Migrating Mcafee EPO Server

 

Environment

McAfee ePolicy Orchestrator 4.6
McAfee ePolicy Orchestrator 4.5

For details of all supported operating systems, see KB51109.

Summary

How do I migrate ePO 4.5 or ePO 4.6 from a 32-bit system to a 64-bit system?

Solution

IMPORTANT:

• This procedure is intended for use by network and ePolicy Orchestrator (ePO) administrators only. McAfee does not assume responsibility for any damage incurred because they are intended as guidelines for disaster recovery. All liability for use of the following information remains with the user.
• The procedure is for use with ePO 4.5 and ePO 4.6 servers only.
• This procedure will not work if you rename the ePO server.

NOTES:

• The Agent uses either the last known IP address, DNS name, or NetBIOS name of the ePO server. If you change any one of these, ensure that the Agents have a way to locate the server. The easiest way to do this would be to retain the existing DNS record and change it to point to the new IP address of the ePO server. After the Agent is able to successfully connect to the ePO server, it downloads an updated SiteList.xml with the current information.
• The procedure can also be used by customers who want to migrate the ePO 4.5 or ePO 4.6 server to another system.

Before backing upStop the ePO 4.5 or 4.6 services:

1. Click Start, Run, type services.msc and click OK.
2. Right-click each of the following services and select Stop:
   
   McAfee ePolicy Orchestrator 4.x.0 Application Server
   McAfee ePolicy Orchestrator 4.x.0 Event Parser
   McAfee ePolicy Orchestrator 4.x.0 Server
   
   - Where 4.x.0 is the applicable version of ePO that you are running in the environment. (Example: McAfee ePolicy Orchestrator 4.5.0 Application Server)

Backing up the databaseUse one of the following methods to back up the SQL database (normally named ePO4_<ServerName>, where the <ServerName> is your ePO 4.5 server name):

See either of the following KnowledgeBase articles:

• KB59562 - How to back up the ePO database using OSQL commands
• KB52126 - How to back up and restore the ePO database using Enterprise Manager/ Management Studio

Backing up the file systemYou must back up the following folder structures to a location that will be accessible from the new 64-bit system. For example, a network share. The default installation path is used, and your installation might differ. Ensure that all files and subfolders are backed up.

C:\Program Files\McAfee\ePolicy Orchestrator\SERVER
All installed extensions and configuration information for the ePO Application Server are located here.

C:\Program Files\McAfee\ePolicy Orchestrator\DB\SOFTWARE
All products that have been checked into the Master Repository are located here.

C:\Program Files\McAfee\ePolicy Orchestrator\DB\KEYSTORE
The Agent, Server, and Repository Keys that are unique to your installation are located here.

C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONF
The server configuration settings for Apache, the SSL certificates needed to authorize the server to handle agent requests, and console certificates are located here.

NOTE: Failure to back up all of these directory structures will make it impossible to move your ePO installation to the new 64-bit system and will require a clean start, including the redeployment of agents to all client computers.

Installation on 64-bit system

1. Because the new 64-bit system will have the same name as the existing 32-bit system and you will be using the same SQL server for the new database, delete or rename the existing ePO database on the SQL server.
2. Enable 8.3 naming convention so ePO can be installed:
   
   
   1. Click Start, Run, type regedit and click OK.
   2. Navigate to:
      
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
       
   3. Change the NtfsDisable8dot3NameCreation value to 0.
   4. Restart the server.
       
3. Install ePO 4.5 or ePO 4.6 on the 64-bit computer. Ensure that you install the same patch level as the existing ePO installation.
   
   NOTE: You can verify the ePO 4.5 or ePO 4.6 patch level by looking at the Version field in the backed up Server.ini file (C:\Program Files\McAfee\ePolicy Orchestrator\DB\) and cross referencing it with article KB59938 - Version information for the ePolicy Orchestrator server. During the installation, ensure that you specify the same server ports as the current ePO installation.
    
