KeyStores with multiple certificates are not supported

Technical Articles ID: KB94586
Last Modified: 6/8/2021

Environment

McAfee ePolicy Orchestrator (ePO) 5.x
McAfee Management for Optimized Virtual Environments (MOVE)
McAfee Security Virtual Appliance (SVA)
McAfee MOVE AntiVirus Multi-Platform (MOVE AV Multi-Platform) 4.x

Problem

The SVA-manager is not registering with ePO and displays the following errors in SVAmanager.log:
Path: /opt/McAfee/movesvamanager/logs/

[Thread-47] INFO SSLConfigurationServiceImpl - successfully added cert to trust store
[Thread-47] INFO ServerServiceImpl - Creation of keystore and truststore files successfully
[Thread-47] INFO BrokerPolicyServiceImpl - created keystore and truststore
[Thread-47] INFO BrokerPolicyServiceImpl - stopping end point server to apply changes for client port change
[Thread-47] INFO BrokerPolicyServiceImpl - registered connector for SVA Manager-endpoint communication at port : 8080
[Thread-47] INFO BrokerPolicyServiceImpl - stopping oss server to apply changes for oss port change
[Thread-47] INFO BrokerPolicyServiceImpl - registered connector for SVA Manager-oss communication at port : 8443
[Thread-47] DEBUG CommandUtilities - Trying to open client port:8080 svm port:8443
[Thread-47] INFO BrokerConfig - Prop:cmd_to_open_firewall_port value:/opt/McAfee/movesvamanager/firewall_port_ch.sh
[Thread-47] DEBUG CommandUtilities - Executing cmd:/etc/init.d/sva-firewall stop
[Thread-47] DEBUG CommandUtilities - Command stream output:Stopping IP Firewall...done.
[Thread-47] DEBUG CommandUtilities - Command executed
[Thread-47] DEBUG CommandUtilities - Executing cmd:/opt/McAfee/movesvamanager/firewall_port_ch.sh 8443 8080
[Thread-47] DEBUG CommandUtilities - Command stream output:0
[Thread-47] DEBUG CommandUtilities - Command error stream output:sed: -e expression #1, char 6: unterminated `s' command
[Thread-47] DEBUG CommandUtilities - Command executed
[Thread-47] DEBUG CommandUtilities - Executing cmd:/etc/init.d/sva-firewall start
[Thread-47] DEBUG CommandUtilities - Command stream output:Starting IP Firewall...done.
[Thread-47] DEBUG CommandUtilities - Command executed
[Thread-47] DEBUG CommandUtilities - Changing firewall ports is done
[Thread-47] INFO BrokerPolicyServiceImpl - starting OSS and endpoint servers
[Thread-47] ERROR BrokerPolicyServiceImpl - Exception while applying SVA Manager server settings

java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory
(Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1277)
at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1259)

Cause

The remnant entries of MOVE 3.6.x in the database with old certificates cause the MOVE 4.9.x SVA-manager to fail to sync with ePO. To determine if these entires are sent from ePO, you need to validate the entries in svaManagerPolicy.xml file. This file is available in /opt/McAfee/movesvamanager/etc/svaManagerPolicy.xml.

If the XML file contains the following strings, it confirms that the old MOVE 3.6 entries are being sent from ePO.

<Setting name="brokerCert36"
<Setting name="brokerPrivateKey36"
<Setting name="caCert36"
<Setting name="brokerCert"
<Setting name="brokerPrivateKey"
<Setting name="caCert"

The svaManagerPolicy.xml must contain only the following strings:

<Setting name="brokerCert"
<Setting name="brokerPrivateKey"
<Setting name="caCert"

Also, you must check the ePO DB for old certificate information entries by running the SQL script below.

Log on to SQL Server Management Studio.
Right-click the McAfee ePO database and select New Query.
Copy and paste the SQL script shown below and click Execute to get the results.

Select * from EPOPolicySettingValuesMT where SettingName in ('brokercert36', 'brokerprivatekey36', 'cacert36')

The following screenshot shows an example output of the previous command, listing the certificate information.

To verify if the old entries with the Cert information shown are as similar to the image

To verify if the old entries with the Cert information shown are as similar to the image

Solution

To remove the remnants of MOVE 3.6 extensions from the ePO DB or ePO Console:

Back up the ePO DB. For more information, see KB52126 - How to back up and restore the ePolicy Orchestrator database using SQL Server Management Studio.
Remove the old MOVE 3.6 entries from the database by running the below query script against the ePO DB:

delete from eposoftware where productcode in
('MOVEBRKR3500',
'MOVEOSS_2600',
'MOVEVOFF2600',
'MVAGNTLS3000')
and ProductVersion = '3.6.1'

update EPOPolicySettingValuesMT set SettingValue = '' where SettingName in ('brokercert36', 'brokerprivatekey36', 'cacert36')

Restart the ePO Application Server services:
1. Press Windows+R. Type services.msc, click OK.
2. Right-click the following services and select Restart:

McAfee ePolicy Orchestrator x.x.x Application Server

McAfee ePolicy Orchestrator x.x.x Server

McAfee ePolicy Orchestrator x.x.x Event Parser

Wake up Agent on the SVA-Manager:
1. From ePO console, select Menu > Systems > System Tree.
2. Select the target group from the System Tree and click the Group Details tab.
3. Click Actions > Wake Up Agents.
After wakeup completes, reboot the SVM Manager system with the command reboot.

Affected Products

MOVE Antivirus Multi-platform
MOVE Antivirus Multi-platform 4.9.x
MOVE Antivirus Multi-platform 4.8.x

Languages:

This article is available in the following languages:

English United States
Spanish Spain
French
Italian
Portuguese Brasileiro

Knowledge Center

KeyStores with multiple certificates are not supported

Environment

Problem

Cause

Solution

Affected Products

Languages:

Title

Title

Knowledge Center

KeyStores with multiple certificates are not supported

Environment

Problem

Cause

Solution

Affected Products

Languages:

Choose your region

Title

Title