Installation or upgrade to ePolicy Orchestrator fails when using SSL connection for SQL Server

Technical Articles ID: KB87731
Last Modified: 2022-03-21 20:44:30 Etc/GMT

Environment

McAfee ePolicy Orchestrator (ePO) 5.10.x, 5.9.x
McAfee Web Gateway (MWG) 7.x

Problem 1

A fresh install or upgrade of ePO that connects to SQL over an SSL connection fails.

An error similar to the following is recorded in core-install.log or core-upgrade.log:

BUILD FAILED
The following error occurred while executing this line:
java.sql.SQLException: Network error IOException: Error creating premaster secret.

The exact wording of the error message might differ depending on the type of certificate used.

Also, the following pop-up error might display:

Setup is unable to connect to the SQL Server "<IP of SQL server>" over a secure connection.

Problem 2

After an ePO upgrade, some registered servers that use SSL certificates are no longer able to connect. For example, if you have a registered LDAP server that uses an SSL connection, that connection might fail.

Cause

ePO ships with the updated RSA BSAFE libraries needed to address published security vulnerabilities. These updated libraries have increased security requirements and reject certain SSL connections for one of two reasons: The reasons are either because of the server certificate used by the SQL Server or other remote server, or the cipher suite chosen by the server during the SSL handshake:

Often the Windows operating system is not up to date with the latest service packs and hotfixes.
The server certificate has a public key size that is not considered secure by the RSA BSAFE libraries.

Solution 1

Manually reorder the cipher suites on the SQL Server with a Windows Group Policy. For detailed steps, see: https://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx.

For the cipher suite list priority order, follow the order list found in the following Microsoft article in the "New default priority order for these versions of Windows" section:
https://support.microsoft.com/en-us/help/3161639.

Solution 2

Install or update the certificate used by the SQL Server or other registered server. For more information about how to use a secured connection to the SQL Server, see KB84628.

NOTE: Other registered server types might also be affected if they use SSL.

Example:
You have a registered LDAP server and you use the secure connection. The connection fails if the certificate provided by the LDAP server uses an RSA 1024-bit public key.
The solution in this scenario is to update the certificate on the LDAP server to not use a 1024-bit RSA public key.

Solution 3

ePO 5.10.0 and later
ePO has migrated away from the RSABSAFE library in favor of Bouncy Castle. This issue is far less likely to occur in the Bouncy Castle library. But it can occur if the cipher suite on the SQL Server is severely restricted.

The epo.java.security file, located in <ePOInstallDir>\Server\Conf\Orion, defines the list of ciphers that ePO can consume when acting as a client. In this scenario, ePO is the client and Microsoft SQL is the server.

Below is the list of ciphers present in the epo.java.security file in the base install package of ePO 5.10.0:

jtds.enabledCipherSuites="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"

NOTE: An upgrade is successful as long as the cipher suite on your SQL Server contains a minimum of one of the above ciphers, regardless of the order.

Related Information

This issue might also affect the McAfee Web Gateway appliance and requires a certificate update. The Bypass ePO Requests ruleset contains the SSL Scanner default root.

If you encounter this issue, Technical Support recommends that you replace the RSA server key size and hash algorithm:

Verify the setting (Default CA/your own setting name) used in the event Enable SSL Client Context with CA in the rule Skip Subsequent Rules for ePO Requests.
Change the RSA server key size from 1024 bit to 2048 bit.
Change the Digest (hashing algorithm) from SHA-1 to SHA256.
Click Save Changes.

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

Installation or upgrade to ePolicy Orchestrator fails when using SSL connection for SQL Server

Environment

Problem 1

Problem 2

Cause

Solution 1

Solution 2

Solution 3

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

Installation or upgrade to ePolicy Orchestrator fails when using SSL connection for SQL Server

Environment

Problem 1

Problem 2

Cause

Solution 1

Solution 2

Solution 3

Related Information

Affected Products

Languages:

Choose your region

Title

Title