683 Views 5 Replies Latest reply: Jun 26, 2013 2:52 AM by rackroyd
shavenj Newcomer 10 posts since
Jun 7, 2013

Jun 25, 2013 8:30 AM

Does updating the McAfee Agent secret/public key pair require reinstallation of the client?

Based on my reading of the documentation, the ePO key pair can go through a key update process, but I found nothing that suggests an analogous process for the Agent....

  • rackroyd McAfee Mentor 953 posts since
    Feb 3, 2010

    If I understand correctly, so long as the ePO server can still be contacted the agent would request a key exchange without having to reinstall.

    This assumes the ePO server has the right key information available to respond.


    If the ePO server does not recognise the agent key presented then you'd be left with an agent reinstall which would include a new key from the ePO server that it knows about, or you would need to find and add the correct agent keys to the ePO server keystore.

  • Tristan Veteran 790 posts since
    Dec 8, 2009

    Depending on your infrastructure just pushing out a new agent is probably your easiest option.


    If you want to do it manually then the information in this KB entry explains rackroyd's re-install with new server key suggestion.

    It's a bit old (agent 4.0) but it should still apply to 4.6/4.8. There probably is a newer version somewhere but I had the link in my favourites.


    Basically you want the bit on keys.

    -- ====================

    Installing the agent with user-selected site information and user-selected keys
    Use this command to install the agent and specify a site list file and security keys (srpubkey.bin and reqseckey.bin) other than the defaults. This command is useful when upgrading an agent using framepkg_upd.exe. It specifies the server with which the agent communicates, irrespective of the site information embedded in the original installation package.

    The security keys must be located in the same folder as the site list. Use ePolicy Orchestrator to export the files:

    1. Export the siteinfo file:
      1. Select Software | Master Repository.
      2. Click Export Sitelist.
      3. Save the file to a new location.

    2. Export the security keys:
      1. Select Configuration | Server Settings | Security Keys, and click Edit.
      2. Select Master Agent-server secure communication key, and click Export.
      3. Save the files to the same location as the siteinfo file.

    -- =======================


    and this bit


    -- =======================

    Changing server

    Use this task to change the server with which a client communicates.

    The security keys must be located in the same folder as the site list.


    frminst.exe /siteinfo=<full path of target servers sitelist.xml file>


    -- =======================


    Message was edited by: Tristan on 25/06/13 16:40:56 IST
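
A pre-flight check for the export steps quoted in the reply above, as an added example that is not part of the thread or the KB article: it confirms the site list and both key files sit in one folder, are non-empty, and records their hashes before the folder is passed to frminst.exe. The function name `Test-AgentKeyExport` and the folder in the usage comment are hypothetical.

```powershell
# Added example, not from the KB article. Verifies an ePO export folder before
# it is handed to frminst.exe /siteinfo=... The default site list name matches
# the command quoted in the thread; pass -SiteList if your export differs.
function Test-AgentKeyExport {
    param(
        [Parameter(Mandatory = $true)] [string] $ExportDir,
        [string] $SiteList = 'sitelist.xml'
    )
    $ErrorActionPreference = 'Stop'
    $dir   = (Resolve-Path -LiteralPath $ExportDir).ProviderPath
    $names = @($SiteList, 'srpubkey.bin', 'reqseckey.bin')

    # The keys must be in the same folder as the site list: check one directory.
    $missing = @($names | Where-Object {
        -not (Test-Path -LiteralPath (Join-Path $dir $_) -PathType Leaf) })
    if ($missing.Count) { throw "Missing from ${dir}: $($missing -join ', ')" }

    # A zero-byte file means the export did not complete.
    $empty = @($names | Where-Object {
        (Get-Item -LiteralPath (Join-Path $dir $_)).Length -eq 0 })
    if ($empty.Count) { throw "Empty file(s) in ${dir}: $($empty -join ', ')" }

    # The site list must at least parse as XML.
    $sitePath = Join-Path $dir $SiteList
    try { $null = [xml](Get-Content -LiteralPath $sitePath -Raw) }
    catch { throw "$SiteList is not well-formed XML: $($_.Exception.Message)" }

    # Hash each file so the set used on the client can be compared with the
    # set exported from the server.
    $hashes = $names | ForEach-Object {
        Get-FileHash -Algorithm SHA256 -LiteralPath (Join-Path $dir $_) }

    [pscustomobject]@{
        Folder  = $dir
        Hashes  = $hashes | Select-Object Hash,
                      @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }
        Command = "frminst.exe /siteinfo=$sitePath"
    }
}

# Usage (C:\Temp\epo-export is a hypothetical folder):
#   $r = Test-AgentKeyExport -ExportDir 'C:\Temp\epo-export'
#   $r.Hashes | Format-Table -AutoSize; $r.Command
```
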
  • alexn Veteran 722 posts since
    Aug 9, 2012
    A) Does adding the agent keys to the ePO keystore need to be done through the API?

    B) Is there documentation about any process to inject 3rd party created keys or archived keys back into an Agent installation?


    A) NO

    B) NO

    Post Timings: 6.00 AM to 3.00PM PDT
  • rackroyd McAfee Mentor 953 posts since
    Feb 3, 2010

    Not through the API, and no you can't inject 3rd-party keys.


    You can however reinstall archived agent keys to the ePO server through the ePO console.


    In ePO 4.6 it's under:

    Menu - Configuration - Server Settings - Security Keys.


    Choose Edit, then Import.


    "Agent-Server Secure Communication Keys" are the other part of the secure keypair that will be requested by the agent.
