6 Replies Latest reply on Mar 20, 2015 11:21 AM by JoeBidgood

    Remanaging Agents by Importing Master Key after Losing ePolicy

    robkav99

      Hello all, bit of a worst case scenario here.


      Following some poor patching, ePolicy was not able to connect to our database. A colleague reverted to a backup of our application server, but we did not have a backup of our database. After speaking with McAfee, we've been told the restored version of our application server will not be able to connect to our database, so we have had to start from scratch.


      However, I've noticed that we have a backup of the keystore from before the bad patching. Now, what I was thinking is that we could extract the master key from the old keystore, import it into our new ePolicy, and that way be able to manage our agents again (which are not talking to the new server, as it's generated a different master key).


      What I was wondering is if anyone knows the implications of doing this. Obviously it's quite an all-or-nothing approach; presumably as soon as we import the old key our new ePO server (same hostname, same IP) will be able to communicate with all the old agents and start managing them. However, I'm not sure how this will happen exactly. Will all the old agents be added as systems under My Organisation on the next agent-server communication? Will I need to create systems in the tree but not have to deploy agents? Am I talking complete rubbish? Thanks in advance for any advice. The product is fairly new to me.

        • 1. Re: Remanaging Agents by Importing Master Key after Losing ePolicy
          Peter M

          Moved from Community Help to Business > ePO for better support.

          ----

          Peter

          Moderator

          • 2. Re: Remanaging Agents by Importing Master Key after Losing ePolicy
            JoeBidgood

            I hate to be the bearer of bad tidings, but I'm afraid this won't work. Without the original DB and keystore, the certificate chain is broken, which means the clients won't get past the first step of talking to ePO via SSL.

            Unfortunately probably the quickest and most reliable approach here will be to redeploy the agent from the new server.


            Sorry


            Joe

            • 3. Re: Remanaging Agents by Importing Master Key after Losing ePolicy
              ansarias

              Will all the old agents be added as systems under My Organization on the next agent-server communication? - Yes, but they will land in the L&F group.


              Will I need to create systems in the tree but not have to deploy agents?

              Better to export the systems from the system tree of the old ePO server, if available, and import them into the new ePO server. Then once the systems communicate with the ePO console they will report into the right group.

              • 4. Re: Remanaging Agents by Importing Master Key after Losing ePolicy
                robkav99

                Unfortunately, we won't be able to export any systems from the tree of the old ePO given its state.


                Sorry guys, I'm a little confused. We do have the old original keystore containing the old original master agent-server communication key. So, if I:

                - Take the master key .zip file from the backup of the old server
                - Go to Server Settings > Edit Security Keys on the new ePO
                - Import the old master key


                Then all of the old agents will be able to communicate with the new server, and will be added to the Lost&Found group in the new system tree? And the old agents will receive the new master key as soon as an update task runs?

                • 5. Re: Remanaging Agents by Importing Master Key after Losing ePolicy
                  needsupport2015

                  I am unable to see any systems in the new server, although I transferred systems from the old ePO.


                  Not only the transferred systems, but I am unable to find any system in Lost and Found.


                  I imported the 2048 keys from the old ePO and I exported those keys to the new ePO.

                  I also made them master key.


                  Now there are three master keys in the new ePO: two from the new ePO and one exported from the old ePO.


                  What can be the reason for the agents failing to connect to the new server? Is there any way to solve this problem from the client side?

                  • 6. Re: Remanaging Agents by Importing Master Key after Losing ePolicy
                    JoeBidgood

                    No - as I mentioned earlier, this won't work. There are two layers to deal with here - the certificate used to establish SSL comms with the ePO server service, and the agent/server key pair used to authenticate against a given ePO server. You've only got the key pair - but you don't have the correct certificate, and so agent/server comms will fail at the first hurdle, as it were.


                    There's a bug in some versions of the agent where this might actually work - but it's definitely not something you should rely on.


                    HTH -


                    Joe