Configurations for ePolicy Orchestrator certificate validation issue for secure database connection (SB10120)
Technical Articles ID:   KB84628
Last Modified:  9/30/2019
Environment

McAfee ePolicy Orchestrator (ePO) 5.x

Summary

ePO does not validate the certificate that the SQL Server presents for the secure (TLS) database connection, so an attacker on the network path between ePO and the database can impersonate the SQL Server in a Man-in-the-Middle (MitM) attack. For more information, see SB10120.
 
Enforcing Certificate Validation
After you upgrade to a fixed ePO version (4.6.9, 5.1.2, or 5.3.0 and later), an ePO administrator must complete additional configuration steps through the user interface. The code changes alone do not turn certificate validation on; the steps below enforce the validation fixes included in those versions.

Creating an IPsec tunnel for Remote Agent Handlers
Additional steps are required to secure the Remote Agent Handler (AH) to database communication on ePO 4.6.9 (see Recommended Actions). This scenario is the only one not fully addressed by the code changes for this fix: Engineering could not backport all of the required changes into the Agent Handler code base while keeping backward compatibility, because of limitations in several third-party libraries. The workaround is an IPsec tunnel between the Agent Handler and the SQL Server, described as Configuration 3 below.

Recommended Actions
  • ePO 5.3 and later users must apply the steps in Configuration 1 (A), Configuration 1 (B), and Configuration 2 below.
  • ePO 5.0.x and 5.1.x users must upgrade to ePO 5.1.2, and apply the steps in Configurations 1 (A), 1 (B), and 1 (C) below. 
    NOTE: These ePO versions are End of Life.
  • ePO 4.6.x users must upgrade to ePO 4.6.9, and apply the steps in Configuration 1 (A), Configuration 2, and Configuration 3 below.
    NOTE: This ePO version is End of Life.
Prerequisites
Do one of the following before performing the procedures in this article:
  • Option 1: If you do not have a CA certificate and machine-issued CA signed certificate, follow these steps:
    1. Set up a Root Certificate Authority (CA) using OpenSSL, certtool.exe, XCA tool, or similar tool.
    2. Create a Root CA Certificate, create an Intermediate CA, and issue a computer certificate for the SQL Server using the Intermediate CA certificate.
    3. Install the system certificate issued by the Intermediate CA certificate on the SQL Server and enable Force Encryption on the SQL Server.
       
  • Option 2: If you already have a CA certificate and machine-issued CA signed certificate, install the machine-issued CA certificate to the SQL Server and enable Force Encryption.
NOTES:
  • Ensure that you have generated a Root Certificate Authority to perform the steps in this article. To obtain the Root Certificate Authority (CA), contact your third-party CA or Enterprise CA.
  • The Subject CN of the computer certificate must be the fully qualified domain name (FQDN) of the SQL Server, the name must be resolvable on the ePO server, and the ePO database settings must refer to the SQL Server by that same name. Do not rely on Subject Alternative Names because they do not work for this purpose.
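
The following script is an added example and is not part of this article: it builds the Root CA, Intermediate CA and SQL Server certificate chain from Option 1 with the Windows PKI module (one of the "similar tools" the option allows) instead of OpenSSL, and exports the files that the later steps consume. The CA names, the FQDN and the output folder are placeholders to replace for your environment; the script assumes Windows 10 / Server 2016 or later and an elevated session.

```powershell
# Added example, not part of the KB article: Root CA -> Intermediate CA -> SQL Server certificate
# with the Windows PKI module. Names, FQDN and output folder are placeholders (assumptions).
$ErrorActionPreference = 'Stop'
$SqlFqdn = 'sql01.corp.example.com'   # must be the name the ePO server resolves and connects to
$OutDir  = 'C:\PKI\epo'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Root CA: signing-only key, Basic Constraints CA=true, path length 1 (one CA tier below it).
$root = New-SelfSignedCertificate -Type Custom -Subject 'CN=Example Root CA' `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeySpec Signature -KeyUsageProperty Sign -KeyUsage CertSign, CRLSign `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=1') `
    -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(10) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Intermediate (issuing) CA signed by the root; path length 0 means it issues end-entity certs only.
$issuing = New-SelfSignedCertificate -Type Custom -Subject 'CN=Example Issuing CA' -Signer $root `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeySpec Signature -KeyUsageProperty Sign -KeyUsage CertSign, CRLSign `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0') `
    -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(5) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. SQL Server certificate signed by the issuing CA. The Subject CN is set to the FQDN explicitly
#    because the article notes that ePO matches the CN, not the SAN. Server Authentication EKU and
#    a key-exchange capable RSA key in the legacy Schannel provider are what SQL Server expects.
$sql = New-SelfSignedCertificate -Type SSLServerAuthentication -Subject "CN=$SqlFqdn" `
    -DnsName $SqlFqdn -Signer $issuing `
    -Provider 'Microsoft RSA SChannel Cryptographic Provider' -KeySpec KeyExchange `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# Check before anything is deployed: the CN must be exactly the name ePO will connect to.
$cn = $sql.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn -ne $SqlFqdn) { throw "Subject CN '$cn' does not match '$SqlFqdn'" }

# 4. Export: CA certificates as DER .cer (for keytool and the Windows Trusted Root store),
#    the server certificate with its private key as PFX (for SQL Server Configuration Manager,
#    where the SQL Server service account also needs read access to the private key).
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-Certificate    -Cert $root    -FilePath "$OutDir\root-ca.cer"    | Out-Null
Export-Certificate    -Cert $issuing -FilePath "$OutDir\issuing-ca.cer" | Out-Null
Export-PfxCertificate -Cert $sql     -FilePath "$OutDir\$SqlFqdn.pfx" -Password $pfxPassword | Out-Null

# 5. Keep the CA private keys off this host: back them up as PFX for offline storage, then delete
#    the CA entries and keys from the local store. The .cer files are all that ePO, the Agent
#    Handlers and the SQL Server ever need.
Export-PfxCertificate -Cert $root    -FilePath "$OutDir\root-ca-OFFLINE.pfx"    -Password $pfxPassword | Out-Null
Export-PfxCertificate -Cert $issuing -FilePath "$OutDir\issuing-ca-OFFLINE.pfx" -Password $pfxPassword | Out-Null
Remove-Item -Path "Cert:\LocalMachine\My\$($root.Thumbprint)"    -DeleteKey
Remove-Item -Path "Cert:\LocalMachine\My\$($issuing.Thumbprint)" -DeleteKey

"Root CA     $($root.Thumbprint)"
"Issuing CA  $($issuing.Thumbprint)"
"SQL Server  $($sql.Thumbprint)  CN=$cn  expires $($sql.NotAfter)"
```

issuing-ca.cer is the "CA certificate that is used to sign the certificate configured on the SQL Server" that the keytool commands below refer to; import the PFX on the SQL Server, select it in SQL Server Configuration Manager and enable Force Encryption as Prerequisites require.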

Solution

Configuration 1

(A) Enforce certificate validation from the ePO server to the database:
  1. Log on to the ePO console.
  2. Go to the Configure Database Settings page: https://<ePO_server_name>:port/core/config
  3. In the SSL communication with database server section, select Always use SSL and require a CA-signed server certificate.

    NOTE: The selectable text displayed might vary based on the version of ePO installed.
     
  4. Click Test Connection to check that certificate validation is now enforced. Because the CA that signed the SQL Server certificate is not yet in the Java trust store, the test is expected to fail with "Test failed: Network error IOException: Certificate not verified."

    NOTE: Future ePO versions might display this error as "Test failed: Network error IOException: bad_certificate(42)."
     
  5. Click Apply.
  6. For the connection to succeed, the default Java trust store must trust the certificate configured on the SQL Server, which means the CA certificate that signed it must be in the trust store. Import that CA certificate using the following commands (the keystore location depends on the ePO version):
     
    • ePO 5.10:

      CD c:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\lib\security

      "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias SOME_UNIQUE_NAME -file CA_CERTIFICATE -keystore cacerts -storetype jks


      Where 'SOME_UNIQUE_NAME' is the alias name used to identify the imported certificate in the keystore. 'CA_CERTIFICATE' is the local path to the CA certificate that is used to sign the certificate configured on the SQL Server.

      NOTE: The keystore password is changeit.

      Example: "c:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias MySQLServerCertificate -file sqlserver.cer -keystore cacerts -storetype jks

      NOTE: The above example command assumes that sqlserver.cer is placed in the current working directory. For example, c:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\lib\security.
       
    • ePO 5.3.3 and later:

      CD C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore

      "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias SOME_UNIQUE_NAME -file CA_CERTIFICATE -keystore cacerts.p12 -storetype pkcs12
       
    • ePO 5.3.2 and earlier:

      CD C:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\lib\security

      "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias SOME_UNIQUE_NAME -file CA_CERTIFICATE -keystore cacerts

       
  7. Import the CA certificate into the Windows certificate store, Trusted Root Certificate Authority. This step is required to enforce certificate validation between the local Agent Handler and the SQL database.
  8. Click Apply.
  9. Restart the ePO services:
    1. Click Start, Run, type services.msc, and click OK.
    2. Right-click the following services and select Restart:

      McAfee ePolicy Orchestrator x.x.x Application Server
      McAfee ePolicy Orchestrator x.x.x Server
      McAfee ePolicy Orchestrator x.x.x Event Parser

       
  10. Log on to the ePO console, navigate to https://<ePO_server_name>:port/core/config, and test the database connection.

    The database test is successful.

(B) Enforce certificate validation from the Remote Agent Handler to the database:
  • If the Remote Agent Handler is not already installed:
    1. Import the CA certificate into the Windows certificate store, Trusted Root Certificate Authority of the Agent Handler system.
    2. Install the Agent Handler by directing it to the ePO server. The Agent Handler services are installed with the certificate validation option set. The Agent Handler uses the CA certificate in the Windows certificate store to connect to the database and validate the SQL Server certificate.
  • If the Remote Agent Handler is already installed:
    1. Import the CA certificate into the Windows certificate store, Trusted Root Certificate Authority of the Remote Agent Handler system.
    2. Edit C:\Program Files (x86)\McAfee\Agent Handler\DB\db.properties and set db.param.ssl=authenticate.
    3. Restart all Agent Handler services.
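
The following script is an added example, not part of this article: it performs steps 6, 7 and 9 of Configuration 1 (A) and the three steps of Configuration 1 (B) from an elevated PowerShell session, on the ePO server or on a Remote Agent Handler (the db.properties step only runs where that file exists). The same keytool import is what Configuration 1 (C) and Configuration 2 need for the roll-up SQL Server's CA. The file name, alias and the version switch are assumptions; the paths, keystore password and property value are the ones this article gives.

```powershell
# Added example, not part of the KB article. $CaCerFile, $Alias and $EpoVersion are assumptions.
param(
    [Parameter(Mandatory)][ValidateSet('5.10', '5.3.3+', '5.3.2-')][string]$EpoVersion,
    [string]$CaCerFile = 'C:\PKI\epo\issuing-ca.cer',   # CA that signed the SQL Server certificate
    [string]$Alias     = 'epo-sql-issuing-ca',
    [string]$AhDbProps = 'C:\Program Files (x86)\McAfee\Agent Handler\DB\db.properties'
)
$ErrorActionPreference = 'Stop'
$EpoRoot   = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator'
$Keytool   = "$EpoRoot\JRE\bin\keytool.exe"
$StorePass = 'changeit'                                 # default keystore password per the article

# The trust store read by the ePO application server depends on the version (step 6).
switch ($EpoVersion) {
    '5.10'   { $Store = "$EpoRoot\JRE\lib\security\cacerts";    $StoreType = 'jks'    }
    '5.3.3+' { $Store = "$EpoRoot\Server\keystore\cacerts.p12"; $StoreType = 'pkcs12' }
    '5.3.2-' { $Store = "$EpoRoot\JRE\lib\security\cacerts";    $StoreType = 'jks'    }
}
if (-not (Test-Path $Store)) { throw "Trust store $Store not found; check the ePO version" }

# Step 7 / (B) 1: Windows Trusted Root store. The local or remote Agent Handler validates the
# SQL Server certificate through Schannel, which only consults the Windows stores.
$ca = Import-Certificate -FilePath $CaCerFile -CertStoreLocation 'Cert:\LocalMachine\Root'
"Windows Root store: $($ca.Subject) ($($ca.Thumbprint))"

# Step 6: Java trust store used by the JDBC connection. Idempotent: keytool -list exits
# non-zero when the alias is absent, so the import runs only once.
& $Keytool -list -keystore $Store -storetype $StoreType -storepass $StorePass -alias $Alias *> $null
if ($LASTEXITCODE -ne 0) {
    & $Keytool -importcert -noprompt -alias $Alias -file $CaCerFile `
               -keystore $Store -storetype $StoreType -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "keytool import into $Store failed (exit code $LASTEXITCODE)" }
}
"Java trust store: alias '$Alias' present in $Store"

# (B) 2 and 3: on a Remote Agent Handler, require validation in its own database settings.
if (Test-Path $AhDbProps) {
    $lines = @(Get-Content -Path $AhDbProps)
    if ($lines -match '^db\.param\.ssl=') {
        $lines = $lines -replace '^db\.param\.ssl=.*$', 'db.param.ssl=authenticate'
    } else {
        $lines += 'db.param.ssl=authenticate'
    }
    Set-Content -Path $AhDbProps -Value $lines -Encoding ASCII
    # Service display names vary by version (assumption); adjust the pattern if nothing matches.
    Get-Service | Where-Object DisplayName -like '*Agent Handler*' | Restart-Service -Force
}

# Step 9: restart the ePO services so the new trust anchor is picked up.
Get-Service -DisplayName 'McAfee ePolicy Orchestrator*' -ErrorAction SilentlyContinue | Restart-Service -Force
# Step 10 remains manual: Test Connection on https://<ePO_server_name>:port/core/config must now succeed.
```

Because the alias is checked before the import, the script can be re-run safely; a second run only confirms the entry and restarts the services.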
(C) Enforce certificate validation from the ePO server to the remote SQL Server for roll-up reporting communication:
  1. Import the CA certificate used to sign the certificate issued to the roll-up ePO SQL database into the default Java trust store. To do this import, navigate to the following directory and use the keytool to import the certificate and trust the certificate:
    • ePO 5.10:

      CD C:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\lib\security

      "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias SOME_UNIQUE_NAME -file CA_CERTIFICATE -keystore cacerts -storetype jks


      Where 'SOME_UNIQUE_NAME' is the alias name used to identify the imported certificate in the keystore. 'CA_CERTIFICATE' is the local path to the CA certificate that is used to sign the certificate configured on the SQL Server.

      NOTE: The keystore password is changeit.
       
    • ePO 5.3.3 and later:

      CD C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore

      "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias SOME_UNIQUE_NAME -file CA_CERTIFICATE -keystore cacerts.p12 -storetype pkcs12

       
    • ePO 5.3.2 and earlier:

      CD C:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\lib\security

      "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias SOME_UNIQUE_NAME -file CA_CERTIFICATE -keystore cacerts

  2. Open the Registered Server UI and configure the Registered Server of server type ePO:
    1. Click Menu, Configuration, Registered Servers.
    2. Select a server type of ePO.
    3. Configure all details of the remote ePO database and for SSL communication with the database server, select Always use SSL and require a CA-signed server certificate.
    4. Click Save.
       
  3. Restart the ePO services:
    1. Click Start, Run, type services.msc, and click OK.
    2. Right-click the following services and select Restart:

      McAfee ePolicy Orchestrator x.x.x Application Server
      McAfee ePolicy Orchestrator x.x.x Server
      McAfee ePolicy Orchestrator x.x.x Event Parser

       
  4. After a successful restart of all ePO services, log on to the ePO console, edit the ePO Registered Server configured above, and test the connection.

    The database connection is successful.

Configuration 2 (roll-up reporting, manual db.param.ssl update)

  1. Import the CA certificate used to sign the certificate of the roll-up ePO SQL database into the default Java trust store on the ePO server. To complete this step, navigate to the following directory and use keytool to import and trust the certificate:
     
    • ePO 5.3.3 and later:

      CD C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore

      "c:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias SOME_UNIQUE_NAME -file CA_CERTIFICATE -keystore cacerts.p12 -storetype pkcs12


      Where 'SOME_UNIQUE_NAME' is the alias name used to identify the imported certificate in the keystore. 'CA_CERTIFICATE' is the local path to the CA certificate that is used to sign the certificate configured on the SQL Server.

      NOTE: The keystore password is changeit.
       
    • ePO 5.3.2 and earlier:

      CD c:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\lib\security

      "c:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias SOME_UNIQUE_NAME -file CA_CERTIFICATE -keystore cacerts
       
  2. Open the Registered Server UI and configure the Registered Server of server type ePO:
    1. Click Menu, Configuration, Registered Servers.
    2. Select a server type of ePO.
    3. Configure all details of the remote ePO database and for SSL communication with database server, select Always use SSL.
    4. Click Save.
       
  3. Using Microsoft SQL Server Management Studio, connect to the database and manually update the value of db.param.ssl to authenticate in the URL column of the OrionRegisteredServers table.
  4. Restart the ePO services:
    1. Click Start, Run, type services.msc, and click OK.
    2. Right-click the following services and select Restart:
       
      McAfee ePolicy Orchestrator x.x.x Application Server
      McAfee ePolicy Orchestrator x.x.x Server
      McAfee ePolicy Orchestrator x.x.x Event Parser
     
  5. After a successful restart of all ePO services, log on to the ePO console, edit the above configured ePO Registered Server, and test the connection.

    The database connection is successful.

Configuration 3 (IPsec tunnel between the Remote Agent Handler and the SQL Server)

  1. Start the IP Security Policies Snap-in Configuration Utility. This utility is a snap-in module for the Microsoft Management Console (MMC).
    1. Start the MMC. Click Start, Run, type MMC, and click OK.
    2. If the IP Security Policies Snap-in Configuration Utility is not loaded, use the following procedure to add it:
      1. From the MMC window, click File, Add/Remove Snap-in.
      2. From the Add/Remove Standalone Snap-in window, click Add.
      3. From the Add Standalone Snap-in window, select IP Security Monitor and IP Security Policy Management, and then click Add.
      4. In the Select Computer or Domain window, select Local computer.

        In this procedure, we are configuring IP Security for the local computer.
         
      5. Click Finish.
      6. Close the Add Standalone Snap-in window.
      7. Close the Add/Remove Snap-in window by clicking OK.
         
  2. Create an IP Security Policy. An IP Security Policy is a set of IPsec configuration parameters.
     
    NOTE: Only one local IP Security Policy can be active, or assigned on a system at a time. Assigning another policy automatically unassigns the currently assigned policy. To assign this policy to many computers, use Group Policy.
     
    1. In the left navigation pane of the IP Security Policy Management snap-in, click IP Security Policies on Local Computer to display all IP Security Policies.

      Depending on your Windows platform, there might be IP Security Policies already configured.
       
    2. Right-click IP Security Policies on Local Computer and select Create IP Security Policy.

      The Policy wizard starts and displays a start-up message.
       
    3. Click Next. The Policy wizard opens the IP Security Policy Name window.
    4. Type a name in the Name field. This name is used only for internal identification.
    5. Click Next. The Policy wizard opens the Requests for Secure Communication window.
    6. Deselect the Activate the default response rule check box.
    7. Click Next. The Policy wizard opens the Completing the IP Security policy wizard window.
    8. Select the Edit properties check box if it is not already selected.
    9. Click Finish. The IP Security configuration utility opens the Policy Properties dialog box.

      The title of the window is <name> Policy, where name is the policy name.
       
  3. Add an IPsec Rule to the IP Security Policy. The primary purpose of a rule is to assign actions to filters. A rule also specifies IKE authentication methods.
    1. Select the Rules tab in the Policy Properties dialog box. Deselect the Use Add wizard box check box if it is selected, and click Add.

      The IP Security configuration utility opens the Rule Properties dialog box, which has a tab for each category of rule configuration data: IP Filter List, Filter Action, Authentication Methods.
       
    2. Configure IKE authentication with a preshared key:
      1. Select the Authentication Methods tab in the Rule Properties dialog box, and click Add to open the Authentication Method dialog box.
      2. To use IKE authentication with a preshared key, select Use this string and enter the preshared key. Do not enclose the key in double quotes. Use a long random string that is unique to this Agent Handler and SQL Server pair; the key is stored in the local policy and must be entered identically on both systems. Click OK.
      3. Move the preshared key authentication method to the top of the list.
         
    3. Create an IP Filter list:
      1. Select the IP Filter tab from the Rule Properties dialog box. The IP Filter List tab shows a list of filters already defined for IP Security Policies.

        Each rule can have only one filter list, but the filter list can specify multiple filters.

        In this example, create a filter list that contains one filter.
         
      2. Click Add at the bottom of the dialog box. The IP Security configuration utility opens the IP Filter List dialog box.
      3. Type a name for the filter list in the Name field. This name is used only for internal identification. Optionally, add a description.
      4. Deselect the Use Add Wizard check box if it is selected.
      5. Click Add.
      6. Select the Addressing tab in the Filter Properties dialog box.

        Use the drop-down lists to specify the address types for the source and destination addresses. The selections are:
        • My IP address
        • Any IP address
        • A specific DNS Name
        • A specific IP address
        • A specific IP Subnet
           
      7. Set the source address to My IP address and the destination address to the SQL Server's IP subnet, for example 10.213.6.0/24, or to its specific IP address. Keep the filter as narrow as possible so that only the Agent Handler to database traffic is affected.
      8. Select the Mirrored option so that the filter matches traffic in both directions, then click OK twice.
      9. Select the new IP Filter List so that the rule uses it.
         
    4. Create an IPsec filter action. Configuring filter actions for the rule specifies the action to take for the rule, such as allow (pass), block (discard), or negotiate security (negotiate IPsec AH or ESP Security Associations).

      If you select negotiate security, the filter action also specifies parameters for IPsec Security Association (SA) proposals: ESP or AH transforms and IPsec SA key lifetimes. A rule can have only one filter action, but the filter action can specify multiple IPsec SA proposals.

      Specify the order for the IPsec SA proposals:
      1. Select the Filter Action tab from the Rule Properties dialog box. The Filter Action tab shows a list of filter actions already defined for IP Security.

        In this procedure, create a filter action.
         
      2. Deselect the Use Add Wizard check box if it is selected and click Add. The IP Security configuration utility opens the Filter Action Properties dialog box.
      3. Select the Security Methods tab, then select Negotiate security.
      4. Verify that the following check boxes are selected:
        • Accept unsecured communication, but always respond using IPsec
        • Allow unsecured communication with non-IPSec-aware computer

        NOTE: These two options let traffic fall back to cleartext when the peer does not negotiate IPsec, which keeps the database reachable while you roll the policy out to both systems. They also mean that a failed or blocked negotiation silently leaves the connection unprotected, so confirm with the capture in step 6 that the traffic is actually encapsulated.
           
      5. Click Add. The IP Security configuration utility opens the Security Method dialog box.
      6. Select Integrity & Encryption and click OK.
      7. Select this Filter action and click Apply and then OK.
      8. Ensure that the rule is also selected.
         
  4. Configure the exact same IP Security Policy on the SQL Server hosting the ePO database.
  5. On both the systems, right-click the configured policy and select Assign.
  6. Use Wireshark to confirm that the traffic between the Agent Handler and the database is going over the IPsec tunnel: the capture should show ESP (IP protocol 50) between the two hosts instead of cleartext TDS on the SQL Server port (TCP 1433 by default).
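
The following script is an added example and not part of this article: it creates the same policy as the snap-in procedure above, but as a Windows Firewall with Advanced Security connection security rule through the NetSecurity cmdlets, and then checks that a security association with the peer exists. Run it elevated on the Remote Agent Handler and again on the SQL Server with $RemoteHost pointing at the other system. $RuleName, $RemoteHost and $Psk are placeholders; the cipher choices (AES-256/SHA-256) are this example's, since the article only asks for "Integrity & Encryption".

```powershell
# Added example, not part of the KB article. $RuleName, $RemoteHost and $Psk are placeholders.
$ErrorActionPreference = 'Stop'
$RuleName   = 'ePO Agent Handler to SQL Server'
$RemoteHost = '10.213.6.25'                        # the peer: SQL Server IP on the AH, AH IP on the SQL Server
$Psk        = 'replace-with-a-long-random-string'  # identical on both systems; readable by local admins

# Phase 1 (IKE) authentication with a machine pre-shared key, as in step 3.2 of the procedure.
$authProposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $Psk
$authSet      = New-NetIPsecPhase1AuthSet -DisplayName "$RuleName - PSK" -Proposal $authProposal

# Phase 2 (quick mode): ESP with integrity and encryption ("Integrity & Encryption" in step 3.4.6).
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA256 -Encryption AES256
$qmSet      = New-NetIPsecQuickModeCryptoSet -DisplayName "$RuleName - ESP" -Proposal $qmProposal

# Rollout setting, equivalent to the two "unsecured communication" check boxes in step 3.4.4:
# Request negotiates IPsec when the peer answers and otherwise lets the traffic pass in clear.
# A connection security rule matches both directions, which is what "Mirrored" did in the filter.
# Scoping it to the peer address keeps other SQL clients and the ePO server itself unaffected.
New-NetIPsecRule -DisplayName $RuleName -Mode Transport -LocalAddress Any -RemoteAddress $RemoteHost `
    -InboundSecurity Request -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name | Out-Null

# Send something to the peer (on the AH this reaches the SQL listener; on the SQL Server it is
# just enough to start IKE) and check that a quick-mode SA with the peer now exists.
Test-NetConnection -ComputerName $RemoteHost -Port 1433 -WarningAction SilentlyContinue | Out-Null
$sa = Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $RemoteHost }
if (-not $sa) {
    throw "No IPsec SA with $RemoteHost - traffic is still in clear. Check the PSK and the rule on the peer."
}
$sa | Select-Object LocalEndpoint, RemoteEndpoint | Format-Table -AutoSize

# Once both ends negotiate, remove the cleartext fallback: Require drops unprotected packets
# to and from the peer, so blocking IKE can no longer downgrade the link to plaintext TDS.
Set-NetIPsecRule -DisplayName $RuleName -InboundSecurity Require -OutboundSecurity Require
"IPsec rule '$RuleName' enforced with $RemoteHost; confirm with Wireshark that only ESP is seen."
```

Do the switch to Require only after the SA check passes on both systems; with Require on one side and no rule on the other, the Agent Handler loses its database connection instead of falling back.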

Re-importing the certificates after a Java version update

IMPORTANT: This solution is only required if you have already configured an encrypted SQL connection for ePO, but then applied an upgrade, update, or hotfix which incremented the version of Java that ePO uses.
 
(A) Import the CA certificate into the Java trust store:
  1. Import the CA certificate that signed the SQL Server certificate into the Java trust store using the following commands:
     
    • ePO 5.3.3 and later:

      CD C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore


      "c:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias SOME_UNIQUE_NAME -file CA_CERTIFICATE -keystore cacerts.p12 -storetype pkcs12

      Where 'SOME_UNIQUE_NAME' is the alias name used to identify the imported certificate in the keystore. 'CA_CERTIFICATE' is the local path to the CA certificate that is used to sign the certificate configured on the SQL Server.

      Example: "c:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias MySQLServerCertificate -file sqlserver.cer -keystore cacerts.p12 -storetype pkcs12

      NOTES:
      • The keystore password is changeit.
      • The above example command assumes that sqlserver.cer is placed in the current working directory, C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore. Always name the keystore file that already exists there (cacerts.p12 for this version): if the -keystore argument names a file that does not exist, keytool silently creates a new, unused keystore and the database connection keeps failing.
         
    • ePO 5.3.2 and earlier:

      CD c:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\lib\security

      "c:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias SOME_UNIQUE_NAME -file CA_CERTIFICATE -keystore cacerts

       
  2. Import the CA certificate into the Windows certificate store, Trusted Root Certificate Authority.

    NOTE: This step is required to enforce certificate validation between the local Agent Handler and the SQL database.
     
  3. Click Apply.
  4. Restart the ePO services:
     
    1. Click Start, Run, type services.msc, and click OK.
    2. Right-click the following services and select Restart:

      McAfee ePolicy Orchestrator x.x.x Application Server
      McAfee ePolicy Orchestrator x.x.x Server
      McAfee ePolicy Orchestrator x.x.x Event Parser

       
  5. Log on to the ePO console, navigate to https://<ePO_server_name>:port/core/config, and test the database connection.

    The database test is successful.
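
The following script is an added example, not part of this article: a read-only check to run after any ePO update or hotfix. It reports whether the CA that signed the SQL Server certificate is still present in the Java trust store for this ePO version and in the Windows Trusted Root store, so you know whether the re-import in (A) is needed before the database connection starts failing. $CaCerFile and the version switch are assumptions; the paths and keystore password are the ones this article lists.

```powershell
# Added example, not part of the KB article. $CaCerFile and $EpoVersion are assumptions.
param(
    [Parameter(Mandatory)][ValidateSet('5.10', '5.3.3+', '5.3.2-')][string]$EpoVersion,
    [string]$CaCerFile = 'C:\PKI\epo\issuing-ca.cer'   # CA that signed the SQL Server certificate
)
$EpoRoot = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator'
$Keytool = "$EpoRoot\JRE\bin\keytool.exe"
switch ($EpoVersion) {
    '5.10'   { $Store = "$EpoRoot\JRE\lib\security\cacerts";    $StoreType = 'jks'    }
    '5.3.3+' { $Store = "$EpoRoot\Server\keystore\cacerts.p12"; $StoreType = 'pkcs12' }
    '5.3.2-' { $Store = "$EpoRoot\JRE\lib\security\cacerts";    $StoreType = 'jks'    }
}

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaCerFile
# keytool prints fingerprints as colon-separated hex; .NET gives the SHA-1 thumbprint without colons.
$fingerprint = $ca.Thumbprint -replace '(..)(?!$)', '$1:'
$problems = @()

# 1. Java trust store (the JDBC path). Search every entry for the CA's SHA-1 fingerprint rather
#    than for an alias, because the alias is whatever was typed at import time.
$listing = & $Keytool -list -v -keystore $Store -storetype $StoreType -storepass 'changeit' 2>&1
if ($LASTEXITCODE -ne 0) {
    $problems += "Cannot read $Store (exit $LASTEXITCODE): $($listing -join ' ')"
} elseif (-not ($listing | Where-Object { $_ -match [regex]::Escape("SHA1: $fingerprint") })) {
    $problems += "$($ca.Subject) is not in $Store (did the update replace the JRE?); re-import it with keytool"
}

# 2. Windows Trusted Root store (the local Agent Handler path).
if (-not (Test-Path "Cert:\LocalMachine\Root\$($ca.Thumbprint)")) {
    $problems += "$($ca.Subject) is not in Cert:\LocalMachine\Root; re-import it"
}

# 3. A CA that is about to expire fails validation just like a missing one.
if ($ca.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "$($ca.Subject) expires on $($ca.NotAfter); plan the rollover"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
"OK: $($ca.Subject) is trusted in $Store and in Cert:\LocalMachine\Root"
exit 0
```

A non-zero exit code makes the check usable from a scheduled task or a post-update checklist; it changes nothing, so it is safe to run on a production ePO server at any time.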

(B) Import the CA certificates into the Java trust store on rollup server - only required if rollup reporting is configured:
  1. Import the CA certificate used to sign the certificate issued to the rollup ePO SQL database into the default Java trust store. To complete this step, navigate to the following directory and use the keytool to import the certificate and trust the certificate:
    • ePO 5.3.3 and later:

      CD C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore

      "c:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias SOME_UNIQUE_NAME -file CA_CERTIFICATE -keystore cacerts.p12 -storetype pkcs12


      Where 'SOME_UNIQUE_NAME' is the alias name used to identify the imported certificate in the keystore. 'CA_CERTIFICATE' is the local path to the CA certificate that is used to sign the certificate configured on the SQL Server.

      NOTE: The keystore password is changeit.
       
    • ePO 5.3.2 and earlier:

      CD c:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\lib\security

      "c:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias SOME_UNIQUE_NAME -file CA_CERTIFICATE -keystore cacerts

       
  2. Restart the ePO services:
    1. Click Start, Run, type services.msc, and click OK.
    2. Right-click the following services and select Restart:

      McAfee ePolicy Orchestrator x.x.x Application Server
      McAfee ePolicy Orchestrator x.x.x Server
      McAfee ePolicy Orchestrator x.x.x Event Parser

       
  3. After a successful restart of all ePO services, log on to the ePO console, edit the ePO Registered Server configured above, and test the connection.

    The database connection is successful.