Installation or upgrade to ePolicy Orchestrator fails when using SSL connection for SQL Server

Technical Articles ID: KB87731
Last Modified: 2023-06-28 04:34:47 Etc/GMT

Environment

ePolicy Orchestrator (ePO) 5.10.x, 5.9.x
Skyhigh Web Gateway (SWG) 7.x

Problem 1

A fresh install or upgrade of ePO that connects to SQL over an SSL connection fails.

An error similar to the following is recorded in core-install.log or core-upgrade.log:

BUILD FAILED
The following error occurred while executing this line:
java.sql.SQLException: Network error IOException: Error creating premaster secret.

The exact wording of the error message might differ depending on the type of certificate used.

Also, the following pop-up error might display:

Setup is unable to connect to the SQL Server "<IP of SQL server>" over a secure connection.

Problem 2

After an ePO upgrade, some registered servers that use SSL certificates are no longer able to connect. For example, if you have a registered LDAP server that uses an SSL connection, that connection might fail.

Cause

ePO ships with the updated RSA BSAFE libraries needed to address published security vulnerabilities. These updated libraries have increased security requirements and reject certain SSL connections for one of two reasons. The reasons are either because of the server certificate used by the SQL Server or other remote server, or the cipher suite chosen by the server during the SSL handshake:

Often, the Windows operating system is not up to date with the latest service packs and hotfixes.
The server certificate has a public key size that's not considered secure by the RSA BSAFE libraries.

Solution 1

Manually reorder the cipher suites on the SQL Server with a Windows Group Policy. For detailed steps, see this Microsoft document.

For the cipher suite list priority order, follow the order list found in the following Microsoft article in the New default priority order for these versions of Windows section.

Solution 2

Install or update the certificate used by the SQL Server or other registered server. For more information about how to use a secured connection to the SQL Server, see KB84628 - Configurations for ePolicy Orchestrator certificate validation issue for secure database connection.

NOTE: Other registered server types might also be affected if they use SSL.

Example:
You have a registered LDAP server and you use the secure connection. The connection fails if the certificate provided by the LDAP server uses an RSA 1024-bit public key.
The solution in this scenario is to update the certificate on the LDAP server to not use a 1024-bit RSA public key.

Solution 3

ePO 5.10.0 and later
ePO has migrated away from the RSABSAFE library in favor of Bouncy Castle. This issue is far less likely to occur in the Bouncy Castle library. But, it can occur if the cipher suite on the SQL Server is severely restricted.

The epo.java.security file, located in <ePOInstallDir>\Server\Conf\Orion, defines the list of ciphers that ePO can consume when acting as a client. In this scenario, ePO is the client and Microsoft SQL is the server.

Below is the list of ciphers present in the epo.java.security file in the base install package of ePO 5.10.0:

jtds.enabledCipherSuites="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"

NOTE: An upgrade is successful as long as the cipher suite on your SQL Server contains a minimum of one of the above ciphers, regardless of the order.

Related Information

This issue might also affect the SWG appliance and requires a certificate update. The Bypass ePO Requests ruleset contains the SSL Scanner default root.

If you encounter this issue, Technical Support recommends that you replace the RSA server key size and hash algorithm:

Verify the setting (Default C or your own setting name) used in the event Enable SSL Client Context with CA in the rule Skip Subsequent Rules for ePO Requests.
Change the RSA server key size from 1024 bit to 2048 bit.
Change the Digest (hashing algorithm) from SHA-1 to SHA256.
Click Save Changes.

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

Installation or upgrade to ePolicy Orchestrator fails when using SSL connection for SQL Server

Environment

Problem 1

Problem 2

Cause

Solution 1

Solution 2

Solution 3

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

Installation or upgrade to ePolicy Orchestrator fails when using SSL connection for SQL Server

Environment

Problem 1

Problem 2

Cause

Solution 1

Solution 2

Solution 3

Related Information

Affected Products

Languages:

Choose your region

Title

Title