Configurations for ePolicy Orchestrator certificate validation issue for secure database connection

Technical Articles ID: KB84628
Last Modified: 2023-07-25 10:04:47 Etc/GMT

Environment

ePolicy Orchestrator (ePO) 5.x

Summary

ePO doesn't validate the certificate used for a secure database connection, which can lead to a Man-in-the-Middle type of attack.

Enforcing Certificate Validation
After you upgrade to ePO 5.3.0 or later, there are other steps that an ePO administrator must configure through the user interface. These steps are needed to enforce the certificate validation fixes included in both versions.

Recommended Actions

ePO 5.9.0 and later users must apply the steps in Configurations (A) and (B) in the "Solution" section below.
ePO 5.0.x and 5.1.x users must upgrade to ePO 5.1.2 and apply the steps in Configurations (A), (B), and (C) in the "Solution" section below.

NOTE: ePO 5.0.x and 5.1.x are End of Life (EOL).

Prerequisites
Do one of the following before you perform the procedures in this article:

Option 1: If you don't have a Certificate Authority (CA) certificate and machine-issued CA signed certificate:
1. Set up a Root CA using OpenSSL, certtool.exe, XCA, or a similar tool.
2. Create a Root CA Certificate, create an Intermediate CA, and issue a computer certificate for the SQL Server using the Intermediate CA certificate.
3. Install the system certificate issued by the Intermediate CA certificate on the SQL Server and enable Force Encryption on the SQL Server.
Option 2: If you already have a CA certificate and machine-issued CA-signed certificate:
1. Install the machine-issued CA certificate to the SQL Server.
2. Enable Force Encryption.

NOTES:

Make sure that you've generated a Root CA to perform the steps in this article. To obtain the Root CA, contact your third-party CA or Enterprise CA.
The computer certificate must be issued to a fully qualified domain name that's resolvable on the ePO server. Don't rely on Subject Alternative Names because they don't work for this purpose.

Solution

Click to expand the section you want to view:

Configurations - Enable Enforcement of Certificate Validation

(A) Enforce certificate validation from the ePO server to the database:

Log on to the ePO console.
Go to the Configure Database Settings page: https://<ePO_server_name>:port/core/config
In the "SSL communication with database server" section, select Always use SSL and require a CA-signed server certificate.

NOTE: The selectable text displayed varies based on the version of ePO installed.
Verify the certificate validation by clicking Test Connection. The connection response message displays as "Test failed: Network error IOException: Certificate not verified."

NOTE: Future ePO versions might display this error as "Test failed: Network error IOException: bad_certificate(42)."
Click Apply.
For the connection to be successful, the default Java trust store must trust the certificate configured in the SQL Server. To trust a certificate, that certificate needs to be in the trust store. Import the SQL Server certificate into the Java trust store using the following commands:
- ePO 5.10:
  
  CD c:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\lib\security
  
  "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias SOME_UNIQUE_NAME -file CA_CERTIFICATE -keystore cacerts -storetype jks
  
  'SOME_UNIQUE_NAME' is the alias name used to identify the imported certificate in the keystore. CA_CERTIFICATE is the local path to the CA certificate that's used to sign the certificate configured on the SQL Server.
  
  NOTE: The keystore password is changeit.
  
  Example: "c:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias MySQLServerCertificate -file sqlserver.cer -keystore cacerts
  
  NOTE: The example command above assumes that sqlserver.cer is placed in the current working directory. For example, c:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\lib\security.
- ePO 5.3.3 and later:
  
  CD C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore
  
  "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias SOME_UNIQUE_NAME -file CA_CERTIFICATE -keystore cacerts.p12 -storetype pkcs12
- ePO 5.3.2 and earlier:
  
  CD C:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\lib\security
  
  "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias SOME_UNIQUE_NAME -file CA_CERTIFICATE -keystore cacerts
Import the CA certificate into the Windows certificate store, Trusted Root Certificate Authority. This step is needed to enforce certificate validation between the local Agent Handler and the SQL database.
Click Apply.
Restart the ePO services:
1. Click Start, Run, type services.msc, and click OK.
2. Right-click the following services and select Restart:
  
  McAfee ePolicy Orchestrator x.x.x Application Server
  McAfee ePolicy Orchestrator x.x.x Server
  McAfee ePolicy Orchestrator x.x.x Event Parser
Log on to the ePO console, navigate to https://<ePO_server_name>:port/core/config, and test the database connection.

The database test is successful.

(B) Enforce certificate validation from the Remote Agent Handler to the database:

If the Remote Agent Handler isn't already installed:
1. Import the CA certificate into the Windows certificate store, Trusted Root Certificate Authority of the Agent Handler system.
2. Install the Agent Handler by directing it to the ePO server. The Agent Handler services are installed with the certificate validation option set. The Agent Handler uses the CA certificate in the Windows certificate store to connect to the database and validate the SQL Server certificate.
If the Remote Agent Handler is already installed:
1. Import the CA certificate into the Windows certificate store, Trusted Root Certificate Authority of the Remote Agent Handler system.
2. Edit C:\Program Files (x86)\McAfee\Agent Handler\DB\db.properties and set the db.param.ssl=authenticate.
3. Restart all Agent Handler services.

(C) Enforce certificate validation from the ePO server to the remote SQL Server for rollup reporting communication:

Import the CA certificate used to sign the certificate issued to the rollup ePO SQL database into the default Java trust store. To import, navigate to the following directory and use the keytool to import the certificate and trust the certificate:
- ePO 5.10:
  
  CD C:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\lib\security
  
  "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias SOME_UNIQUE_NAME -file CA_CERTIFICATE -keystore cacerts -storetype jks
  
  'SOME_UNIQUE_NAME' is the alias name used to identify the imported certificate in the keystore. 'CA_CERTIFICATE' is the local path to the CA certificate that is used to sign the certificate configured on the SQL Server.
  
