How to migrate ePO from a 32-bit system to a 64-bit system (or to a different installation path)
Technical Articles ID:  KB71078
Last Modified:  02/19/2014


Environment

McAfee ePolicy Orchestrator (ePO) 5.x, 4.x

Summary

The following provides information on migrating an ePO system from 32-bit to 64-bit or to a different installation path.

Solution

IMPORTANT:
  • This procedure is intended for use by network and ePO administrators only. McAfee does not assume responsibility for any damage incurred, because these steps are intended as guidelines for disaster recovery. All liability for use of the following information remains with the user.
  • The procedure is for use with ePO 4.5, 4.6, and 5.x servers only. For ePO 5.x users, it is preferable to use the built-in Disaster Recovery feature and only use these steps if a valid Snapshot was not created and a manual recovery is required.
NOTES:
  • The Agent uses either the last known IP address, DNS name, or NetBIOS name of the ePO server. If you change any one of these, ensure that the Agents have a way to locate the server. The easiest way to do this would be to retain the existing DNS record and change it to point to the new IP address of the ePO server. After the Agent is able to successfully connect to the ePO server, it downloads an updated SiteList.xml with the current information.
  • The procedure can also be used by customers who want to migrate the ePO server to another system. For ePO 5.x users, McAfee recommends that you use the built-in Disaster Recovery feature to migrate the ePO server to another system.

Before backing up
Stop the ePO services:
  1. Click Start, Run, type services.msc, and click OK.
  2. Right-click each of the following services and select Stop:

    McAfee ePolicy Orchestrator Application Server
    McAfee ePolicy Orchestrator Event Parser
    McAfee ePolicy Orchestrator Server

Backing up the database
Back up the SQL database (normally named ePO4_<ServerName>, where <ServerName> is your ePO 4.x server name) using one of the methods described in the following KnowledgeBase articles:
  • KB59562 - How to back up the ePO database using OSQL commands
  • KB52126 - How to back up and restore the ePO database using Enterprise Manager/ Management Studio

Backing up the file system
You must back up the following folder structures to a location that will be accessible from the new 64-bit system, for example a network share. The paths below use the default installation path; your installation might differ. Ensure that all files and subfolders are backed up.

C:\Program Files\McAfee\ePolicy Orchestrator\Server\Extensions
The default path to ePolicy Orchestrator software extension information.

C:\Program Files\McAfee\ePolicy Orchestrator\Server\conf
The default path to required files used by the ePolicy Orchestrator software extensions.

C:\Program Files\McAfee\ePolicy Orchestrator\Server\Keystore
These keys are specifically for ePolicy Orchestrator agent server communication and the repositories.

C:\Program Files\McAfee\ePolicy Orchestrator\DB\Software
All products that have been checked into the Master Repository are located here.

C:\Program Files\McAfee\ePolicy Orchestrator\DB\Keystore
The Agent to Server Communication and Repository Keys that are unique to your installation are located here. Failing to restore this folder will result in all client machines being unable to communicate with the server, and you will have to redeploy the agent to all machines. Additionally, you will have to check in all deployable packages again.

C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf
The server configuration settings for Apache, the SSL certificates needed to authorize the server to handle agent requests, and console certificates are located here.

NOTE: Failure to back up all of these directory structures will make it impossible to move your ePO installation to the new 64-bit system and will require a clean start, including the redeployment of agents to all client computers.
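
The following added example (not McAfee code) copies the six folders listed above and then compares a SHA-256 manifest of the source against the backup, so a missing keystore or certificate file is caught before the old server is retired. It assumes PowerShell 4.0 or later, the default installation path, stopped ePO services, and a hypothetical share named \\backupsrv\epo-migration.

```powershell
# Added example. Assumptions: PowerShell 4.0+ (Get-FileHash), default install path,
# ePO services already stopped, hypothetical backup share \\backupsrv\epo-migration.
$EpoRoot = 'C:\Program Files\McAfee\ePolicy Orchestrator'
$Dest    = '\\backupsrv\epo-migration'      # hypothetical share name
$Folders = 'Server\Extensions', 'Server\conf', 'Server\Keystore',
           'DB\Software', 'DB\Keystore', 'Apache2\conf'

function Get-TreeManifest([string]$Root, [string[]]$SubFolders) {
    # Returns a table of relative path -> SHA-256 for every file under the listed folders.
    $manifest = @{}
    foreach ($sub in $SubFolders) {
        Get-ChildItem -LiteralPath (Join-Path $Root $sub) -Recurse -File | ForEach-Object {
            $rel = $_.FullName.Substring($Root.Length).TrimStart('\')
            $manifest[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
    return $manifest
}

foreach ($sub in $Folders) {
    # /E copies all subfolders, including empty ones; /COPY:DAT keeps data, attributes, timestamps.
    robocopy (Join-Path $EpoRoot $sub) (Join-Path $Dest $sub) /E /COPY:DAT /R:2 /W:5 /NP | Out-Null
    # robocopy exit codes of 8 or higher mean at least one file or folder failed to copy.
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed for $sub (exit code $LASTEXITCODE)" }
}

# Compare source and backup file by file; a missing file shows up as a hash mismatch.
$source = Get-TreeManifest $EpoRoot $Folders
$backup = Get-TreeManifest $Dest    $Folders
$bad = @($source.Keys | Where-Object { $backup[$_] -ne $source[$_] })
if ($bad.Count -gt 0) {
    $bad | ForEach-Object { Write-Warning "Missing or different in backup: $_" }
} else {
    "Backup verified: $($source.Count) files match."
}
```

The backup holds the agent-server communication keys and the Apache SSL certificates, so limit access to the share to the administrators performing the migration.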


Install ePO on 64-bit system
  1. Because the new 64-bit system will have the same name as the existing 32-bit system and you will be using the same SQL server for the new database, delete the existing ePO database on the SQL server. If you do not know how to perform the MSSQL operation, refer to http://technet.microsoft.com/en-us/library/ms177419.aspx or contact Microsoft Support.
     
  2. Enable 8.3 naming convention so ePO can be installed:

    1. Click Start, Run, type regedit and click OK.
    2. Navigate to:

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
       
    3. Change the NtfsDisable8dot3NameCreation value to 0.
    4. Restart the server.
       
  3. Install ePO on the 64-bit computer. Ensure that you install the same patch level as the existing ePO installation. 

    NOTE:
    You can verify the ePO patch level by looking at the Version field in the backed up Server.ini file (C:\Program Files\McAfee\ePolicy Orchestrator\DB\) and cross referencing it with article KB59938 - Version information for the ePolicy Orchestrator server. During the installation, ensure that you specify the same server ports as the current ePO installation.
     
  4. If your previous installation included Policy Auditor 5.x or MNAC 3.x, install the same version of Policy Auditor or MNAC (including any hotfixes).

Restore the database and files
  1. After installation is complete, stop and disable all ePO services:

    1. Click Start, Run, type services.msc and click OK.
    2. Right-click each of the following services and select Stop:

      McAfee ePolicy Orchestrator Application Server
      McAfee ePolicy Orchestrator Event Parser
      McAfee ePolicy Orchestrator Server 
       
    3. Double-click each of these services and change the Startup type to Disabled.
       
  2. Restore the database.
    NOTE: If you are restoring the database to a different SQL server, ensure that the account being used to access SQL in the existing ePO installation also exists and has the same rights on the new SQL server. (For example, if you are using the sa account to access SQL for the existing installation, ensure that the sa account is enabled and has the same password in the new installation.)

    You have to update the restored DB.PROPERTIES file in C:\Program Files (x86)\McAfee\ePolicy Orchestrator\server\conf\Orion with the new information before starting the server. This will be covered later.
     
  3. Delete the following folders, replacing them with the corresponding folders that were backed up earlier:

    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\Extensions
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\Keystore
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Software
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Keystore
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf
Edit files
  1. Navigate to C:\Program Files (x86)\McAfee\ePolicy Orchestrator\SERVER\conf\catalina\localhost and edit all the XML files in a text editor to reflect the 64-bit path where they are now located:

    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\SERVER\conf\catalina\localhost

    For example, change the contents of rs.xml as follows:

    From:
    <Context docBase="C:/Program Files/McAfee/ePolicy Orchestrator/Server/extensions/installed/rs/2.0.1/webapp"
    privileged="true" antiResourceLocking="false" antiJARLocking="false"></Context>

    To:
    <Context docBase="C:/Program Files (x86)/McAfee/ePolicy Orchestrator/Server/extensions/installed/rs/2.0.1/webapp"
    privileged="true" antiResourceLocking="false" antiJARLocking="false"></Context>

    NOTE: If there is a file called deployer.xml present, do not edit it. This is in a different format to the other XML files.

    You can do this fairly easily by opening all files except deployer.xml in a multi-tab text editor such as Notepad++ and replacing "Files/" with "Files (x86)/" in all open files. Alternatively, you can use the SQL Server Management Studio Replace in Files feature (Edit, Find and Replace, Replace in Files) to achieve similar results. For more details on how to use this feature, refer to SQL Server Books Online.
      
  2. Determine the 8.3 notation form of the Program Files (x86) folder:

    1. Click Start, Run, type cmd, and click OK.
    2. To change to the root, type the following command and press ENTER.

      CD\
       
    3. To list the directory structure, type the following command and press ENTER.

      dir /x

      Choose the PROGRA~ that refers to the Program Files (x86) folder. The most common form is PROGRA~2.
       
  3. Open each of the following .conf files in a text editor (Notepad) and do the following:

    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\APACHE2\conf\httpd.conf
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\APACHE2\conf\ssl.conf

    1. Locate all lines with the old 32-bit path, replacing all of these to reflect the 64-bit path that was determined in Step 2.

      For example, change the following:

      From:
      ServerRoot "C:/PROGRA~1/McAfee/EPOLIC~1/"

      To:
      ServerRoot "C:/PROGRA~2/McAfee/EPOLIC~1/"
       
    2. Click Edit, Replace.
    3. Type the "old path" (32-bit) in the Find what field.
    4. Type the "new path" (64-bit) in the Replace with field.
    5. Click Replace All.
      NOTE: There will be multiple places in this file where this path will be modified.
       
    6. Save the changes.
       
       
  4. If MNAC 3.x is installed:

    1. Click Start, Run, type explorer and click OK.
    2. Navigate to: C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\Extensions\Installed\NAC\x.x.x.xxx\conf\nacserver.properties
    3. Modify the path for servlet.cert.keyStoreLocation as follows:

      From: 
      C:/PROGRA~1/McAfee/EPOLIC~1/server/extensions/installed/NAC/3.2.1.148/keystore/nacsub.keystore

      To:
      C:/PROGRA~2/McAfee/EPOLIC~1/server/extensions/installed/NAC/3.2.1.148/keystore/nacsub.keystore
         
  5. Edit C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\bin\setenv.bat and change the paths on the lines starting with:

    set JAVA_OPTS=
    set JRE_HOME=
     
  6. Edit C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\bin\setenv.sh (if present) and change the paths on the lines starting with:

    export CATALINA_HOME=
    export JAVA_OPTS=
    export JRE_HOME=
     
  7. Edit C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf\epo\epo.properties and change the paths on the lines starting with:

    epo.install.dir
    epo.db.dir
     
  8. Edit C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf\orion\log-config.xml and change the paths on the lines starting with <param name="File".

    NOTE: There are two places where this line exists – under the “Standard log file” and “Rolling log file” sections.
     
  9. Edit C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf\orion\orion.properties and change the paths on the lines starting with:

    extension.install.dir
    extension.tmp.dir
     
  10. If you restored the database to a different SQL server, edit C:\Program Files (x86)\McAfee\ePolicy Orchestrator\server\conf\Orion\db.properties and update the following entries with the correct information:

    db.database.name
    db.instance.name
    db.port
    db.user.name
    db.server.name
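
The following added example (not McAfee code) scripts the replacements from steps 1 and 3 and then lists every line in the files from steps 1 to 9 that still points at the 32-bit location. It assumes PowerShell 3.0 or later, the default 64-bit installation path, that PROGRA~2 was confirmed with dir /x, and that the files use ASCII, UTF-8 or another 8-bit encoding; the variable and function names are illustrative.

```powershell
# Added example. Assumptions: default 64-bit install path, PROGRA~2 confirmed with dir /x,
# config files in ASCII/UTF-8 or another 8-bit encoding. Originals remain in the earlier backup.
$EpoRoot  = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator'
$ShortNew = 'PROGRA~2'      # 8.3 name of "Program Files (x86)" on this server
$Apply    = $false          # dry run by default; set to $true to write the changes
$Latin1   = [System.Text.Encoding]::GetEncoding(28591)   # 1:1 byte mapping keeps encoding and BOM intact

function Update-PathText([string]$File, [string]$Old, [string]$New) {
    # Case-sensitive literal replace; reports the hit count even when nothing is written.
    $text = $Latin1.GetString([System.IO.File]::ReadAllBytes($File))
    $hits = [regex]::Matches($text, [regex]::Escape($Old)).Count
    if ($hits -gt 0 -and $Apply) {
        [System.IO.File]::WriteAllBytes($File, $Latin1.GetBytes($text.Replace($Old, $New)))
    }
    [pscustomobject]@{ File = $File; Find = $Old; Hits = $hits; Written = ($hits -gt 0 -and $Apply) }
}

# Step 1: every context XML except deployer.xml, which has a different format and stays untouched.
# 'Program Files/' is used instead of 'Files/' so unrelated folder names cannot match.
$report = @(Get-ChildItem (Join-Path $EpoRoot 'Server\conf\catalina\localhost') -Filter *.xml |
    Where-Object { $_.Name -ne 'deployer.xml' } |
    ForEach-Object { Update-PathText $_.FullName 'Program Files/' 'Program Files (x86)/' })
# Step 3: httpd.conf and ssl.conf use the 8.3 short name.
$report += @('httpd.conf', 'ssl.conf' | ForEach-Object {
    Update-PathText (Join-Path $EpoRoot "Apache2\conf\$_") 'PROGRA~1' $ShortNew })
$report | Format-Table -AutoSize

# Steps 1-9: list every line that still points at the 32-bit location (match is case-insensitive).
$targets = 'Server\conf\catalina\localhost\*.xml', 'Apache2\conf\httpd.conf', 'Apache2\conf\ssl.conf',
    'Server\bin\setenv.bat', 'Server\bin\setenv.sh', 'Server\conf\epo\epo.properties',
    'Server\conf\orion\log-config.xml', 'Server\conf\orion\orion.properties',
    'Server\Extensions\Installed\NAC\*\conf\nacserver.properties' |
    ForEach-Object { Join-Path $EpoRoot $_ }
Get-ChildItem -Path $targets -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ne 'deployer.xml' } |
    Select-String -SimpleMatch -Pattern 'Program Files/', 'Program Files\', 'PROGRA~1' |
    Select-Object Path, LineNumber, Line
```

An empty result from the final command means none of the checked files still references the old path; any line it prints is one to correct by hand before starting the services.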
     
Enable/start services:
  1. Enable all ePO services to start automatically on system start up:

    1. Click Start, Run, type services.msc and click OK.
    2. Double-click each of the following services and change Startup type to Automatic:

      McAfee ePolicy Orchestrator Application Server
      McAfee ePolicy Orchestrator Event Parser
      McAfee ePolicy Orchestrator Server
       
  2. Start the McAfee ePolicy Orchestrator Application Server service only.
  3. Attempt to log on to the ePO console. If you are unable to log in, review all the steps performed in this article and ensure that they have been properly completed. If you cannot resolve the console log on issue, contact McAfee Support for further assistance before proceeding.

    NOTE: You must be able to log in for the rest of the recovery steps to work.
     
  4. Rename the SSL.CRT folder (see path below) to SSL.CRT.OLD and manually create an empty folder named SSL.CRT in the same path, otherwise the setup will fail to create a new certificate: 

    64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
     
  5. Click Start, Run, type cmd and click OK.
     
  6. Change directories to your ePO installation directory (this would now be: C:\Program Files (x86)\McAfee\ePolicy Orchestrator\).
     
  7. Run the following command:

    IMPORTANT:
    - This command will fail if User Account Control (UAC) is enabled on this server. If the server runs Windows Server 2008 or later, disable this feature. You can find more information about UAC at: http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx.
    - This command is case-sensitive. The ahsetup.log (found in <installdir\Apache2\conf\ssl.crt>) provides information about whether the command succeeded or failed and will state if it used the files located in the ssl.crt folder:

    Rundll32.exe ahsetup.dll RunDllGenCerts <eposervername> <console HTTPS port> <admin username> <password> <"installdir\Apache2\conf\ssl.crt">

    Where:
    <eposervername> is your ePO server's NetBIOS name
    <console HTTPS port> is your ePO Console Port (default is 8443)
    <admin username> is admin (use the default ePO admin account)
    <password> is the password to the ePO Admin console account
    <installdir\Apache2\conf\ssl.crt> is your installation path to the Apache folder (this would now be: C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt)

    Example:
    Rundll32.exe ahsetup.dll RunDllGenCerts eposervername 8443 administrator password "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"

     
  8. Start the remaining ePO services listed below:

    McAfee ePolicy Orchestrator Event Parser
    McAfee ePolicy Orchestrator Server
     
  9. Look in the DB\logs\server.log to ensure that the Agent Handler (Apache server) started correctly. It should state something similar to the following:

    20090923173647 I #4108 NAIMSRV ePolicy Orchestrator server started.

    If it does not, there will be an error similar to the following:

    20090923173319 E #4736 NAIMSRV Failed to get server key information.
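
The following added example (not McAfee code) reads server.log lines in the format shown above and reports the most recent NAIMSRV start or error entry, which matters when the log holds several restart attempts. It assumes PowerShell 3.0 or later and that lines are appended in time order; the function name is illustrative and the sample input is constructed from the two lines quoted above.

```powershell
# Added example. Assumption: log lines look like "<yyyyMMddHHmmss> <level> #<id> <module> <message>",
# as in the two lines quoted in this article, and are appended in time order.
function Get-EpoStartupStatus([string[]]$Lines) {
    $rx   = '^(?<ts>\d{14})\s+(?<level>[A-Z])\s+#(?<id>\d+)\s+(?<module>\S+)\s+(?<msg>.+)$'
    $last = $null
    foreach ($line in $Lines) {
        # Skip lines in another format or from another module.
        if ($line -notmatch $rx -or $Matches.module -ne 'NAIMSRV') { continue }
        $isStart = $Matches.msg -like 'ePolicy Orchestrator server started*'
        $isError = $Matches.level -eq 'E'
        if ($isStart -or $isError) {
            # Later entries overwrite earlier ones, so the result reflects the latest attempt.
            $last = [pscustomobject]@{
                Time    = [datetime]::ParseExact($Matches.ts, 'yyyyMMddHHmmss',
                              [cultureinfo]::InvariantCulture)
                Started = [bool]$isStart
                Message = $Matches.msg.Trim()
            }
        }
    }
    $last
}

# Constructed sample: the two lines quoted above, in time order (failed attempt, then success).
$sample = @(
    '20090923173319 E #4736 NAIMSRV Failed to get server key information.',
    '20090923173647 I #4108 NAIMSRV ePolicy Orchestrator server started.'
)
Get-EpoStartupStatus $sample

# Against the real log (default 64-bit path):
# Get-EpoStartupStatus (Get-Content 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\logs\server.log')
```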
      

© 2003-2013 McAfee, Inc.