
Re: Epo 5.9 PIA, RSA compatibility failed

Look inside DB Properties in "Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf\orion\db.properties" for db.param.ssl=xxxx. We don't use SSL and ours is set to "off".

Also make sure the tools.jar is present. Another thing I can suggest: do a new setup and transfer assets between 2 ePO servers. I had to do that after wasting a week with support and no resolution... See my other thread for the link to the McAfee KB on how to transfer assets between ePO servers.

davei
Level 9
Message 12 of 24

Re: Epo 5.9 PIA, RSA compatibility failed

Thanks for the reply.

re: db.properties, unfortunately mine also says db.param.ssl=off in that particular file.  But when the upgrade is running, the ultimate error is that it can't connect to SQL using SSL, which we don't want it to do and haven't asked it to.

re: tools.jar, there is no path to it - ie. C:\PROGRA~2\McAfee\EPOLIC~1\lib\ doesn't exist (the \lib folder doesn't exist) so not sure if this is a remnant from a previous version and an ignorable error.

I saw your post earlier about migrating to a new server, and it is something I have done myself at least once over the years of working with ePO.  I am keen to avoid doing it if possible as our agents are distributed and many don't connect for weeks on end, so I would need to run both versions side by side to ensure the agents receive the move server command.  I would prefer to get this in-place upgrade completed successfully and keep the migration option as a backup plan.

I've opened a case with support so if I survive that without throwing myself off the top of our building I will report back....

Any other thoughts or advice please!!!

Reliable Contributor brentil
Message 13 of 24

Re: Epo 5.9 PIA, RSA compatibility failed

During my testing I had turned off SSL in ePO and was able to go through an upgrade for testing.  I had done another step too though in that I had gone to my MS-SQL server and disabled SSL there too.  If you have it enabled there the installer might be detecting it and trying to shift your installation to SSL.  So you can try disabling it on the MS-SQL server and restarting the services if it is enabled.

Also why don't you want to use SSL between the systems?  There's a lot of organizational sensitive data being stored and shifted back and forth between the two systems, it's definitely better to have it encrypted.

davei
Level 9
Message 14 of 24

Re: Epo 5.9 PIA, RSA compatibility failed

Thanks brentil.  How exactly did you disable SSL on the MSSQL server?

I'm very happy to use SSL between ePO and SQL, but as the MSSQL server hosts other databases too, to implement that would mean dealing with the bureaucrats and other application owners - and I think I'd rather spend an eternity on the phone to McAfee's Indian call centre than deal with the bureaucrats.... although it is a close call!

Reliable Contributor brentil
Message 15 of 24

Re: Epo 5.9 PIA, RSA compatibility failed

It's not all or nothing when it comes to SSL: you can enable it on MS-SQL but not force it, so that you can talk to it via SSL or not use SSL at the same time.

Check status of SSL in MS-SQL:

  1. Login to your MS-SQL server's OS
  2. From Start menu run "SQL Server XXXX Configuration Manager" as Administrator (XXXX = version installed)
  3. Expand "SQL Network Configuration"
  4. Right click "Protocols for YYYY" and choose Properties (YYYY = SQL instance name)
  5. Go to the Certificate tab and if a certificate is already selected in the Certificate: field and data is populated in the area below it you have SSL enabled
  6. Go to the Flags tab and as long as Force Encryption is not set to Yes then you can run SSL and non-SSL connections at the same time

If there is an SSL certificate listed but your ePO still can't talk to it correctly as you're finding then the issue could be if the SSL certificate is self-signed or Domain signed and your ePO doesn't have the Root/CA cert in its store.  You'll have to then update ePO to include a Root/CA for it to authenticate against.
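
The same check as the Configuration Manager steps above, scripted as an added example that is not part of the original posts. It reads the per-instance `SuperSocketNetLib` registry values that the Certificate and Flags tabs write to; the function names are hypothetical, and the ePO file path is the one quoted earlier in the thread with the drive assumed from `%ProgramFiles(x86)%`.

```powershell
# Added example, not from the thread. Run elevated on the SQL Server host.
$root = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

function Get-SqlTlsSetting {
    # "Instance Names\SQL" maps instance name -> instance ID (registry subkey name).
    $names = Get-Item -Path "$root\Instance Names\SQL"
    foreach ($instance in $names.GetValueNames()) {
        $id  = $names.GetValue($instance)
        $net = Get-ItemProperty -Path "$root\$id\MSSQLServer\SuperSocketNetLib"

        # Certificate = thumbprint chosen on the Certificate tab (empty = none).
        $thumb = "$($net.Certificate)".Trim()
        # Looked up in the local computer store only; $null if not found there.
        $cert  = if ($thumb) {
            Get-ChildItem -Path Cert:\LocalMachine\My |
                Where-Object { $_.Thumbprint -eq $thumb }
        }
        $force = [bool]$net.ForceEncryption   # Flags tab: Force Encryption

        $state = if ($force) { 'Force Encryption = Yes: every connection must be encrypted' }
                 elseif ($thumb) { 'Certificate selected, not forced: SSL and non-SSL both accepted' }
                 else { 'No certificate selected, not forced' }

        [pscustomobject]@{
            Instance        = $instance
            ForceEncryption = $force
            Thumbprint      = $thumb
            Subject         = $cert.Subject
            NotAfter        = $cert.NotAfter
            HasPrivateKey   = $cert.HasPrivateKey
            State           = $state
        }
    }
}

function Get-EpoDbSslSetting {
    # Run on the ePO server. Default path is the one quoted in the thread;
    # the drive (taken from %ProgramFiles(x86)%) is an assumption.
    param([string]$Path = (Join-Path ${env:ProgramFiles(x86)} 'McAfee\ePolicy Orchestrator\Server\conf\orion\db.properties'))
    Select-String -Path $Path -Pattern '^\s*db\.param\.ssl\s*=' |
        ForEach-Object { $_.Line.Trim() }
}

Get-SqlTlsSetting | Format-List
```

Comparing the `State` line from the SQL host with the `db.param.ssl` line returned by `Get-EpoDbSslSetting` on the ePO server shows whether the two sides agree before an upgrade is attempted.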

davei
Level 9
Message 16 of 24

Re: Epo 5.9 PIA, RSA compatibility failed

So in SSCM I have no certificate listed, and none in the drop down box available to choose.  After investigation, the reason is that the certificate(s) on the SQL server from our internal CA don't have the AT_KEYEXCHANGE keyspec set.  Which is fine, and if I do choose to go down the SQL SSL route I will issue some new certs that meet the requirements, and enjoy some encrypted SQL transport fun!

But right now - my SQL server does not do SSL, it has no certs that even meet the requirements for SQL SSL, current ePO does not use SSL (obviously), I don't want new ePO to use SSL, so why is it trying to use SSL and not falling back to non-SSL?

That is the question anyway.  I have a support case open now, will report back with an update when there is one.

Thanks all for input so far.

Re: Epo 5.9 PIA, RSA compatibility failed

We had the same issue: 2008 R2 servers running all compatible software, yet the tool was saying we are missing RSA support because it was checking for a 2012 Server KB patch.

McAfee couldn't figure out what was going on. I ended up installing a blank 5.9 and transferring assets to the new ePO (see link below)

nov1ce
Level 8
Message 18 of 24

Re: Epo 5.9 PIA, RSA compatibility failed

Well, according to the support:

You may ignore the RSA compatibility check failure when running the ePO Pre-Install Auditor tool. The upgrade will be successful without SSL connection to SQL server.

which doesn't make sense, because I DO use SSL connection.

Anyway, I was about to start the upgrade (with tons of backups, clones and snapshots), but got stuck with some unsupported extensions (such as MOVE AV 3.6.x, etc.).

Reliable Contributor Nielsb
Message 19 of 24

Re: Epo 5.9 PIA, RSA compatibility failed

MOVE 4.5.1 is available since this week and is compatible with ePO 5.9

Reliable Contributor brentil
Message 20 of 24

Re: Epo 5.9 PIA, RSA compatibility failed

So while rooting around in my Grant area I noticed there was a newer version of the PIA tool.  PIA 2.0.0.320 which was released April 26th compared to PIA 2.0.0.310 which is what was released when ePO 5.9 was released.  When I run it now I no longer get the error related to SQL Server system RSA compatibility.  As several of us had stated before this was just an issue in the PIA tool and not the ePO 5.9 installer so it looks like they resolved it there too.
