To collect data for Agent Handler to Application server TLS issues, use the section below that matches the issue you see:
Data collection for Agent Handler to Application server TLS issues – SSL.CRT certificates aren’t created
This section covers the issue where no certificates are generated, and any attempt to regenerate the certificates fails.
ePO server actions:
Collect a Wireshark loopback trace:
Set up Wireshark for loopback logging. For details, see KB91433 - How to use Wireshark to capture local loopback traffic for analysis.
Start Wireshark, and select Npcap loopback adapter.
Try to regenerate the Agent Handler certificates. For details, see KB90760 - How to regenerate the certificates used by the ePO server service.
Disable logging, and save the Wireshark trace.
Export the SChannel and cipher suite settings from the registry using a command prompt:
Open a command prompt as an administrator:
Press the Windows key + R.
In the search field, type cmd, and then press Ctrl+Shift+Enter.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
Type the following commands:
reg export HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL c:\rgc\Schannel.txt
reg export HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL c:\rgc\SSL.txt
Close the command window.
NOTE: The export file path is only an example.
Enable nmap logging. For details, see KB91115 - How to use the 'nmap' tool to determine which protocols and cipher suites are in use in an ePO environment.
Obtain nmap scans for the following ports:
Application server service console port. Default setting: 8443.
Application server service client auth port. Default setting: 8444.
ePO Server service port. Default setting: 443.
Run the nmap command for each of the ports above, and save the results to a text file.
Example:
nmap -sV --script ssl-enum-ciphers -p 8443 <ePO_HOSTNAME_OR_IP>
IMPORTANT: Make sure that you disable all logging after collection is completed.
Data collection for Agent Handler (AH) to Application server TLS issues, where the AH fails to connect although the AH certificates are generated in the SSL.CRT folder
This section covers the issue where the AH certificates are available, but Apache fails to contact the Application server service (Tomcat).
ePO server actions:
Collect a Wireshark loopback trace:
Stop the ePO server services.
Press the Windows key + R.
Type services.msc in the field and press Enter.
Right-click each of the following ePO services and select Stop:
McAfee ePolicy Orchestrator #.#.# Application Server
McAfee ePolicy Orchestrator #.#.# Event Parser
McAfee ePolicy Orchestrator #.#.# Server
Leave the services window open.
Set up Wireshark for loopback logging. For details, see KB91433 - How to use Wireshark to capture local loopback traffic for analysis.
Start Wireshark, and select the Npcap loopback adapter.
Start the ePO server services.
Monitor the server log, and wait until you’ve seen a few errors recorded.
Stop and save the Wireshark trace.
Export the SChannel and cipher suite settings from the registry via a command prompt:
Open a command prompt as an administrator:
Press the Windows key + R.
In the search field, type cmd, and press Ctrl+Shift+Enter.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
Type the following commands:
reg export HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL c:\rgc\Schannel.txt
reg export HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL c:\rgc\SSL.txt
Close the command window.
NOTE: The export file path is only an example.
Enable nmap logging. For details, see KB91115 - How to use the 'nmap' tool to determine which protocols and cipher suites are in use in an ePO environment.
Obtain nmap scans for the following ports:
Application server service console port. Default setting: 8443.
Application server service client auth port. Default setting: 8444.
ePO Server service port. Default setting: 443.
Run the nmap command for each of the ports stated above, and save the results to a text file.
Example:
nmap -sV --script ssl-enum-ciphers -p 8443 <ePO_HOSTNAME_OR_IP>
IMPORTANT: Make sure that you disable all logging after collection is completed.
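The registry export and nmap steps are the same in both sections above, so they can be gathered in one pass. The following PowerShell script is an added example, not part of the original article or a vendor tool; it assumes an elevated PowerShell prompt on the ePO server, nmap on the PATH, and the article's example folder c:\rgc. The parameter names and the nmap_<port>.txt file names are chosen for this example.

```powershell
# Added example: collects the registry exports and nmap scans described above.
# Assumptions: elevated prompt, nmap on PATH, default ePO ports.
param(
    [string]$EpoHost = '<ePO_HOSTNAME_OR_IP>',  # placeholder from the article
    [string]$OutDir  = 'C:\rgc',                 # example path from the article
    [int[]]$Ports    = @(8443, 8444, 443)        # console, client auth, server
)

if ($EpoHost -like '<*') { throw 'Pass -EpoHost with the ePO host name or IP.' }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Registry keys (under HKLM) and the export file names used in the article.
$exports = [ordered]@{
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' = 'Schannel.txt'
    'SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL'  = 'SSL.txt'
}
foreach ($subKey in $exports.Keys) {
    $file = Join-Path $OutDir $exports[$subKey]
    # The policy key can be absent when no cipher suite policy is configured.
    # Record that in the output file instead of stopping the collection.
    if (Test-Path "HKLM:\$subKey") {
        reg.exe export "HKLM\$subKey" $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg export failed: $subKey" }
    } else {
        Set-Content -Path $file -Value "Key not present: HKLM\$subKey"
    }
}

# One scan per port, each written to its own text file with -oN.
foreach ($port in $Ports) {
    $report = Join-Path $OutDir "nmap_$port.txt"
    nmap -sV --script ssl-enum-ciphers -p $port -oN $report $EpoHost | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "nmap failed for port $port" }
}

# List what was collected so missing or empty files are easy to spot.
Get-ChildItem $OutDir | Select-Object Name, Length, LastWriteTime
```

If the ePO ports were changed from their defaults, pass them with -Ports. The Wireshark loopback trace is still captured manually as described in each section.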