  NOTE: The keystore password is changeit.
- ePO 5.3.3 and later:
  
  CD C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore
  
  "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias SOME_UNIQUE_NAME -file CA_CERTIFICATE -keystore cacerts.p12 -storetype pkcs12
- ePO 5.3.2 and earlier:
  CD C:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\lib\security
  
  "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias SOME_UNIQUE_NAME -file CA_CERTIFICATE -keystore cacerts
Open the Registered Server UI and configure the Registered Server of server type ePO:
1. Click Menu, Configuration, Registered Servers.
2. Select a server type of ePO.
3. Configure all details of the remote ePO database, and for SSL communication with the database server. Select Always use SSL and require a CA-signed server certificate.
4. Click Save.
Restart the ePO services:
1. Click Start, Run, type services.msc, and click OK.
2. Right-click the following services and select Restart:
  
  McAfee ePolicy Orchestrator x.x.x Application Server
  McAfee ePolicy Orchestrator x.x.x Server
  McAfee ePolicy Orchestrator x.x.x Event Parser
3. After a successful restart of all ePO services, log on to the ePO console, edit the above configured ePO Registered Server, and test the connection.
  
  The database connection is successful.

Supplemental - If you've applied an upgrade, update, or hotfix that incremented the version of Java that ePO uses to an existing encrypted SQL connection for ePO.

IMPORTANT: This solution is required only if you have already configured an encrypted SQL connection for ePO. But then applied an upgrade, update, or hotfix which incremented the version of Java that ePO uses.

(A) Import the SQL Server certificate into the Java trust store:

Import the SQL Server certificate into the Java trust store using the following commands:
- ePO 5.3.3 and later:
  
  CD C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore
  
  "c:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias SOME_UNIQUE_NAME -file CA_CERTIFICATE -keystore cacerts.p12 -storetype pkcs12
  
  'SOME_UNIQUE_NAME' is the alias name used to identify the imported certificate in the keystore. 'CA_CERTIFICATE' is the local path to the CA certificate that is used to sign the certificate configured on the SQL Server.
  
  Example: "c:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias MySQLServerCertificate -file sqlserver.cer -keystore cacerts
  
  NOTES:
  - The keystore password is changeit.
  - The example command above assumes that sqlserver.cer is placed in the current working directory. For example, c:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\lib\security.
- ePO 5.3.2 and earlier:
  
  CD c:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\lib\security
  
  "c:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias SOME_UNIQUE_NAME -file CA_CERTIFICATE -keystore cacerts
Import the CA certificate into the Windows certificate store, Trusted Root Certificate Authority.

NOTE: This step is required to enforce certificate validation between the local Agent Handler and the SQL database.
Click Apply.
Restart the ePO services:
1. Click Start, Run, type services.msc, and click OK.
2. Right-click the following services and select Restart:
  
  McAfee ePolicy Orchestrator x.x.x Application Server
  McAfee ePolicy Orchestrator x.x.x Server
  McAfee ePolicy Orchestrator x.x.x Event Parser
Log on to the ePO console, navigate to https://<ePO_server_name>:port/core/config, and test the database connection.

The database test is successful.

(B) Import the CA certificates into the Java trust store on rollup server - only required if rollup reporting is configured:

Import the CA certificate used to sign the certificate issued to the rollup ePO SQL database into the default Java trust store. To complete this step, navigate to the following directory and use the keytool to import the certificate and trust the certificate:
- ePO 5.3.3 and later:
  
  CD C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore
  
  "c:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias SOME_UNIQUE_NAME -file CA_CERTIFICATE -keystore cacerts.p12 -storetype pkcs12
  
  'SOME_UNIQUE_NAME' is the alias name used to identify the imported certificate in the keystore. CA_CERTIFICATE is the local path to the CA certificate that is used to sign the certificate configured on the SQL Server.
  
  NOTE: The keystore password is changeit.
- ePO 5.3.2 and earlier:
  
  CD c:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\lib\security
  
  "c:\Program Files (x86)\McAfee\ePolicy Orchestrator\JRE\bin\keytool.exe" -import -alias SOME_UNIQUE_NAME -file CA_CERTIFICATE -keystore cacerts
Restart the ePO services:
1. Click Start, Run, type services.msc, and click OK.
2. Right-click the following services and select Restart:
  
  McAfee ePolicy Orchestrator x.x.x Application Server
  McAfee ePolicy Orchestrator x.x.x Server
  McAfee ePolicy Orchestrator x.x.x Event Parser
3. After a successful restart of all ePO services, log on to the ePO console, edit the above configured ePO Registered Server, and test the connection.
  
  The database connection is successful.

Related Information

For details about how to create a CA, an Intermediate CA, and a machine-issued certificate, see the X - Certificate and Key management.

For details about how to add certificates to the Trusted Root Certification Authorities store for a local computer, see this Microsoft Support document.

NOTE: This article previously referenced a Security Bulletin (SB10120), which has been unpublished.

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

Configurations for ePolicy Orchestrator certificate validation issue for secure database connection

Environment

Summary

Solution

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

Configurations for ePolicy Orchestrator certificate validation issue for secure database connection

Environment

Summary

Solution

Related Information

Affected Products

Languages:

Choose your region

Title

Title