Unable to upgrade/install Threat Intelligence Exchange 4.x in a multi-ePO environment
Last Modified: 2023-06-08 07:26:54 Etc/GMT
Technical Articles ID:
KB96447
Environment
Threat Intelligence Exchange (TIE) Server 4.x
Summary
When you attempt to install or upgrade to TIE 4.x, it might fail to provision certificates on newly added devices.
Problem
We're investigating an issue that presents itself in multi-ePolicy Orchestrator (multi-ePO) environments with bridged Data Exchange Layer (DXL) fabrics connecting multiple ePO servers. In this state, customers might encounter issues with generating certificates for newly installed or upgraded TIE 4.x servers. This issue can present itself during the initial onboarding of servers, resulting in systems being stuck during the "Waiting for TIE server handshake" portion of the startup wizard.
Customers with this issue might notice the following file is 0 bytes in size:
The following error might also be present in
java.security.KeyStoreException: Key protection algorithm not found: java.security.KeyStoreException: Certificate chain is not valid
System Change
This issue appears to be limited to installations of TIE 4.x and multi-ePO environments where DXL has been used to bridge the different ePO installations together.
Cause
We're investigating the root cause of this issue.
Solution
We recommend that customers with the ePO and DXL configuration described above upgrade to TIE Server 4.x Hotfix 3 (4.0.0.573).
NOTE: Customers who attempted to add servers on the prior builds, where those servers never stood up correctly, will need to redeploy those servers on the newer 4.0.0.573 image to add them to the existing installation.
Workaround
This issue seems to present itself when more than one TIE server CA is available in ePO. This occurs as a result of synchronizing CAs across DXL with another ePO server. You can temporarily remedy this issue by breaking the DXL bridge between the ePO servers and regenerating the TIE server CA on the ePO that's managing the devices you need to issue certificates to. This CA regeneration is covered in KB87743 - How to regenerate Threat Intelligence Exchange Server Certificates and Certificate Authority (CA).
With the DXL bridge in a non-functional state, generating TIE server certificates should work as expected. Make sure that all TIE servers have pulled down new certificates before you restore the DXL bridge.