Agent-server communication fails after migration of Agent Handler certificates from SHA-1 to SHA-2
Technical Articles ID:   KB90182
Last Modified:  3/28/2019

Environment

McAfee ePolicy Orchestrator (ePO) 5.9.1

Problem

The ePO Agent Handler certificate is not regenerated when activating the new certificate during the certificate migration process described in KB87017. Because of this failure, the Agent Handler shuts down and agents cannot communicate with the ePO server.

Server.log records the following errors:
 
E #00344 MCUPLOAD SecureHttp.cpp(694): Failed to send HTTP request to server <servername> for command name epo.command.isAgentHandlerCertValidCmd on port 8444. (error=12175)
E #00344 MCUPLOAD SecureHttp.cpp(883): Failed to process the secure communication request (error=12175)
E #00344 NAIMSERV servinit.cpp(633): The agent handler certificate check failed. This means that there is a discrepancy between the certificates stored 20171204160517 E #00344 NAIMSERV in the server keystore and the certificate used by this agent handler. This will cause communication failures with
E #00344 NAIMSERV any agents connecting to this agent handler, shutting down the Agent Handler.
I #00344 NAIMSERV Shutting down server...
.
.
20171204155758 I #04768 AHSETUP Using existing certificate files found in C:/Program Files (x86)/McAfee/ePolicy Orchestrator/Apache2\conf\ssl.crt\

The orion log might contain an error similar to the following:
 
services.EPOAgentHandlerCertService  - Failed to verify ahCert by caAhCert
java.security.SignatureException: Certificate verify failed!
 

System Change

You upgraded to ePO 5.9.1, and then followed the certificate migration process described in KB87017.

Cause

The Agent Handler is expected to regenerate its certificate during the migration process described in KB87017. The issue occurs when the Agent Handler instead reuses its existing certificate, so the certificate it presents no longer matches the one stored in the server keystore and agent-server communication fails.

Solution

This issue is resolved in ePO 5.10, which is available from the Product Downloads site at: http://mcafee.com/us/downloads/downloads.aspx

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.

Updates are cumulative; Technical Support recommends that you install the latest one.

Solution

Apply ePO 5.9.1 Hotfix 1226775r (repost). Hotfix 1226775r prevents the issue from occurring.

IMPORTANT:
  • The hotfix only prevents the issue; it does not resolve the issue if it has already occurred. If you already have the issue described in this article, continue to the Workaround section below.
  • The hotfix also does not help if you have already started the migration process. You either have to cancel the migration, or on completion of the migration, follow the steps in the Workaround section below.

McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.

Workaround

IMPORTANT: This workaround is intended for use only in cases where the issue described in this article has already occurred. Any solution included in a future product release that prevents the issue from occurring does not address the issue if it has already occurred.

To address the issue after it has occurred, manually regenerate the Agent Handler certificate on the ePO server and all Remote Agent Handlers:
  1. Press the Windows Key+R and type services.msc.
  2. Right-click the McAfee ePolicy Orchestrator Server service and click Stop.
  3. Rename the SSL.CRT folder (at the path below) to SSL.CRT.OLD:

    Default ePO path: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
    Default Agent Handler path: "C:\Program Files (x86)\McAfee\Agent Handler\Apache2\conf\ssl.crt"
     
  4. Create a folder named SSL.CRT in the same path.
  5. Click Start, type cmd in the search field, right-click Command Prompt, and click Run as administrator.
  6. Change directories to your ePO installation directory:

    Default ePO path: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\"
    Default Agent Handler path: "C:\Program Files (x86)\McAfee\Agent Handler\"
     
  7. Run the following command:
     
    Rundll32.exe ahsetup.dll RunDllGenCerts <ePO_server_name> <console_HTTPS_port> <admin_username> <password> <"installdir\Apache2\conf\ssl.crt">
     
    Where:
     
    <ePO_server_name> is your ePO server NetBIOS name or IP address

    NOTE: For Cluster ePO setups, use the Cluster/Virtual NetBIOS name in place of 'ePO_server_name' while generating the Agent Handler Certificate. Using a Node (Primary or Secondary) NetBIOS name causes an agent wake-up call to fail if the other Node (whose NetBIOS name is not used to generate the Agent Handler Certificate) is active.

    <console_HTTPS_port> is your ePO console port (default is 8443)
    <admin_username> is admin (use the default ePO admin console account)
    <password> is the password to the ePO admin console account
    <installdir\Apache2\conf\ssl.crt> is your installation path to the Apache folder

    Default installation paths:
     
    ePO path: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
    Agent Handler path: "C:\Program Files (x86)\McAfee\Agent Handler\Apache2\conf\ssl.crt"
     
    Example:
    Rundll32.exe ahsetup.dll RunDllGenCerts <ePO_server_name> 8443 administrator password "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
     
    IMPORTANT:
    • The referenced command fails if you have enabled User Account Control (UAC) on this server. If the server runs Windows Server 2008 or later, disable UAC.

      You can find more information about UAC at: http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx.
       
    • This command is case sensitive. The ahsetup.log (found in <installdir\Apache2\conf\ssl.crt>) provides information about whether the command succeeded or failed, and states whether it used the files located in the ssl.crt folder.
       
  8. Start the McAfee ePolicy Orchestrator Server service.
  9. Open DB/logs/server.log and verify the Agent Handler (Apache server) started correctly. A message similar to the following is recorded:

    ePolicy Orchestrator server started

If the issue persists, collect the following data before you contact Technical Support:
  • A MER result from the ePO server (PD22739)
  • A copy of <installdir>\Apache2\conf\ssl.crt\ahsetup.log
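The following Python script is an added example, not part of this KB article or of the ePO product. It scans server.log, ahsetup.log or orion log lines for the error signatures quoted in the Problem section and for the "server started" message that step 9 of the Workaround expects, and reports whether the handler reused its old ssl.crt files (the Cause above). The sample lines are constructed from the article's excerpts; the hostname EPOSRV01 is a placeholder.

```python
import re

# Log signatures quoted in this article (Problem section and Workaround
# step 9). Each regex marks one condition in server.log / ahsetup.log / orion.
SIGNATURES = {
    "http_error_12175": re.compile(r"\(error=12175\)"),
    "cert_check_failed": re.compile(r"agent handler certificate check failed", re.I),
    "handler_shutdown": re.compile(r"shutting down the Agent Handler|Shutting down server"),
    "existing_cert_reused": re.compile(r"AHSETUP Using existing certificate files found in"),
    "orion_verify_failed": re.compile(r"Failed to verify ahCert by caAhCert|Certificate verify failed"),
    "server_started": re.compile(r"ePolicy Orchestrator server started"),
}

def scan_log(lines):
    """Return {signature_name: [1-based line numbers that matched]}."""
    hits = {name: [] for name in SIGNATURES}
    for lineno, line in enumerate(lines, start=1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits[name].append(lineno)
    return hits

def assess(hits):
    """Map the hits onto the article's cause and fix."""
    mismatch = hits["cert_check_failed"] or hits["orion_verify_failed"]
    if mismatch and hits["existing_cert_reused"]:
        return "MISMATCH_REUSED_CERT"  # ahsetup kept the old ssl.crt files: apply the Workaround
    if mismatch:
        return "MISMATCH"              # cert/keystore discrepancy; inspect ahsetup.log
    if hits["server_started"] and not hits["handler_shutdown"]:
        return "OK"                    # what step 9 expects after regeneration
    return "INCONCLUSIVE"

# Constructed sample lines based on the excerpts in this article (EPOSRV01 is a placeholder).
SAMPLE_BROKEN = [
    "E #00344 MCUPLOAD SecureHttp.cpp(694): Failed to send HTTP request to server EPOSRV01 for command name epo.command.isAgentHandlerCertValidCmd on port 8444. (error=12175)",
    "E #00344 MCUPLOAD SecureHttp.cpp(883): Failed to process the secure communication request (error=12175)",
    "E #00344 NAIMSERV servinit.cpp(633): The agent handler certificate check failed. This means that there is a discrepancy between the certificates stored",
    "E #00344 NAIMSERV any agents connecting to this agent handler, shutting down the Agent Handler.",
    "I #00344 NAIMSERV Shutting down server...",
    "20171204155758 I #04768 AHSETUP Using existing certificate files found in C:/Program Files (x86)/McAfee/ePolicy Orchestrator/Apache2\\conf\\ssl.crt\\",
]
SAMPLE_HEALTHY = [
    "I #00344 NAIMSERV ePolicy Orchestrator server started",
]

if __name__ == "__main__":
    for label, sample in (("broken", SAMPLE_BROKEN), ("healthy", SAMPLE_HEALTHY)):
        print(label, assess(scan_log(sample)))
```

Feed the script the real log files line by line (for example with `open(path).read().splitlines()`) to get the same verdicts on a live server.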
