ePolicy Orchestrator server backup and disaster recovery procedure
Technical Articles ID: KB66616
Last Modified: 3/31/2021
Environment
McAfee ePolicy Orchestrator (ePO) 5.x
Summary
This article provides information about the backup and disaster recovery process for the ePO server.
IMPORTANT:
This procedure is provided for use by network and ePO administrators. McAfee does not assume responsibility for any damage incurred because the article is intended as a guideline for disaster recovery. All liability for use of the following information remains with the user.
It is preferable to use the built-in Disaster Recovery feature. Only use this article if a snapshot was not created, and a manual recovery is needed.
For information about the Disaster Recovery feature, see the Restoring McAfee ePO section of the ePolicy Orchestrator 5.10 Installation Guide.
You must follow the instructions in the stated article below, if you are either:
Migrating from a 32-bit to a 64-bit operating system
Or
The agent uses either the last known IP address, DNS name, or NetBIOS name of the ePO server. If you change any one of these values, make sure that the agents have a way to locate the server. The easiest way is to retain the existing DNS record and point it to the new IP address of the ePO server. After the agent successfully connects to the ePO server, it downloads an updated Sitelist.xml with the current information.
You can also use this procedure if you want to migrate the ePO server to another system. But, it is preferable to use the built-in Disaster Recovery feature to migrate the ePO server to another system.
Reimport the certificate if you imported a certificate to the Java certificate store after following the process in KB84628. Complete this task after you do one of the following:
Complete an upgrade
Take a snapshot recovery
Implement a disaster recovery
Preparation
Make sure that you restore the same version of ePO Server and Update.
For a smooth recovery, do not perform a backup while the server is in the process of installing an extension.
Before backing up
Shut down the ePO Application Server service (Tomcat) when you perform the backup. If you can't, make sure that no one is performing the following actions during the backup:
Installing, uninstalling, or upgrading an extension
Updating the ePO database configuration
To back up the ePO server
Use the document below to back up the SQL database (normally named ePO_<ServerName>, where <ServerName> is your ePO server name):
IMPORTANT: In ePO 5.10 and later, threat event information has been split into its own database, so you must back up both databases. Carry out the backup process on both the main database (default name ePO_ePO_server_name) and the events database (default name ePO_ePO_server_name_Events).
You must also back up the following folder paths:
NOTE: The default 64-bit installation paths are listed below. But, your installation might differ. For example, the default 32-bit installation path is C:\Program Files\McAfee\ePolicy Orchestrator.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\extensions
The default path to ePO software extension information.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf
The default path to needed files used by the ePO software extensions.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore
These keys are for ePO agent-server communication and the repositories.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Software
Products that have been checked in to the Master Repository are located here.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Keystore
The agent-server communication and Repository Keys that are unique to your installation are located here. Failing to restore this folder results in all client systems being unable to communicate with the server, and you have to redeploy the agent to all systems. Also, you must check in all deployable packages again.
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf
The following are located here:
The server configuration settings for Apache
SSL certificates needed to authorize the server to handle agent requests
Console certificates
NOTE: Failure to back up and restore these directory structures requires a reinstallation of ePO to create new ones. It might also require a clean database installation and redeployment of agents to all client systems.
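The folder backup above can be scripted so that every copied file is verified. The following PowerShell is an added example, not McAfee code: it assumes the default 64-bit installation path listed in this article and a hypothetical destination D:\ePO_Backup, and it does not back up the SQL databases.

```powershell
# Added example: copy the ePO folders named in this article and write a SHA-256 manifest.
# Assumptions: default 64-bit install path; $BackupRoot is a hypothetical destination.
param(
    [string]$EpoRoot    = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator',
    [string]$BackupRoot = 'D:\ePO_Backup'
)
$ErrorActionPreference = 'Stop'

# Folders the article says must be backed up, relative to the install path.
$folders = 'Server\extensions', 'Server\conf', 'Server\keystore',
           'DB\Software', 'DB\Keystore', 'Apache2\conf'

# The article asks for the Application Server (Tomcat) service to be shut down during the backup.
$tomcat = Get-Service -DisplayName 'McAfee ePolicy Orchestrator Application Server'
if ($tomcat.Status -ne 'Stopped') {
    throw "Application Server service is $($tomcat.Status); stop it before backing up."
}

# A timestamped destination guarantees the target folders do not exist yet.
$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
$manifest = foreach ($rel in $folders) {
    $src = Join-Path $EpoRoot $rel
    if (-not (Test-Path -LiteralPath $src -PathType Container)) {
        throw "Missing folder: $src"
    }
    $target = Join-Path $dest $rel
    New-Item -ItemType Directory -Path (Split-Path $target -Parent) -Force | Out-Null
    Copy-Item -LiteralPath $src -Destination $target -Recurse -Force

    # Hash every source file and its copy; any missing or altered copy aborts the run.
    foreach ($file in Get-ChildItem -LiteralPath $src -Recurse -File -Force) {
        $relFile = $file.FullName.Substring($EpoRoot.Length).TrimStart('\')
        $srcHash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -LiteralPath (Join-Path $dest $relFile) -Algorithm SHA256).Hash
        if ($srcHash -ne $dstHash) { throw "Copy mismatch: $relFile" }
        [pscustomobject]@{ Path = $relFile; SHA256 = $srcHash; Length = $file.Length }
    }
}

# The manifest lets the restore side confirm the files before they are put back.
$manifest | Export-Csv -LiteralPath (Join-Path $dest 'manifest.csv') -NoTypeInformation
Write-Output "Backed up $($manifest.Count) files to $dest"
```

The copy contains the agent-server communication and repository keys, so restrict access to the destination as tightly as the ePO server itself.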
If restoring ePO to the same system, uninstall ePO. Make sure that there is no ePolicy Orchestrator folder in the original installation path after the software is uninstalled.
NOTE: Renaming the existing ePO folder and leaving the old directory in place might interfere with the new installation. So, we recommend that you remove the old directory completely.
Reinstall ePO to the same version and update level as the server you are restoring.
NOTE: You can verify the ePO update level. Look at the Version field in the backed-up Server.ini file (C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\). Then cross-reference it with the details in KB51569 - Supported platforms for ePolicy Orchestrator.
Apply any additional updates, hotfixes, or POCs to ePO that were previously applied. If you previously installed Policy Auditor 6.2 for use with ePO, install the same version of Policy Auditor. This step includes any hotfix releases that were installed before.
IMPORTANT:
In an ePO 5.10 environment that has had a Cumulative Update applied, make sure that you apply the same update version to the newly installed ePO server. If this action is not done, the ePO Application Server service is unable to start.
If you are restoring an ePO 5.10 Update 10 environment, log on to the ePO console and upgrade the following extensions:
McAfee Agent (MA): Upgrade to MA 5.7.2 or later. This action also removes the Product Improvement Program extension.
Endpoint Upgrade Assistant (EUA): Upgrade to EUA 2.9.0.17 or later.
Then apply the CU10 update.
Stop and disable all ePO services:
Click Start, Run, type services.msc, and click OK.
Right-click each of the following services and select Stop:
McAfee ePolicy Orchestrator Application Server
McAfee ePolicy Orchestrator Event Parser
McAfee ePolicy Orchestrator Server
Double-click each of the following services and change Startup type to Disabled:
McAfee ePolicy Orchestrator Application Server
McAfee ePolicy Orchestrator Event Parser
McAfee ePolicy Orchestrator Server
Restore the database. For help, see KB52126 - How to back up and restore the ePolicy Orchestrator database using SQL Server Management Studio.
NOTE: Restore the database so that you do not require the ePO database configuration to be updated. For example, same name, host, and port. Otherwise, you must update the restored DB.PROPERTIES file in C:\Program Files\McAfee\ePolicy Orchestrator\Server\conf\orion with the new information before you start the server.
IMPORTANT: In ePO 5.10 and later, threat event information has been split into its own database, so you must restore both databases. Carry out the restore process on both the main database and the events database.
Rename the following folders. For example, rename the extensions folder to extensions_old. Then replace them with the corresponding folders that were backed up earlier in step 2:
Start only the McAfee ePolicy Orchestrator Application Server service.
Access the core/config page of ePO and confirm the DB credentials if you are unable to access the ePO console. See KB69850 for detailed instructions on how to access the core/config page and update the DB credentials if needed.
IMPORTANT: If you are restoring an ePO 5.10 environment, select the option Change password, and confirm the password for the account used to access SQL, even though it has not changed.
Verify that the password is accepted by using the Test Connection option. Assuming the connection is successful, click Apply to save the password, and restart the ePO application server service. This step is needed to create a new password hash based on the new ePO server's unique key.
Attempt to log on to the ePO console. If you are unable to log on, review all steps performed in this article and make sure that they have been properly completed. If you can't resolve the console logon issue, contact Technical Support for further assistance before you continue.
If you are a registered user, type your User Id and Password, and then click Log In.
If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.
NOTE: You must successfully log on for the rest of the recovery steps to work.
Rename the SSL.CRT folder (see path below) to SSL.CRT.OLD and manually create an empty folder named SSL.CRT in the same path. If you do not, the setup fails to create a new certificate:
Where:
ePO_server_name - Your ePO server NetBIOS name
Console_HTTPS_port - Your ePO console port (default is 8443)
Admin_username - Administrator (use the default ePO administrator console account)
Password - The password to the ePO administrator console account
Installdir\Apache2\conf\ssl.crt - Your installation path to the Apache folder (Make sure that you enclose this path in double quotes); Default installation path:
This command fails if you have enabled User Account Control (UAC) on this server. If the server is running Windows Server 2008 or later, disable this feature. You can find more information about UAC at: http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx.
This command is case sensitive. The ahsetup.log provides information about whether the command succeeded or failed. It also states whether it used the files located in the ssl.crt folder. NOTE: The ahsetup.log is located in ePO_install_directory\Apache2\conf\ssl.crt.
Start the following services:
McAfee ePolicy Orchestrator Event Parser
McAfee ePolicy Orchestrator Server
Look in the DB/logs/server.log, and make sure that the Agent Handler (Apache server) started correctly. It must state something similar to the following:
I #4108 NAIMSRV ePolicy Orchestrator server started.
If it does not, there is an error similar to the following:
E #4736 NAIMSRV Failed to get server key information
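The final check above can be run as a script. The following PowerShell is an added example, not McAfee code: it reports the state of the three ePO services and classifies server.log by the two messages quoted in this article, assuming that the most recent of the two decides the outcome. The sample lines are constructed from those quoted messages.

```powershell
# Added example: post-restore check of the ePO services and DB\logs\server.log.
function Get-EpoServiceState {
    # Display names as listed in this article.
    $names = 'McAfee ePolicy Orchestrator Application Server',
             'McAfee ePolicy Orchestrator Event Parser',
             'McAfee ePolicy Orchestrator Server'
    foreach ($n in $names) {
        $svc = Get-Service -DisplayName $n -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service = $n
            Status  = if ($svc) { $svc.Status } else { 'NotInstalled' }
        }
    }
}

function Test-EpoServerStart {
    param([Parameter(Mandatory)][string[]]$LogLines)
    # Walk backwards so the most recent start attempt decides the result (assumption).
    for ($i = $LogLines.Count - 1; $i -ge 0; $i--) {
        $line = $LogLines[$i]
        if ($line -match 'NAIMSRV\s+Failed to get server key information') {
            return [pscustomobject]@{ Started = $false; Evidence = $line }
        }
        if ($line -match 'NAIMSRV\s+ePolicy Orchestrator server started') {
            return [pscustomobject]@{ Started = $true; Evidence = $line }
        }
    }
    # Neither message present: treat as not started and say why.
    [pscustomobject]@{ Started = $false; Evidence = 'no start or key-error entry found' }
}

# Constructed sample: an earlier failed attempt followed by a successful start.
$sample = @(
    'E #4736 NAIMSRV Failed to get server key information',
    'I #4108 NAIMSRV ePolicy Orchestrator server started.'
)
Test-EpoServerStart -LogLines $sample

# On the ePO server itself (default 64-bit path assumed):
# Get-EpoServiceState
# $log = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\logs\server.log'
# Test-EpoServerStart -LogLines (Get-Content -LiteralPath $log)
```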