
Epo 5.9 PIA, RSA compatibility failed

Hi,

I'm planning to upgrade ePO to version 5.9. I ran Pre-Install Auditor version 2.0.0.310.

RSA compatibility fails every time. The SQL Server is 2008 R2 with SP1, running on Windows Server 2008 R2. All the Windows updates are installed on the server, including KB3042058, which is mentioned in the KB87731 document.

How can I fix this problem? Am I missing something?

The SQL Server has a personal RSA 2048 certificate.

23 Replies

Re: Epo 5.9 PIA, RSA compatibility failed

In ePO 5.3 I'm not using an SSL connection with a certificate. Can I just ignore the error and continue with the upgrade? Or does version 5.9 require SSL with a certificate?

This is the setting I have in use.

Reliable Contributor brentil
Message 3 of 24

Re: Epo 5.9 PIA, RSA compatibility failed

I get the same error even though I also have RSA 2048 bit certificates.  During the beta I had resolved this issue by manipulating the SCHANNEL crypto providers but then when the RTM PIA came out this error returned.  I haven't been able to continue the upgrade though due to other blocking issues.

Re: Epo 5.9 PIA, RSA compatibility failed

Same problem here, running SQL 2014 and Server 2012 R2. I ran the upgrade in a test environment and it worked anyway.

zapnet
Level 7
Message 5 of 24

Re: Epo 5.9 PIA, RSA compatibility failed

Same problem here, any solutions?

Running SQL 2012 and Server 2012 R2 with all Windows updates.

nov1ce
Level 8
Message 6 of 24

Re: Epo 5.9 PIA, RSA compatibility failed

Same issue here.

Tried with two MS SQL servers, but can't pass it:

1. MS SQL 2012 x64 SP3 CU8 running on Windows 2012 x64 with all updates installed (including required KB3042058), and the following SSL certificate deployed:

Signature algorithm: sha256RSA

Signature hash algorithm: sha256

Key size: RSA 2048 bits

2. MS SQL 2014 x64 SP2 CU5 running on Windows 2012 R2 x64 with all updates installed (including required KB3042058), and the following SSL certificate deployed:

Signature algorithm: sha1RSA

Signature hash algorithm: sha1

Key size: RSA 2048 bits

Anyone here who successfully passed this check? What exactly is it checking for: particular SSL cipher suite order or is it related to the strength/algorithm of the SSL certificate/key?

Reliable Contributor brentil
Message 7 of 24

Re: Epo 5.9 PIA, RSA compatibility failed

Are you all using self-signed certificates for the MS-SQL server? I've done a bunch of messing around with SHA & RSA levels and SSL cipher suites to match what's supposed to be set, but I also get the same error. The only thing I can think of is that I'm using domain-signed certificates, which are fully valid inside my domain, but maybe the PIA doesn't trust them?

Honestly though, just move on past this step and run the installer, see if it can talk to your DB and prepare to install. The PIA complains about it, but in my experience the installer doesn't care and will actually install. If it couldn't actually correctly talk to the DB then all of the DB-driven portions would fail, which is not what I experienced. Just always make sure you have good backups.

nov1ce
Level 8
Message 8 of 24

Re: Epo 5.9 PIA, RSA compatibility failed

Indeed, all my certificates are self-signed. As long as you place those into Trusted Root Certification Authorities on the server where you execute PIA, whether the certificate is self-signed or from a proper CA becomes irrelevant -- it should be trusted. Now, whether PIA takes this into account while performing the check is the million-dollar question.

I suspect that it has something to do with the particular (most probably strengthened) SSL cipher suite order, because this is what KB3042058 introduces (if you look at the KB you can achieve the same with the GPO); however, I can't get anything meaningful from support.

Unfortunately, I don't have ePO in the lab, hence I'm a bit reluctant to proceed with the installation in production, since you can end up with the successful installation but no SQL communication between ePO and SQL instances.

Are you saying that your upgrade worked (despite the RSA compatibility failure)?

davei
Level 9
Message 9 of 24

Re: Epo 5.9 PIA, RSA compatibility failed

Hi

Sorry to revive this but I'm having the same issue and wondered if anybody found a workaround?

Remote SQL 2008 R2 SP1 (Enterprise) on Windows 2008 R2 SP1.

No SSL configured on SQL (in SQL Config Mgr, under protocols, I have no certificate selected).  I don't want SSL configured as the SQL instance hosts other databases for other apps.

ePO 5.3.2 told to never use SSL in /core/config

PIA passes except for the BSAFE test - the RSA compatibility check passes.

All security updates installed via WSUS.

I've obviously looked at McAfee KB87731 as the PIA recommends, which states the solution is to install MS KB3042058 to the SQL Server.  (This update is May 2015!)  When I try to install it, I get told "This update is not applicable to your computer".

The SQL server has its own Computer Certificate auto-enrolled from our internal CA, which hasn't been configured anywhere within SQL Server, but I mention it because it is a SHA256 cert with a 2048-bit public key, i.e. it should meet the ePO criteria, I believe.

ePIPAPI.log shows the error at CheckifWindowsIsPatchedforRSA, and states "SQL Server is not patched with KB2919355" and gives a result of 4.  KB2919355 only applies to Win2012R2 and my SQL Server OS is 2008R2.

Tried to complete the install repeatedly (takes 1hr+) but it always errors out saying an equivalent of "Unable to contact the SQL server over SSL".  I don't want it to, and haven't asked it to!

Any progress from anybody?

Thanks.

davei
Level 9
Message 10 of 24

Re: Epo 5.9 PIA, RSA compatibility failed

I have found more information. Following the log files through, I ended up at \AppData\Local\Temp\McAfeeLogs\EPO590-Troubleshoot\MFS\core-upgrade.log, which has the following error:

test-db:

BUILD FAILED
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Installer\core\build.xml:1923: The following error occurred while executing this line:
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Installer\core\build.xml:1940: The following error occurred while executing this line:
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Installer\core\build.xml:1678: com.mcafee.orion.core.db.base.DatabaseConnectivityException: Failed to get a connection: Network error IOException: Error creating premaster secret. . Navigate to /core/config and verify database connection settings

When I browse to /core/config I see everything looking as expected, SSL set to "Never use SSL", and when I hit the "Test Connection" button the test is successful.

In \AppData\Local\Temp\McAfeeLogs\EPO590-Troubleshoot\MFS\core-upgrade.log.stdout I see this, not sure if it's relevant:

Debug: using RUN_HOME=C:\PROGRA~2\McAfee\EPOLIC~1\Installer\Core\

Debug: using TEST_JAVA_HOME=C:\PROGRA~2\McAfee\EPOLIC~1\Installer\Core\\..\jre\windows\jre

Debug: using JAVA_HOME=C:/PROGRA~2/McAfee/EPOLIC~1/JRE

Unable to locate tools.jar. Expected to find it in C:\PROGRA~2\McAfee\EPOLIC~1\lib\tools.jar

Buildfile: C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Installer\core\build.xml

And in \AppData\Local\Temp\McAfeeLogs\EPO590-Troubleshoot\MFS\install.properties I see the following:

# ------ db conf settings ---------

#server's db settings...

orion.db.server.name   = <sql_server_name>

orion.db.database.name = <epo_db_name>

orion.db.instance.name =

orion.db.port          = 1433

orion.db.user.name     = <correct_user>

orion.db.user.domain   = <correct_domain>

orion.db.user.passwd   =

orion.db.param.ssl     = request

orion.db.jdbc.driver   = jtds

orion.db.param.USENTLMV2=true

It seems to me the SSL parameter should not be set to Request, it should be set to Never or the correct equivalent.

This may of course all be irrelevant. Any ideas, or do I need to contact support?

Thanks.
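
What the `orion.db.param.ssl = request` line in the install.properties quoted above asks the jTDS driver to do, as an added example that is not part of the original post and is not McAfee's code. The mode meanings are those documented for jTDS's `ssl` connection property; treating the console's "Never use SSL" as jTDS `off` is an assumption, and `parse_properties` / `audit_ssl` are hypothetical helper names.

```python
# Added example: audit the jTDS SSL mode in an ePO installer install.properties.
# SSL_MODES follows the jTDS driver's documented `ssl` property values.
SSL_MODES = {
    "off": (False, "TLS is never requested (jTDS default)"),
    "request": (True, "TLS is requested; falls back to plain if the server lacks it"),
    "require": (True, "TLS is requested; connection fails if the server lacks it"),
    "authenticate": (True, "as require, and the server certificate must chain to a trusted CA"),
}

# Constructed sample: lines quoted in the post, placeholders kept as-is.
SAMPLE = """\
# ------ db conf settings ---------
orion.db.server.name   = <sql_server_name>
orion.db.port          = 1433
orion.db.param.ssl     = request
orion.db.jdbc.driver   = jtds
orion.db.param.USENTLMV2=true
"""

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_ssl(props, intended="off"):
    """Return (mode, attempts_tls, findings) for the installer's DB settings."""
    findings = []
    driver = props.get("orion.db.jdbc.driver", "")
    if driver.lower() != "jtds":
        findings.append(f"driver is {driver!r}; the ssl modes below apply to jTDS only")
    # A missing or empty value means the driver default, which is "off".
    mode = props.get("orion.db.param.ssl", "off").lower() or "off"
    if mode not in SSL_MODES:
        findings.append(f"unknown ssl mode {mode!r}")
        return mode, None, findings
    attempts_tls, meaning = SSL_MODES[mode]
    findings.append(f"ssl={mode}: {meaning}")
    if mode != intended:
        findings.append(f"mismatch: file says {mode!r}, administrator intends {intended!r}")
    return mode, attempts_tls, findings

if __name__ == "__main__":
    for finding in audit_ssl(parse_properties(SAMPLE))[2]:
        print(finding)
```

With `request`, the driver still attempts a TLS handshake whenever the SQL Server offers encryption, so a handshake error can appear even though no certificate is selected in SQL Server Configuration Manager.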