4. If your previous installation included Policy Auditor 5.x or MNAC 3.x, install the same version of Policy Auditor or MNAC (including any hotfixes).
5. After installation is complete, stop and disable all ePO 4.5.0 / ePO 4.6.0 services:
   
   
   1. Click Start, Run, type services.msc and click OK.
   2. Right-click each of the following services and select Stop:
      
      McAfee ePolicy Orchestrator 4.x.0 Application Server
      McAfee ePolicy Orchestrator 4.x.0 Event Parser
      McAfee ePolicy Orchestrator 4.x.0 Server
      
      - Where 4.x.0 is the applicable version of ePO that you are running in the environment. (Example: McAfee ePolicy Orchestrator 4.5.0 Application Server)
       
   3. Double-click each of these services and change the Startup type to Disabled.
       
6. Restore the database.
   NOTE: If you are restoring the database to a different SQL server, ensure that the account being used to access SQL in the existing ePO installation also exists and has the same rights on the new SQL server. (For example, if you are using the sa account to access SQL for the existing installation, ensure that the sa account is enabled and has the same password in the new installation.)
   
   You have to update the restored DB.PROPERTIES file in C:\Program Files (x86)\McAfee\ePolicy Orchestrator\server\conf\Orion with the new information before starting the server. This will be covered later.
    
7. Delete the following folders, replacing them with the corresponding folders that were backed up earlier:
   
   C:\Program Files (x86)\McAfee\ePolicy Orchestrator\SERVER\
   C:\Program Files (x86)\McAfee\ePolicy Orchestrator\APACHE2\CONF
   C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\SOFTWARE\
   C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\KEYSTORE\
    
8. Navigate to C:\Program Files (x86)\McAfee\ePolicy Orchestrator\SERVER\conf\catalina\localhost and edit all the XML files in a text editor to reflect the 64-bit path where they are now located:
   C:\Program Files (x86)\McAfee\ePolicy Orchestrator\SERVER\conf\catalina\localhost 
   For example, change the contents of webapp.xml as follows:
   
   From:
   <Context docBase="C:/Program Files/McAfee/ePolicy Orchestrator/Server/extensions/installed/rs/2.0.1/webapp"
   privileged="true" antiResourceLocking="false" antiJARLocking="false"></Context>
   
   To:<Context docBase="C:/Program Files (x86)/McAfee/ePolicy Orchestrator/Server/extensions/installed/rs/2.0.1/webapp"
   privileged="true" antiResourceLocking="false" antiJARLocking="false"></Context>
   
   NOTE: If there is a file called deployer.xml present, do not edit it. This is in a different format to the other XML files.
   
   You can do this fairly easily by opening all files but deployer.xml in a multi-tab text editor like notepad++ and doing a replace in all files “Files/” with “Files (x86)/”. Alternatively, you can use the SQL Server Management Studio Replace in Files feature (Edit, Find and Replace, Replace in Files) to achieve similar results. For more details on how to use this feature, refer to SQL Server Books Online.
     
9. Determine the 8.3 notation form of the Program Files (x86) folder:
   
   
   1. Click Start, Run, type cmd and click OK.
   2. To change to the root, type the following command and press ENTER.
      
      CD\
       
   3. To list the directory structure, type the following command and press ENTER.
      
      dir /x
      
      Choose the PROGRA~ that refers to the Program Files (x86) folder. The most common form is PROGRA~2.
       
10. Open each of the following .conf files in a text editor (Notepad) and do the following:
    
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\APACHE2\conf\httpd.confC:\Program Files (x86)\McAfee\ePolicy Orchestrator\APACHE2\conf\ssl.conf 
    
    1. Locate all lines with the old 32-bit path, replacing all of these to reflect the 64-bit path that was determined in Step 8.
       
       For example, change the following:
       
       From: ServerRoot “C:/PROGRA~1/McAfee/EPOLIC~1/”
       
       To:
       ServerRoot “C:/PROGRA~2/McAfee/EPOLIC~1/”
        
    2. Click Edit, Replace.
    3. Enter the "old path" (32-bit) in the Find what field.
    4. Enter the "new path" (64-bit) in the Replace with field.
    5. Click Replace All.
       NOTE: There will be multiple places in this file where this path will be modified.
        
