How to reconfigure the Threat Intelligence Exchange Server after ePolicy Orchestrator 5.9 or 5.10 certificate migration (SHA-1 to SHA-2)
Technical Articles ID: KB88491
Last Modified: 2023-12-29 07:35:33 Etc/GMT
Environment
Threat Intelligence Exchange (TIE) Server 4.x, 3.x, 2.x
Summary
This article guides you through the process needed to reconfigure the TIE Server after you complete the certificate regeneration process in ePolicy Orchestrator (ePO) 5.9.
This certificate reconfiguration resolves errors such as the following:
- The TIE dashboards display the message "This monitor can’t be displayed due to an unrecoverable error."
- The TIE Reputations page displays the message "An unexpected error occurred."
- The DXL connectivity status of a TIE server system shows as "Not connected."
Prerequisites
Before you begin the process described in this article, ensure the following:
- There's full connectivity in the DXL fabric:
  - On the Data Exchange Layer Fabric page, click Refresh. All brokers must be listed in green.
  - Click Menu, Server Settings, DXL Topology. Verify that the status of any hubs and bridges between DXL fabrics is Connected.
  - Verify that the DXL Client for ePO Connection Status shows as Connected in Server Settings.
  For troubleshooting DXL Broker upgrades or installation, see the DXL product documentation for your version.
- You've installed the TIE Server management extension package for your current TIE Server version.
  The package is a .zip file called TIEServerMgmt*_Build_*_Package_*(ENU-LICENSED-RELEASE-Main).zip, where * corresponds to your TIE Server version.
  If you need the extension package file again, download it from the Product Downloads site. After the download, check in the file to the Main Repository in ePO.
Reconfiguration Process
Perform the following steps on each ePO Server that manages the TIE Servers:
- Back up your TIE Server Policies:
  - In the ePO console, select Menu, Policy Catalog, and select Trellix Threat Intelligence Exchange Server Management.
  - Download the XML policies file. Click Export next to Product Policies.
- Back up your TIE Server settings:
  - In the ePO console, select Menu, Server Settings, Threat Intelligence Exchange Server.
  - Click Edit.
  - Make a note of your VirusTotal Public/Private key and enabled file types.
- Remove the TIE Server management extension:
  - In the ePO console, select Menu, Extensions, McAfee TIE Server.
  - Click Remove.
  - Click OK and confirm removal.
- Install the TIE Server management extension:
  - In the ePO console, select Menu, Extensions.
  - Click Install Extension.
  - Choose the TIEServerMgmt .zip file that corresponds to your installed version of TIE Server.
  - Click OK and complete the installation.
- Restore your TIE Server policies:
  - In the ePO console, select Menu, Policy Catalog.
  - Click Import.
  - Choose the XML policies file that you generated previously.
  - Click OK and confirm the import and override.
  - Edit the TIE Server policies assignment as needed.
- Restore your TIE Server settings:
  - In the ePO console, select Menu, Server Settings, Threat Intelligence Exchange Server.
  - Click Edit.
  - Enter your VirusTotal Public/Private key and enabled file types.
- Select Menu, Server Tasks, and run the following tasks:
  - Manage DXL Broker
  - Send DXL State Event
  - Apply TIESERVER Tags to TIE Servers
  - TIE Server Synchronize CA
  - TIE Server Synchronize Topology
After you make sure that the previous steps have been completed on each ePO Server, perform the following steps on each TIE Server appliance:
- Log on to each TIE Server appliance using SSH and run the following command:
    su
  You're prompted to type the root password.
- Back up and delete the pre-existing keystore folder from the appliance:
  IMPORTANT: If you have an ATD certificate, it's not regenerated. You must back up the ATD certificate and reuse it. For more information, see KB87692 - How to configure certificate validation between Threat Intelligence Exchange and Advanced Threat Defense/Intelligent Sandbox Servers.
  After you back up the keystore folder and ATD certificate, use the following command to delete the pre-existing keystore manually:
  If you're using TIE 4.0.x version:
    rm -v /var/Trellix/tieserver/keystore/*
  If you're using TIE 3.0.x version and earlier:
    rm -v /var/McAfee/tieserver/keystore/*
  The paths of the files that are removed from the keystore directory are displayed.
- Run the following commands in sequence:
    reconfig-ca
    reconfig-cert
  The execution is successful when the "INFO Finished reconfig-cert execution" message displays.
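
One way to take and verify the keystore backup before running the rm -v step, as an added example that is not part of the original article or any vendor tooling. It assumes tar, sha256sum, find and mktemp are available on the appliance; the function name backup_keystore and the destination /root/keystore-backup are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code). Assumes tar, sha256sum, find and mktemp
# are available on the appliance. Run as root, before the KB's "rm -v" step.

# backup_keystore <keystore_dir> <backup_dir>
# Prints the archive path on success; non-zero status on any failure.
# The body runs in a subshell ( ... ) so umask and variables do not leak.
backup_keystore() (
    src=$1
    dest=$2
    [ -d "$src" ] || { echo "keystore directory not found: $src" >&2; exit 1; }
    # An empty keystore means there is nothing to restore from later.
    [ -n "$(find "$src" -type f | head -n 1)" ] ||
        { echo "no files in $src" >&2; exit 1; }

    umask 077                              # key material: owner-only access
    mkdir -p "$dest" || exit 1
    dest=$(cd "$dest" && pwd) || exit 1    # absolute path for later checks
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/keystore-$stamp.tar.gz"
    sums="$dest/keystore-$stamp.sha256"

    # One checksum per file, paths relative to the keystore directory.
    (cd "$src" && find . -type f -exec sha256sum {} + | sort -k 2) > "$sums" ||
        exit 1
    # Everything in the folder is archived. If the ATD certificate is kept
    # here it is captured too; the article states it is not regenerated.
    tar -C "$src" -czf "$archive" . || exit 1

    # Verify by extracting to a scratch directory and re-checking each hash.
    scratch=$(mktemp -d) || exit 1
    if tar -C "$scratch" -xzf "$archive" &&
       (cd "$scratch" && sha256sum -c "$sums" >/dev/null 2>&1); then
        rc=0
    else
        rc=1
    fi
    rm -rf "$scratch"
    [ "$rc" -eq 0 ] || { echo "backup verification failed: $archive" >&2; exit 1; }
    echo "$archive"
)

# Usage on a TIE 4.0.x appliance (destination directory is a placeholder):
#   backup_keystore /var/Trellix/tieserver/keystore /root/keystore-backup
```

Delete the keystore contents only after the function prints an archive path and returns zero; copy the archive and its .sha256 file off the appliance if the backup must survive a rebuild.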