0 Replies Latest reply on Jun 1, 2017 5:57 AM by VriendP

Certificate store implications when upgrading to ePO 5.9

VriendP

Good day,

I'm attempting to perform an upgrade from ePO 5.3.2 to ePO 5.9 and have several questions.

My first blind upgrade attempt failed and led me to kb87731, which deals with a secure SQL Server connection. The article refers to kb84628, which in turn describes the steps to follow under different circumstances. I ended up enabling certificate validation for the SQL database connection and using keytool.exe to add the SQL Server certificate to the cacerts certificate store (as well as adding it to the Windows certificates, etc., blah blah).

Question 1: If I had a small network without a CA, it seems to me I'd need to set up a CA in order to get this working. This is simple enough, but could be an issue for many SMB customers and tempts one to avoid using certs on the SQL connection. Would that still work?

I applied all the steps in the aforementioned kb articles. During the upgrade to ePO 5.9, the installation rolls back. Checking core-rollback.log sheds light on why the installation rolls back; the error is:

[downgrade-extension] java.lang.SecurityException: java.lang.SecurityException: JKS keystores cannot be loaded in FIPS-140 mode. Only PKCS12 PBES2 key stores are supported

This error isn't documented on the McAfee domain, but it points to an issue with a certificate store. I'm not sure whether this is referring to the cacerts certificate store impacted by the keytool.exe procedure documented in kb84628, or to another certificate store. The cacerts store is a JKS store anyway, and perhaps should be a PKCS12 store. I was feeling brave and used keytool.exe to convert the cacerts keystore to PKCS12 and restarted the ePO services. Everything seems to be running just fine, but the upgrade fails with the same error as before.

Question 2: What's up with the keystore format error rollback? Is this about the cacerts keystore or another keystore? Should I convert it, or is there another procedure to be followed? The error thrown in the core-rollback.log file is undocumented in the McAfee domain.

Any advice is greatly appreciated!
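The rollback error above only says that some JKS keystore was loaded in FIPS mode, not which file. One way to narrow that down before converting anything is to inventory every keystore under the install tree by its on-disk format. The script below is an added example, not from the post or from McAfee; it classifies files by their leading magic bytes (JKS 0xFEEDFEED, JCEKS 0xCECECECE, PKCS12 as a DER SEQUENCE starting with 0x30) and assumes the file-name patterns listed are the ones worth checking. It does not verify that a PKCS12 store uses PBES2 internally, so a store it reports as PKCS12 may still need inspection with keytool.

```python
import os
import struct
import tempfile

# Documented Java keystore magic numbers; PKCS12 is DER, so it opens with
# a SEQUENCE tag (0x30) rather than a fixed magic.
JKS_MAGIC = 0xFEEDFEED
JCEKS_MAGIC = 0xCECECECE
# Assumed name patterns for keystore files (cacerts has no extension).
KEYSTORE_SUFFIXES = (".jks", ".keystore", ".p12", ".pfx", "cacerts")


def keystore_format(path):
    """Return 'JKS', 'JCEKS', 'PKCS12' or 'unknown' from the file header."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if len(head) < 4:
        return "unknown"
    magic = struct.unpack(">I", head)[0]
    if magic == JKS_MAGIC:
        return "JKS"
    if magic == JCEKS_MAGIC:
        return "JCEKS"
    if head[0] == 0x30:  # DER SEQUENCE: PKCS12 PFX { version INTEGER, ... }
        return "PKCS12"
    return "unknown"


def find_non_fips_keystores(root):
    """List (path, format) for every keystore-looking file that is not PKCS12."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(KEYSTORE_SUFFIXES):
                path = os.path.join(dirpath, name)
                fmt = keystore_format(path)
                if fmt != "PKCS12":
                    hits.append((path, fmt))
    return hits


def demo():
    """Build a constructed install tree and return {basename: format}."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "jre", "lib", "security"))
    samples = {  # constructed headers only, not real keystores
        os.path.join("jre", "lib", "security", "cacerts"): b"\xfe\xed\xfe\xed\x00\x00\x00\x02",
        "legacy.jks": b"\xce\xce\xce\xce\x00\x00\x00\x02",
        "sql.p12": b"\x30\x82\x01\x00\x02\x01\x03",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return {os.path.basename(p): keystore_format(p)
            for p in (os.path.join(root, r) for r in samples)}
```

Run `find_non_fips_keystores` against the real ePO install directory to get the list of stores that would trip the FIPS-140 check; the constructed `demo()` tree shows the classification on sample headers.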