Remanaging Agents by Importing Master Key after Losing ePolicy

Hello all, bit of a worst case scenario here.

Following some poor patching, ePolicy was not able to connect to our database. A colleague reverted to a backup of our application server, but we did not have a backup of our database. After speaking with McAfee, we've been told the restored version of our application server will not be able to connect to our database, so we have had to start from scratch.

However, I've noticed that we have a backup of the keystore from before the bad patching. Now, what I was thinking is that we could extract the master key from the old keystore, import it into our new ePolicy, and that way be able to manage our agents again (which are not talking to the new server, as it's generated a different master key).

What I was wondering is if anyone knows the implications of doing this. Obviously it's quite an all-or-nothing approach, presumably as soon as we import the old key our new ePO server (same hostname, same IP) will be able to communicate with all the old agents and start managing them. However, I'm not sure how this will happen exactly. Will all the old agents be added as systems under My Organisation on the next agent-server communication? Will I need to create systems in the tree but not have to deploy agents? Am I talking complete rubbish? Thanks in advance for any advice. The product is fairly new to me.

6 Replies
exbrit

Re: Remanaging Agents by Importing Master Key after Losing ePolicy

Moved from Community Help to Business > ePO for better support.

----

Peter

Moderator

McAfee Employee

Re: Remanaging Agents by Importing Master Key after Losing ePolicy

I hate to be the bearer of bad tidings, but I'm afraid this won't work. Without the original DB and keystore, the certificate chain is broken, which means the clients won't get past the first step of talking to ePO via SSL.

Unfortunately probably the quickest and most reliable approach here will be to redeploy the agent from the new server.

Sorry

Joe

Re: Remanaging Agents by Importing Master Key after Losing ePolicy

Will all the old agents be added as systems under My Organization on the next agent-server communication? - Yes, but they will land in the L&F group.

Will I need to create systems in the tree but not have to deploy agents?

Better to export the systems from the system tree of the old ePO server, if available, and import them into the new ePO server. Then, once the systems communicate with the ePO console, they will report into the right group.

Re: Remanaging Agents by Importing Master Key after Losing ePolicy

Unfortunately won't be able to export any systems from the tree of the old ePO given its state.

Sorry guys, little confused. We do have the old original keystore containing the old original master agent-server communication key. So, if I:

- Take the master key .zip file from the backup of the old server

- Go to Server Settings > Edit Security Keys on the new ePO

- Import the old master key

Then all of the old agents will be able to communicate with the new server, and will be added to the Lost&Found group in the new system tree? And the old agents will receive the new master key as soon as an update task runs?

Re: Remanaging Agents by Importing Master Key after Losing ePolicy

I am unable to see any systems in the new server although I transferred systems from the old ePO.

Not only the transferred systems, but I am unable to find any system in Lost and Found.

I imported the 2048 keys from the old ePO and I exported those keys to the new ePO.

I also made them the master key.

Now there are three master keys in the new ePO: two from the new ePO and one exported from the old ePO.

What can be the reason for the agents failing to connect to the new server? Is there any way to solve this problem from the client side?

McAfee Employee

Re: Remanaging Agents by Importing Master Key after Losing ePolicy

No - as I mentioned earlier, this won't work. There are two layers to deal with here - the certificate used to establish SSL comms with the ePO server service, and the agent/server key pair used to authenticate against a given ePO server. You've only got the key pair - but you don't have the correct certificate, and so agent/server comms will fail at the first hurdle, as it were.

There's a bug in some versions of the agent where this might actually work - but it's definitely not something you should rely on.

HTH -

Joe