McAfee ePO - Encrypted credentials

Good morning,

I need to know if McAfee ePO credentials are stored encrypted and with which protocol or algorithm.
I also need to know if McAfee ePO credentials are transmitted encrypted and with which protocol or algorithm.

Thanks in advance

Accepted Solutions
McAfee Employee cdinet
Message 3 of 5

Re: McAfee ePO - Encrypted credentials

You didn't specify which accounts you are referring to, but here goes. We store accounts for users (passwords are only stored for the ePO authentication method, not NT accounts), registered servers, deployment credentials, distributed repositories, and anywhere else that might use a username/password.

ePO 5.9 and above leverages a FIPS-validated version of RSA Crypto-J 4.0 for security-related methods such as cryptography, hashing, and digital signatures. Implementation of the cryptographic algorithms is performed by FIPS-validated RSA BSafe CryptoC-ME 3.01. As of 5.3 and above, we use a hard-coded obfuscation key with a key that is unique for each install. They are stored in orion.properties using the obfuscation.v2.key.registry.key and obfuscation.v2.key.registry.value property names. The db.properties file that contains the db credentials password is hashed with these algorithms, as well as any stored in the database. For any data passed, such as a repository list to clients, that password is also a hash, so no passwords are sent in plain text with data transfers.

The ONLY time we send credentials in plain text is for authentication only to, for example, an LDAP server that is using basic authentication and not TLS. That is only for the initial authentication. So if you don't want any authentication requests sent in plain text, configure LDAP and SQL to use SSL authentication. I can't give you any more than that without getting into proprietary info.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
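
The reply above places the obfuscation key in orion.properties, so read access to that file and to db.properties is worth auditing on the ePO server. The following PowerShell check is an added example, not McAfee's code and not part of the original thread; `$ConfDir` is a placeholder for your install's configuration directory, and both the assumption that the two files sit in that one directory and the allow-list of principals are this example's own.

```powershell
# Added example (not McAfee code). $ConfDir is a placeholder: point it at the
# directory of your ePO install that holds orion.properties and db.properties.
param(
    [Parameter(Mandatory)] [string] $ConfDir,
    # Assumption: only these principals should be able to read the files.
    [string[]] $Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
)

$readBits = [int][System.Security.AccessControl.FileSystemRights]::ReadData
# Property names quoted in the reply above.
$keyProps = 'obfuscation.v2.key.registry.key', 'obfuscation.v2.key.registry.value'

function Get-UnexpectedReaders {
    param([string] $Path, [string[]] $Allowed)
    # Allow ACEs that grant read-data to anyone outside the allow-list.
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $readBits) -ne 0) -and
        ($Allowed -notcontains $_.IdentityReference.Value)
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

foreach ($name in 'orion.properties', 'db.properties') {
    $path = Join-Path $ConfDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$name not found under $ConfDir"
        continue
    }
    if ($name -eq 'orion.properties') {
        # Report presence by property name only; never echo the values.
        $lines = Get-Content -LiteralPath $path
        foreach ($p in $keyProps) {
            $pattern = '^\s*' + [regex]::Escape($p) + '\s*[=:]'
            $found = [bool]($lines | Where-Object { $_ -match $pattern })
            "{0}: {1} present = {2}" -f $name, $p, $found
        }
    }
    $extra = @(Get-UnexpectedReaders -Path $path -Allowed $Allowed)
    if ($extra.Count) {
        "{0}: readable by unexpected principals: {1}" -f $name, ($extra -join ', ')
    } else {
        "{0}: read access limited to the allowed list" -f $name
    }
}
```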

4 Replies
McAfee Employee cdinet
Message 2 of 5

Re: McAfee ePO - Encrypted credentials

I will have to check on that, but it would only refer to ePO authentication accounts. We don't store any Active Directory user credentials for users in ePO - that is all done by AD authentication. We do store credentials for registered servers and agent push credentials, if that is enabled, so I will find out that info. It may be later on this afternoon after a call with dev.

Re: McAfee ePO - Encrypted credentials

Hello,

Thanks for your answers!

I'm referring to the authentication type "ePO authentication".

Thank you so much
Regards.

McAfee Employee cdinet
Message 5 of 5

Re: McAfee ePO - Encrypted credentials

Glad to assist!
