Installation or upgrade to ePolicy Orchestrator fails when using SSL connection for SQL Server
Technical Articles ID:   KB87731
Last Modified:  6/11/2019

Environment

McAfee ePolicy Orchestrator (ePO) 5.10.x, 5.9.x, 5.3.3
McAfee Web Gateway (MWG) 7.7, 7.6

Problem

A fresh install or upgrade of ePO 5.3.3 or later that connects to SQL over an SSL connection fails with an error similar to the following in the core-install.log or core-upgrade.log:

BUILD FAILED
The following error occurred while executing this line:
java.sql.SQLException: Network error IOException: Error creating premaster secret.

The exact wording of the error message might differ depending on the type of certificate used. 

Also, the following pop-up error might display:

Setup is unable to connect to the SQL Server "<IP of SQL server>" over a secure connection.

Problem

After an upgrade to ePO 5.3.3 or later, some registered servers that use SSL certificates are no longer able to connect. For example, if you have a registered LDAP server that uses an SSL connection, that connection might fail. 

Cause

ePO 5.3.3 and later ship with updated RSA BSAFE libraries that address published security vulnerabilities. These libraries enforce stricter security requirements and reject certain SSL connections for one of two reasons: the server certificate presented by the SQL Server or other remote server, or the cipher suite chosen by the server during the SSL handshake.

This issue is often caused by the Windows operating system not being up to date with the latest service packs and hotfixes. It can also occur when the server certificate uses a public key size that the RSA BSAFE libraries do not consider secure.

Solution

Manually reorder the cipher suites on the SQL Server with a Windows Group Policy. For detailed steps, see:
 

For the cipher suite list priority order, follow the order list found in the section New default priority order for these versions of Windows in the following article:
 

Solution

Install or update the certificate used by the SQL Server or other registered server. For more information about how to use a secured connection to the SQL Server, see KB84628.

NOTE: Other registered server types might also be affected if they use SSL. For example, if you have a registered LDAP server and you use the secure connection, the connection fails if the certificate provided by the LDAP server uses an RSA 1024-bit public key. The solution in this scenario is to update the certificate on the LDAP server to not use a 1024-bit RSA public key. 

Solution

ePO 5.10.0 and later
ePO has migrated away from the RSA BSAFE library in favor of Bouncy Castle. This issue is far less likely to occur with the Bouncy Castle library, but it can still occur if the cipher suite list on the SQL Server is severely restricted.

The epo.java.security file, located in <ePOInstallDir>\Server\Conf\Orion, defines the list of cipher suites that ePO can use when acting as a client. In this scenario, ePO is the client and Microsoft SQL Server is the server.

Below is the list of ciphers present in the epo.java.security file in the base install package of ePO 5.10.0:

jtds.enabledCipherSuites="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"

NOTE: An upgrade is successful as long as the cipher suite list on your SQL Server contains at least one of the above cipher suites, regardless of their order.
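The following pre-flight check is an added example, not McAfee's code: it parses the jtds.enabledCipherSuites value from an epo.java.security excerpt (the cipher list is the 5.10.0 list quoted above; the surrounding lines and both SQL Server cipher orders are constructed) and reports which suites the server could pick, so a missing overlap is found before the install or upgrade is started.

```python
import re

# Excerpt in the shape of <ePOInstallDir>\Server\Conf\Orion\epo.java.security.
# The cipher list is the ePO 5.10.0 list from the article; the comment line is constructed.
EPO_JAVA_SECURITY = """
# jTDS client cipher suites (constructed comment line)
jtds.enabledCipherSuites="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"
"""

# Constructed SQL Server cipher orders, in the form you would read from the
# "SSL Cipher Suite Order" Group Policy setting on the SQL host.
SQL_SERVER_OK = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384",  # older Windows appends the curve
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",         # not in the ePO 5.10.0 list
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
]
SQL_SERVER_RESTRICTED = [  # a severely restricted order: no suite in common with ePO
    "TLS_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

_CURVE_SUFFIX = re.compile(r"_P(256|384|521)$")


def normalise(suite):
    """Strip the _P256/_P384/_P521 curve suffix older Windows policy entries carry."""
    return _CURVE_SUFFIX.sub("", suite.strip())


def parse_client_suites(text):
    """Return the ordered, de-duplicated jtds.enabledCipherSuites list from epo.java.security."""
    m = re.search(r'^\s*jtds\.enabledCipherSuites\s*=\s*"?([^"\r\n]*)"?', text, re.M)
    if not m:
        raise ValueError("jtds.enabledCipherSuites not found in epo.java.security")
    # dict.fromkeys keeps order; the 5.10.0 list names TLS_ECDH_RSA_WITH_AES_128_CBC_SHA twice.
    return list(dict.fromkeys(s.strip() for s in m.group(1).split(",") if s.strip()))


def negotiable_suites(client_suites, server_order):
    """Suites both sides accept, in the server's order (the server picks during the handshake)."""
    allowed = set(client_suites)
    return [normalise(s) for s in server_order if normalise(s) in allowed]


def can_connect(client_suites, server_order):
    """True when the SQL Server order contains at least one suite ePO offers, as the NOTE says."""
    return bool(negotiable_suites(client_suites, server_order))


if __name__ == "__main__":
    client = parse_client_suites(EPO_JAVA_SECURITY)
    for name, order in (("default", SQL_SERVER_OK), ("restricted", SQL_SERVER_RESTRICTED)):
        common = negotiable_suites(client, order)
        print(name, "->", common or "NO COMMON SUITE: install/upgrade over SSL will fail")
```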
