7 Replies Latest reply on Oct 26, 2011 5:43 AM by JoeBidgood

    New (second) Master key




      I recently upgraded from epo 4.0 to 4.6, and I then began deploying McAfee agent over


      I notice that I now have two Master keys for the Agent-server secure communication keys. The new agents I deploy have the new key (which is 2048 bits long) while the machines not yet upgraded have the old one (1024 bits).


      1. Should I do something to switch everyone to the new key, or should I just wait for every machine to have the new agent and  then delete the old key?
      2. Where does this new key come from? From Epo 4.6, or from Agent, and why the need for a new key?


      Thank you.



        • 1. Re: New (second) Master key



          1) You can simply leave it until all the machines have the new agent. You don't actually need to remove the old one: I'd leave it alone.

          2) As far as I know, in order to be fully FIPS compliant, ePO needs to support 2048-bit keys. This was introduced in ePO 4.6 / MA 4.6: currently only these two versions are capable of using the 2048-bit keys.


          HTH -



          • 2. Re: New (second) Master key

            Hello Joe,


            did you notice the following scenario:


            1) An agent is upgraded from McAfee Agent 4.0/4.5 to 4.6

            2) A client product update task is scheduled to run at every policy enforcement


            At the first ASCI with the following product update task the update fails because the agent cannot decrypt the catalog.z file.

            It needs a second ASCI to get the keys and then can update correctly.


            Do you know why the security keys aren´t deployed instantly when installing the agent ?


            Thanks Tom

            PS: @PG13 - Sorry for "hijacking" your thread

            • 3. Re: New (second) Master key

              As far as I know the repository keys are not deployed as part of the install package: only the agent-to-server communication keys are. The repository keys are provided to the clients as part of the normal agent/server comms.

              I'm assuming therefore that when a machine reports to ePO that it has MA 4.5 or below, it is provided with the 1024bit repository keys. When you upgrade it to 4.6, it still has the 1024bit keys: it needs to talk to the server, at which point the server realises it's now a 4.6 agent and sends the 2048bit keys.


              HTH -



              • 4. Re: New (second) Master key

                Hi Joe,


                thanks for the quick insight - that would also explain why this was not happening with MA 4.5.

                But for further agent versions it would be great if the agent updates the keys in one ASCI. Currently it seems it is taking two ASCIs to get the repository keys.



                • 5. Re: New (second) Master key

                  Thanks Joe. I'll then just let  the old key die.


                  @metalhead: no problem for hijacking the thread; that is interesting stuff

                  • 6. Re: New (second) Master key

                    I just thought about your answer - what I do not understand is why the error occurs, because the 1024 bit key should be a valid key.

                    With which key is the catalog.z decrypted ?


                    Thanks Tom

                    • 7. Re: New (second) Master key

                      I don't know for certain: that was an educated guess    I'd have to test it to find out the exact sequence of key exchanges...


                      HTH -