WARNING: Client raised fatal(2) internal_error(80) alert: Failed to read record
Technical Articles ID: KB91304
Last Modified: 2023-07-27 11:04:20 Etc/GMT
Environment
ePolicy Orchestrator (ePO) 5.10.0
Problem
The installation fails when you try any of the following ePO 5.10 actions:
- Install
- Upgrade
- Restore an ePO 5.10 environment from a disaster recovery snapshot
The installation rolls back during the "Running core component installer" stage of the process.
The Core-install.log (clean install), Core-upgrade.log (upgrade), or Core-Restore.log (disaster recovery) records the following messages several times throughout the log:
org.bouncycastle.jsse.provider.ProvTlsClient notifyAlertRaised
[test-db] WARNING: Client raised fatal(2) internal_error(80) alert: Failed to read record
[test-db] java.io.IOException
Cause
ePO 5.10 can use one of three cipher suites to establish a TLS connection to the SQL Server:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
An issue with the ePO installer means that it might not correctly present the TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 cipher suite.
The installation fails if the TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA cipher suites are disabled on the SQL Server. The installation fails even if TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is enabled on the SQL Server.
Solution
Enable one of the following cipher suites on the SQL Server. Ideally, enable both of the following:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Restart the SQL Server and apply the change. Then, install ePO again.
The cipher suites are needed for the day-to-day operation of ePO, not just for installation. Don't disable them after the installation is complete.
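The following check is an added example, not vendor code: it compares the cipher suites enabled on the SQL Server host against the three suites named under Cause and reports whether the host is in the failing configuration. It assumes the SQL Server runs on Windows Server 2016 or later, where the TLS module's Get-TlsCipherSuite cmdlet is available; the function name Test-EpoSqlCipherSuites is hypothetical.

```powershell
# Added example (not vendor code). Run in PowerShell on the SQL Server host.
# Assumption: Get-TlsCipherSuite is available (Windows Server 2016 or later).
function Test-EpoSqlCipherSuites {        # hypothetical helper name
    param(
        # Enabled suite names; defaults to the live Schannel configuration.
        [string[]] $Enabled = (Get-TlsCipherSuite).Name
    )
    $sha256 = 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
    $needed = 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA'
    $missing = @($needed | Where-Object { $Enabled -notcontains $_ })

    $verdict = switch ($missing.Count) {
        0       { 'Both suites the article asks for are enabled' }
        1       { "One suite is enabled; the article recommends also enabling $($missing[0])" }
        default {
            if ($Enabled -contains $sha256) {
                'Matches this article: only the SHA256 suite is enabled, so the installation fails'
            } else {
                'None of the three ePO cipher suites is enabled'
            }
        }
    }
    [pscustomobject]@{
        Sha256Enabled = ($Enabled -contains $sha256)
        Missing       = $missing
        Verdict       = $verdict
    }
}

# Constructed input that reproduces the failing configuration described under Cause:
Test-EpoSqlCipherSuites -Enabled 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'

# Live check on the SQL Server host:
# Test-EpoSqlCipherSuites
```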
Workaround 1
Use the procedure in this section in the following scenarios:
- If TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is enabled, but it's not possible to enable the following cipher suites on the SQL Server:
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- For any of the conditions listed below:
  - Fresh installation of ePO 5.10
  - Upgrade of a previous installation of ePO to ePO 5.10
  - Restoring ePO 5.10 from a disaster recovery snapshot, where ePO 5.10 Update 7 or later had been applied
NOTE: If you restore ePO from a disaster recovery snapshot that had Update 6 or earlier applied, use the alternative "Workaround 2."
Procedure:
- Start the ePO 5.10 installation. Run setup.exe with the following case-sensitive switch:
Setup.exe PAUSEAFTERFILECOPY=1
- Continue with the installation. After the installer has copied the files to the install directory, it pauses and displays the following message:
File copying completed. Press OK to continue with installation.
IMPORTANT: Do not click OK at this point.
- Open the following file in a text editor:
<ePO_installation_folder>\Installer\Core\server\conf\orion\epo.java.security
- Locate the line that starts with the following:
jtds.enabledCipherSuites=
- Remove the quotation marks from the beginning and end of the list of cipher suites.
The completed line reads as follows (a single line with no spaces or line breaks):
jtds.enabledCipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
NOTE: For the formatting of this article, line breaks have been included in the string above.
- Save the file.
- To continue the installation, click OK on the pause message.
The installation completes successfully.
Workaround 2
Use the procedure in this section in the following scenarios:
- If TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is enabled, but it's not possible to enable the following cipher suites on the SQL Server:
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- You want to restore ePO from a disaster recovery snapshot that has ePO 5.10 Update 6 or earlier applied.
Procedure:
- Start the ePO 5.10 installation. Run setup.exe with the following case-sensitive switches:
Setup.exe PAUSEAFTERFILECOPY=1 DEBUGOUTPUT=1
- Continue with the installation. After the installer has copied the files to the install directory, it pauses and displays the following message:
File copying completed. Press OK to continue with installation.
IMPORTANT: Do not click OK at this point.
- Open the file epo.java.security in a text editor (notepad.exe):
<ePO_installation_folder>\Installer\Core\server\conf\orion\epo.java.security
- Locate the line that starts with the following:
jtds.enabledCipherSuites=
- Remove the quotation marks from the beginning and end of the list of cipher suites.
The completed line reads as follows (a single line with no spaces or line breaks):
jtds.enabledCipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
NOTE: For the formatting of this article, line breaks have been included in the above string.
- Save the file.
- To continue the installation, click OK on the pause message.
- When you see the following message, click OK to continue:
About to run MFS restore script
- When you see the following message, do not click OK:
About to start Tomcat (MCAFEETOMCATSRV5100) service
- Open the file epo.java.security in a text editor:
<ePO_installation_folder>\server\conf\orion\epo.java.security
- As before, locate the line that starts with jtds.enabledCipherSuites=. Remove the quotation marks from the beginning and end of the list of cipher suites.
- Save the file.
- When you see the following message, click OK:
About to start Tomcat (MCAFEETOMCATSRV5100) service
- You might see a message that contains the following string. When you do, wait for two minutes and then click OK.
CustomAction: MerMod_StartCurrentServices
NOTE: You might see the same message again; if so, wait for another two minutes and then click OK.
The installation completes successfully.
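The quotation-mark edit that Workaround 1 and Workaround 2 both describe can be scripted as follows. This is an added example, not vendor code: it strips the surrounding quotation marks from the jtds.enabledCipherSuites= line, refuses to write if the result contains anything other than bare suite names, and keeps a .bak copy of the file. The function name Repair-JtdsCipherLine, the -ReportOnly switch and the .bak suffix are assumptions made for this example.

```powershell
# Added example (not vendor code). Run while the installer is paused, before clicking OK.
function Repair-JtdsCipherLine {          # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Path,   # full path to epo.java.security
        [switch] $ReportOnly                     # inspect the line without writing
    )
    $Path  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $key   = 'jtds.enabledCipherSuites='
    $enc   = [System.Text.Encoding]::GetEncoding('ISO-8859-1')
    $lines = [System.IO.File]::ReadAllLines($Path, $enc)

    $index = @()
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i].StartsWith($key)) { $index += $i }
    }
    if ($index.Count -ne 1) { throw "Expected one '$key' line, found $($index.Count)." }

    $value  = $lines[$index[0]].Substring($key.Length)
    $fixed  = $value.Trim().Trim('"')
    $suites = $fixed -split ','
    # The finished value must be bare suite names: no quotes, spaces or line breaks.
    $bad = @($suites | Where-Object { $_ -cnotmatch '^TLS_[A-Z0-9_]+$' })
    if ($bad.Count) { throw "Unexpected entries, edit by hand: $($bad -join ' | ')" }

    $changed = $fixed -cne $value
    if ($changed -and -not $ReportOnly) {
        Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force   # keep the original
        $lines[$index[0]] = $key + $fixed
        [System.IO.File]::WriteAllLines($Path, $lines, $enc)
    }
    [pscustomobject]@{
        Path        = $Path
        WasQuoted   = $value.Trim().StartsWith('"')
        SuiteCount  = $suites.Count
        NeedsChange = $changed
        Written     = ($changed -and -not $ReportOnly)
    }
}

# Workaround 1, and the first edit in Workaround 2 (placeholder folder as written in the article):
# Repair-JtdsCipherLine -Path '<ePO_installation_folder>\Installer\Core\server\conf\orion\epo.java.security'
# Second edit in Workaround 2, before the Tomcat service starts:
# Repair-JtdsCipherLine -Path '<ePO_installation_folder>\server\conf\orion\epo.java.security'
```

Running it first with -ReportOnly shows whether the line is still quoted without touching the file.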