Unable to upgrade/install Threat Intelligence Exchange 4.x in a multi-ePO environment
Technical Articles ID:
KB96447
Last Modified: 2023-04-11 14:04:50 Etc/GMT
Environment
Threat Intelligence Exchange (TIE) Server 4.x
Summary
When you attempt to install or upgrade to TIE 4.x, it might fail to provision certificates on newly added devices.
Problem
We are investigating an issue that presents itself in multi-ePO environments with bridged DXL fabrics connecting multiple ePO servers. In this state, customers might encounter issues with generating certificates for newly installed or upgraded TIE 4.x servers. This issue can present itself during initial onboarding of servers, which results in systems being stuck during the "Waiting for TIE server handshake" portion of the startup wizard.
Customers with this issue might notice the following file is 0 bytes in size:
The following error might also be present in /var/Trellix/tieserver/logs/tieserver.log:
java.security.KeyStoreException: Key protection algorithm not found: java.security.KeyStoreException: Certificate chain is not valid
System Change
This issue appears to be limited to installations of TIE 4.x and multi-ePO environments where DXL has been used to bridge the different ePO installations together.
Cause
We are investigating the root cause of this issue.
Solution
We recommend that customers with the ePO and DXL configuration described above not migrate to TIE 4.x until this issue is resolved.
Workaround
This issue seems to present itself when more than one TIE server CA is available in ePO. This occurs as a result of synchronizing CAs across DXL with another ePO server.
You can temporarily remedy this issue by breaking the DXL bridge between the ePO servers and regenerating the TIE server CA on the ePO that is managing the devices you need to issue certificates to. This CA regeneration is covered in KB87743 - How to regenerate Threat Intelligence Exchange Server Certificates and Certificate Authority (CA).
With the DXL bridge in a non-functional state, generating TIE server certificates should work as expected. Ensure all TIE servers have pulled down new certificates before you restore the DXL bridge.
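The two symptoms listed under Problem can be checked with a small script run on the TIE server. This is an added example, not Trellix code: the function names and output labels are hypothetical, the sample log layout is constructed, and because the article does not name the 0-byte file, its path must be supplied as the second argument.

```shell
#!/bin/sh
# Added example (not Trellix code): check a TIE server for the two symptoms
# described in this article. The article does not name the 0-byte file, so
# its path is an argument the caller must supply (assumption).
SIG='KeyStoreException: Certificate chain is not valid'

# tie_cert_triage LOGFILE [FILE_TO_SIZE_CHECK]
# Prints one line per finding. Returns 0 = clean, 1 = symptom found,
# 2 = inputs could not be checked.
tie_cert_triage() {
    log=${1:-}
    cert_file=${2:-}
    found=0

    if [ -z "$log" ] || [ ! -r "$log" ]; then
        echo "ERROR: cannot read log file: $log" >&2
        return 2
    fi
    if [ -n "$cert_file" ] && [ ! -f "$cert_file" ]; then
        echo "ERROR: not a regular file: $cert_file" >&2
        return 2
    fi

    # grep -c exits 1 when nothing matches; guard it for callers using set -e.
    hits=$(grep -c -F -- "$SIG" "$log" || true)
    if [ "$hits" -gt 0 ]; then
        echo "LOG_ERROR count=$hits"
        found=1
    fi

    # -s is true only for files larger than 0 bytes.
    if [ -n "$cert_file" ] && [ ! -s "$cert_file" ]; then
        echo "FILE_EMPTY $cert_file"
        found=1
    fi

    [ "$found" -eq 0 ] && echo "CLEAN"
    return "$found"
}

# Constructed sample log: timestamps and layout are invented for the demo;
# only the exception text is taken from the article.
write_sample_log() {
    cat > "$1" <<'EOF'
2023-04-11 14:00:01 INFO  constructed line: service starting
2023-04-11 14:00:05 ERROR java.security.KeyStoreException: Key protection algorithm not found: java.security.KeyStoreException: Certificate chain is not valid
EOF
}

if [ "$#" -gt 0 ]; then tie_cert_triage "$@"; fi
```

A return code of 1 means at least one of the article's symptoms is present on that server; 0 means neither was found in the inputs given.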