1) You can simply leave it until all the machines have the new agent. You don't actually need to remove the old one: I'd leave it alone.
2) As far as I know, in order to be fully FIPS compliant, ePO needs to support 2048-bit keys. This was introduced in ePO 4.6 / MA 4.6: currently only these two versions are capable of using the 2048-bit keys.
did you notice the following scenario:
1) An agent is upgraded from McAfee Agent 4.0/4.5 to 4.6
2) A client product update task is scheduled to run at every policy enforcement
At the first ASCI with the following product update task the update fails because the agent cannot decrypt the catalog.z file.
It needs a second ASCI to get the keys and then can update correctly.
Do you know why the security keys aren´t deployed instantly when installing the agent ?
PS: @PG13 - Sorry for "hijacking" your thread
As far as I know the repository keys are not deployed as part of the install package: only the agent-to-server communication keys are. The repository keys are provided to the clients as part of the normal agent/server comms.
I'm assuming therefore that when a machine reports to ePO that it has MA 4.5 or below, it is provided with the 1024bit repository keys. When you upgrade it to 4.6, it still has the 1024bit keys: it needs to talk to the server, at which point the server realises it's now a 4.6 agent and sends the 2048bit keys.
thanks for the quick insight - that would also explain why this was not happening with MA 4.5.
But for further agent versions it would be great if the agent updates the keys in one ASCI. Currently it seems it is taking two ASCIs to get the repository keys.
Thanks Joe. I'll then just let the old key die.
@metalhead: no problem for hijacking the thread; that is interesting stuff
I just thought about your answer - what I do not understand is why the error occurs, because the 1024 bit key should be a valid key.
With which key is the catalog.z decrypted ?
I don't know for certain: that was an educated guess I'd have to test it to find out the exact sequence of key exchanges...