1 Reply Latest reply on Aug 13, 2014 9:03 AM by andrep1

    ePO 4.5 to ePO 4.6 Migration

    jkeeler13

      I am tasked with finding a way to migrate from an existing ePO 4.5 server to an ePO 4.6.7 server. The ePO 4.5 server will no longer be in use after the migration. The ePO 4.6.7 server will essentially assume the identity of the ePO 4.5 server - meaning it will have the same hostname, IP, etc. on the network.

       

      Is it possible to perform this migration WITHOUT:

      1. Touching the managed agents
      2. Migrating the ePO 4.5 database

       

      I have been able to export/import the agent-server communications secure keys. However, the managed agents are not able to authenticate to the new ePO 4.6.7 server because the Agent Handler is using a different Server Cert. Logs from the agent show that the CAfile (cabundle.cer) cannot be verified and curl is exiting with an error of 60:

      2014-08-11 20:19:27.046    X    #2852    naInet    url is https://192.168.0.1:7443/spipe/pkg?AgentGuid={DB ... C8FD}&Source=Agent_3.0.0

      2014-08-11 20:19:27.062    X    #2852    curl    021042d8 info 50 About to connect() to 192.168.0.1 port 443 (#0)`0a

      2014-08-11 20:19:27.062    X    #2852    curl    021042d8 info 25   Trying 192.168.0.1...

      2014-08-11 20:19:27.062    X    #2852    curl    021042d8 info 10 connected`0a

      2014-08-11 20:19:27.062    X    #2852    curl    021042d8 info 56 Connected to 192.168.0.1 (192.168.0.1) port 443 (#0)`0a

      2014-08-11 20:19:27.062    X    #2852    curl    021042d8 info 47 successfully set certificate verify locations:`0a

      2014-08-11 20:19:27.062    X    #2852    curl    021042d8 info 77   CAfile: C:\ProgramData\McAfee\Common Framework\cabundle.cer`0a  CApath: none`0a

      2014-08-11 20:19:27.078    X    #2852    curl    021042d8 info 147 SSL certificate problem, verify that the CA cert is OK. Details:`0aerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed`0a

      2014-08-11 20:19:27.078    X    #2852    curl    021042d8 info 22 Closing connection #0`0a

      2014-08-11 20:19:27.078    X    #2852    curl    021042d8 info 68 Peer certificate cannot be authenticated with known CA certificates`0a

      2014-08-11 20:19:27.078    X    #2852    naInet    curl returned 60

       

      Is it possible to migrate not only the keys, but also the Server Certs somehow?

       

      Thanks for your help!

        Jesse
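A log-triage sketch for the failure quoted in the post above, added here as an example and not part of the original thread or of any McAfee tooling. It groups agent log lines by thread and reports connection attempts that end in curl exit code 60, together with the CA bundle the agent used. The field layout is inferred from the quoted lines, the function name is hypothetical, and the `#3000` lines are constructed for contrast.

```python
import re

# Lines for thread #2852 are copied (abridged) from the post above;
# the two #3000 lines are constructed to show an attempt that is not flagged.
SAMPLE_LOG = r"""
2014-08-11 20:19:27.046    X    #2852    naInet    url is https://192.168.0.1:7443/spipe/pkg?AgentGuid={DB ... C8FD}&Source=Agent_3.0.0
2014-08-11 20:19:27.062    X    #2852    curl    021042d8 info 77   CAfile: C:\ProgramData\McAfee\Common Framework\cabundle.cer`0a  CApath: none`0a
2014-08-11 20:19:27.078    X    #2852    curl    021042d8 info 147 SSL certificate problem, verify that the CA cert is OK. Details:`0aerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed`0a
2014-08-11 20:19:27.078    X    #2852    naInet    curl returned 60
2014-08-11 20:25:00.000    X    #3000    naInet    url is https://192.168.0.1:7443/spipe/pkg?Source=Agent_3.0.0
2014-08-11 20:25:00.100    X    #3000    naInet    curl returned 0
"""

# timestamp, level, #thread, component, message
LINE = re.compile(r"^(\S+ \S+)\s+(\S+)\s+#(\d+)\s+(\S+)\s+(.*)$")
URL = re.compile(r"url is https?://([^/\s]+)")
CAFILE = re.compile(r"CAfile: (.+?)(?:`0a|$)")   # `0a is the log's newline escape
RETURNED = re.compile(r"curl returned (\d+)")
CURL_CA_VERIFY_FAILED = 60  # "Peer certificate cannot be authenticated with known CA certificates"

def find_tls_trust_failures(log_text):
    """Return one dict per connection attempt that ended with curl exit code 60."""
    state = {}      # thread id -> details collected for the attempt in progress
    failures = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, _level, thread, component, msg = m.groups()
        attempt = state.setdefault(thread, {})
        if component == "naInet" and (u := URL.search(msg)):
            state[thread] = {"server": u.group(1), "started": ts}  # new attempt
        elif component == "curl" and (c := CAFILE.search(msg)):
            attempt["cafile"] = c.group(1)
        elif component == "curl" and "certificate verify failed" in msg:
            attempt["verify_failed"] = True
        elif component == "naInet" and (r := RETURNED.search(msg)):
            if int(r.group(1)) == CURL_CA_VERIFY_FAILED:
                failures.append({**attempt, "thread": thread, "ended": ts})
            state.pop(thread, None)  # attempt finished either way
    return failures

if __name__ == "__main__":
    for f in find_tls_trust_failures(SAMPLE_LOG):
        print(f"{f['ended']} thread #{f['thread']}: {f['server']} not trusted by {f.get('cafile')}")
```

Run across the logs of a few test agents before and after a server swap, this shows whether agents are rejecting the server certificate and which CA bundle file they checked it against.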

        • 1. Re: ePO 4.5 to ePO 4.6 Migration
          andrep1


          An easy path for migration is to build a parallel server and use the transfer functionality of ePO. Basically you share the certificates between ePO servers then mark a system for transfer. Two ASCIs and it is done...

          But specifically to your question, it is one of those things I'd only do with support online because of the high risk of failure. The link below might have some information you are looking for.

          McAfee KnowledgeBase -