I'm planning to upgrade Epo to 5.9 version. I ran pre install auditor version 220.127.116.110.
RSA compatibility fails everytime. Sql server is 2008 R2 with sp1, running in windows server 2008 R2. All the windows updates are installed to the server, also the KB3042058 which is mentioned in the KB87731 document.
How to fix this problem? Am I missing something?
Sql server has personal certificate RSA 2048.
In Epo 5.3 I'm not using ssl connection with certificate, can I just ignore the error and continue with upgrade? Or does the 5.9 version require ssl with certificate?
This setting I have in use.
I get the same error even though I also have RSA 2048 bit certificates. During the beta I had resolved this issue by manipulating the SCHANNEL crypto providers but then when the RTM PIA came out this error returned. I haven't been able to continue the upgrade though due to other blocking issues.
Same issue here.
Tried with two MS SQL servers, but can't pass it:
1. MS SQL 2012 x64 SP3 CU8 running on Windows 2012 x64 with all updates installed (including required KB3042058), and the following SSL certificate deployed:
Signature algorithm: sha256RSA
Signature hash algorithm: sha256
Key size: RSA 2048 bits
2. MS SQL 2014 x64 SP2 CU5 running on Windows 2012 R2 x64 with all updates installed (including required KB3042058), and the following SSL certificate deployed:
Signature algorithm: sha1RSA
Signature hash algorithm: sha1
Key size: RSA 2048 bits
Anyone here who successfully passed this check? What exactly is it checking for: particular SSL cipher suite order or is it related to the strength/algorithm of the SSL certificate/key?
Are you all using self signed certificates for the MS-SQL server? I've done a bunch of messing around with SHA & RSA levels and SSL cipher suites to match what's supposed to be set but I also get the same error. The only thing I can think of is I'm using domain signed certificates which are fully valid inside my domain but maybe the PIA doesn't trust them?
Honestly though just move on past this step and run the installer, see if it can talk to your DB and prepare to install. The PIA complains about it but the installer doesn't care and will actually install is what I found in my experience. If it couldn't actually correctly talk to the DB then all of the DB driven portions will fail which is not what I experienced. Just always make sure you have good backups.
Indeed, all my certificates are self-signed. As long as you place those into Trusted Root Certification Authorities on the server where you execute PIA, whether the certificate is self-signed or from a proper CA becomes irrelevant -- it should be trusted. Now, whether PIA takes this into account while performing the check is the million-dollar question.
I suspect that it has something to do with the particular (most probably strengthen) SSL cipher suite order, because this is what KB3042058 introduces (if you look at the KB you can achieve the same with the GPO), however I can't get anything meaningful from the support.
Unfortunately, I don't have ePO in the lab, hence I'm a bit reluctant to proceed with the installation in production, since you can end up with the successful installation but no SQL communication between ePO and SQL instances.
Are you saying that your upgrade worked (despite the RSA compatibility failure)?
Sorry to revive this but I'm having the same issue and wondered if anybody found a workaround?
Remote SQL 2008 R2 SP1 (Enterprise) on Windows 2008 R2 SP1.
No SSL configured on SQL (in SQL Config Mgr, under protocols, I have no certificate selected). I don't want SSL configured as the SQL instance hosts other databases for other apps.
ePO 5.3.2 told to never use SSL in /core/config
PIA passes except for the BSAFE test - the RSA compatibility check passes.
All security updates installed via WSUS.
I've obviously looked at McAfee KB87731 as the PIA recommends, which states the solution is to install MS KB3042058 to the SQL Server. (This update is May 2015!) When I try to install it, I get told "This update is not applicable to your computer".
The SQL server has it's own Computer Certificate auto-enrolled from our internal CA, which hasn't been configured anywhere within SQL Server, but I mention because it is a SHA256 cert with a 2048-bit public key - ie. should meet ePO criteria I believe.
ePIPAPI.log shows the error at CheckifWindowsIsPatchedforRSA, and states "SQL Server is not patched with KB2919355" and gives a result of 4. KB2919355 only applies to Win2012R2 and my SQL Server OS is 2008R2.
Tried to completed the install repeatedly (takes 1hr+) but always errors out saying an equivalent of "Unable to contact the SQL server over SSL". I don't want it to, and haven't asked it to!
Any progress from anybody?
I have found more information, following log files through I ended up at \AppData\Local\Temp\McAfeeLogs\EPO590-Troubleshoot\MFS\core-upgrade.log which has the following error:
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Installer\core\build.xml:1923: The following error occurred while executing this line:
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Installer\core\build.xml:1940: The following error occurred while executing this line:
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Installer\core\build.xml:1678: com.mcafee.orion.core.db.base.DatabaseConnectivityException: Failed to get a connection: Network error IOException: Error creating premaster secret. . Navigate to /core/config and verify database connection settings
When I browse to /core/config I see everything looking as expected, SSL set to "Never use SSL", and when I hit the "Test Connection" button the test is successful.
In \AppData\Local\Temp\McAfeeLogs\EPO590-Troubleshoot\MFS\core-upgrade.log.stdout I see this, not sure if it's relevant:
Debug: using RUN_HOME=C:\PROGRA~2\McAfee\EPOLIC~1\Installer\Core\
Debug: using TEST_JAVA_HOME=C:\PROGRA~2\McAfee\EPOLIC~1\Installer\Core\\..\jre\windows\jre
Debug: using JAVA_HOME=C:/PROGRA~2/McAfee/EPOLIC~1/JRE
Unable to locate tools.jar. Expected to find it in C:\PROGRA~2\McAfee\EPOLIC~1\lib\tools.jar
Buildfile: C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Installer\core\build.xml
And in \AppData\Local\Temp\McAfeeLogs\EPO590-Troubleshoot\MFS\install.properties I see the following:
# ------ db conf settings ---------
#server's db settings...
orion.db.server.name = <sql_server_name>
orion.db.database.name = <epo_db_name>
orion.db.port = 1433
orion.db.user.name = <correct_user>
orion.db.user.domain = <correct_domain>
orion.db.param.ssl = request
orion.db.jdbc.driver = jtds
It seems to me the SSL parameter should not be set to Request, it should be set to Never or the correct equivalent.
This may of course all be irrelevant, any ideas or do I need to contact support?............
Download the new ePolicy Orchestrator (ePO) Support Center Extension which simplifies ePO management and provides support resources directly in the console. Learn more about ePO Support Center