    6. Save the changes.
       
        
11. If MNAC 3.x is installed:
    
    
    1. Click Start, Run, type explorer and click OK.
    2. Navigate to: C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\Extensions\Installed\NAC\x.x.x.xxx\conf\nacserver.properties. 
    3. Modify the path for servlet.cert.keyStoreLocation as follows:
       
       From:  C:/PROGRA~1/McAfee/EPOLIC~1/server/extensions/installed/NAC/3.2.1.148/keystore/nacsub.keystore
       To: C:/PROGRA~2/McAfee/EPOLIC~1/server/extensions/installed/NAC/3.2.1.148/keystore/nacsub.keystore
          
12. Edit C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\bin\setenv.bat and change the paths on the lines starting with:
    
    set JAVA_OPTS=
    set JRE_HOME=
     
13. Edit C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\bin\setenv.sh (if present) and change the paths on the lines starting with:
    
    export CATALINA_HOME=
    export JAVA_OPTS=
    export JRE_HOME=
     
14. Edit C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf\epo\epo.properties and change the paths on the lines starting with:
    
    epo.install.dir
    epo.db.dir
     
15. Edit C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf\orion\log-config.xml and change the paths on the lines starting with < param name="File".
    
    NOTE: There are two places where this line exists – under the “Standard log file” and “Rolling log file” sections.
     
16. Edit C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf\orion\orion.properties and change the paths on the lines starting with:
    
    extension.install.dir
    extension.tmp.dir
     
17. Edit C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Installer\ePO\install.properties and change the paths on the lines starting with:
    
    apache.install.dir
    apache2.install.dir
    epo.install.dir
    epo.db.dir
    epo.db.dir2
    catalina.home
     
18. Edit C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Installer\Core\install.properties and change the paths on the lines starting with:
    
    orion.home
    orion.jre.home
     
19. If you restored the database to a different SQL server, edit C:\Program Files (x86)\McAfee\ePolicy Orchestrator\server\conf\Orion\db.properties and update the following entries with the correct information:
    
    db.database.name
    db.instance.name
    db.port
    db.user.name
    db.server.name
     
20. Enable all ePO 4.5.0 / ePO 4.6.0 services:
    
    
    1. Click Start, Run, type services.msc and click OK.
    2. Double-click each of the following services and change Startup type to Automatic:
       
       McAfee ePolicy Orchestrator 4.x.0 Application Server
       McAfee ePolicy Orchestrator 4.x.0 Event Parser
       McAfee ePolicy Orchestrator 4.x.0 Server
       
       - Where 4.x.0 is the applicable version of ePO that you are running in the environment. (Example: McAfee ePolicy Orchestrator 4.5.0 Application Server.)
        
21. Start the McAfee ePolicy Orchestrator 4.5.0 / 4.6.0  Application Server service.
    
    NOTE: This has to be started for the following process to work.
     
    1. Click Start, Run, type cmd and click OK.
    2. Change directories to your ePO installation Path (this would now be: C:\Program Files (x86)\McAfee\ePolicy Orchestrator\).
    3. In the ePO Directory, run the following command:
       
       IMPORTANT: This command will fail if User Account Control (UAC) is enabled on this server. If this is a Windows Server 2008 or later, disable this feature. You can find more information about UAC at:
       http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx.
       
       Rundll32.exe ahsetup.dll RunDllGenCerts <eposervername> <console HTTPS port> <admin username> <password> <"installdir\Apache2\conf\ssl.crt">
       
       where:
       <eposervername> is your ePO server's NetBios Name
       <console HTTPS port> is your ePO Console Port (default is 8443)
       <admin username> is admin (use the default ePO admin account)
       <password> is the password to the ePO Admin console account
       <installdir\Apache2\conf\ssl.crt> is your installation path to the Apache folder (this would now be: C:\Program Files (x86)\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT)
       
       Example:
       Rundll32.exe ahsetup.dll RunDllGenCerts eposervername 8443 administrator password "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"
       NOTE: The RunDllGenCerts switch in this command is case-sensitive. The ahsetup.log (found in the <installdir\Apache2\conf\ssl.crt>) provides information about whether the command succeeded or failed. It will state if it used the files located in the ssl.crt folder.
        
22. Start the following services:
    
    McAfee ePolicy Orchestrator 4.x.0 Event Parser
    McAfee ePolicy Orchestrator 4.x.0 Server
    
    - Where 4.x.0 is the applicable version of ePO that you are running in the environment. (Example: McAfee ePolicy Orchestrator 4.5.0 Application Server)
    
    NOTE: Look in the DB\logs\server.log to ensure that the Agent Handler (Apache server) started correctly. It should state something similar to the following:
    
    20090923173647 I #4108 NAIMSRV ePolicy Orchestrator server started.
    If it does not, there was an error similar to the following:
    
    20090923173319 E #4736 NAIMSRV Failed to get server key information.
     
23. Finally, restart the three ePO services again.