, and am also usually the one to correct it (it avoids confusion later down the line). Tables have turned this time!
