Migration and upgrade of McAfee EPO4.6

Because the company EPO server is using 2003 systems, it is too old and the EPO5.0 start to no longer support the 2003 system. So consider the EPO migration and upgrade, I would like to have been in place directly using the 2012 system, due to the limitations of other applications to give up, but 2008r2 can also directly rise to 2012.

Migration steps:

First, backup

1. Backup files

C:\Program files\mcafee\epolicy Orchestrator\server (\logs, work, cache can be unprepared)

C:\Program Files\mcafee\epolicy Orchestrator\db\software

C:\Program Files\mcafee\epolicy Orchestrator\db\keystore

C:\Program Files\mcafee\epolicy orchestrator\apache2\conf

2. Backup Configuration

Hostname/IP, port configuration, security key (select all backups to automatically generate Keystore.zip), license keys (if any records can be unprepared),

To ensure security, you can also do the following: Policy backup (export XML), task backup (client and server, export XML or), installed software backup (Master repository and distributed repository, export XML or)

3. Backing Up the database

Database configuration Backup (Https://<servername>:8443/core/config,)

Database backup (connect the SQL console with the SA user to fully backup the Epo4_mcafee. You can compress the log files and the database first)

Second, re-install and restore

1. Reinstall or install the target server, update the patch.

2, install EPO4.6, on the windows2008r2 on the installation will be prompted "This installation requires follow the 8.3 naming convention" error, modify the registry, the "Hkey_local_machine\system\currentcontrolset\ Control\filesystem "NtfsDisable8dot3NameCreation" to change the value from 2 to 0, rerun the Setup program. Note that the path remains consistent during installation, and the three component services of EPO are stopped and disabled after installation is complete.

3, restore the database. Detach the original database (or overwrite the restore in the original database), and then restore the backed up database (select the restored database path as needed). After the restore, check that the database configuration is correct.

4. Delete the 4 folders when the backup is installed and restore using the backup file.

5. Start the EPO Application Server service (SSL authentication)

Open cmd and change to the EPO installation path, run the following command: Rundll32.exe ahsetup.dll rundllgencerts eposervername 8443 admin "password" "C:\Program files\ Mcafee\epolicy Orchestrator\apache2\conf\ssl. CRT "

6. Modify EPO three components service to Automatic, and start the service.

Migration Success!

If migrating from a 32-bit system to a 64-bit system, be aware that you also want to modify the installation directory. Please refer to the file for details:

Https://kc.mcafee.com/corporate/index?page=content&id=KB71078&locale=zh_CN&viewlocale=zh_CN

How to migrate EPO 4.5 or EPO 4.6 from a 32-bit system to a 64-bit system (or migrate to a different installation path)

Technical article id:kb71078
Last modified: 2014/02/13

Environment

McAfee EPolicy Orchestrator 4.6
McAfee ePolicy Orchestrator 4.5

Summary

How do I migrate EPO 4.5 or EPO 4.6 from a 32-bit system to a 64-bit system?

Solution Solutions

Important NOTES:

• This program is intended for use by network and EPolicy Orchestrator (EPO) administrators only. McAfee is not responsible for any losses incurred as a result of its use only for disaster recovery guidance. The user shall assume all responsibility for the use of the following information.

• This program is only available for EPO 4.5 and EPO 4.6 servers.

• If you rename the EPO server, this program will not work.

Attention:

• The agent uses the last known IP address, DNS name, or NetBIOS name of the EPO server. If you change any of these, make sure that the agent has a way to locate the server. For this purpose, the simplest approach is to keep the existing DNS records and change them to a new IP address that points to the EPO server. After the agent has successfully connected to the EPO server, an updated version of Sitelist.xmlwith the latest information is downloaded.

• This program can also be used by customers who want to migrate EPO 4.5 or EPO 4.6 servers to other systems.

Before backup
To stop the EPO 4.5 or 4.6 service:

1. Click start , tap run , type services.msc, and then click OK .

2. Right-click each of the following services and select Stop :
   
   McAfee ePolicy Orchestrator 4.x.0 Application Server
   McAfee ePolicy Orchestrator 4.x.0 Event Resolver
   McAfee ePolicy Orchestrator 4.x.0 Server
   
   -where 4.x.0 is the applicable version of EPO running in the environment. ( example:McAfee ePolicy Orchestrator 4.5.0 Application Server)

Backing Up the database
Use one of the following methods to back up the SQL database (typically named Epo4_<servername>, where <ServerName> is your EPO 4.5 server name):

Please refer to any of the following Knowledgebase articles:

• KB59562 -How to back up the EPO database using the OSQL command

• KB52126 -How to back up and restore the EPO database using Enterprise manager/management Studio

Backing up the file system
The following folder structure must be backed up to a location that can be accessed from the new 64-bit system. For example, a network share location. The default installation path will be used and the installation may be different. Make sure that you back up all files and subfolders.

C:\Program Files\mcafee\epolicy Orchestrator\server
All installed extensions and configuration information for the EPO application server are located here.

C:\Program Files\mcafee\epolicy Orchestrator\db\software
All products that have been checked into the primary repository are located here.

C:\Program Files\mcafee\epolicy Orchestrator\db\keystore
The only proxy, server, and repository keys are located here in the installation.

C:\Program Files\mcafee\epolicy orchestrator\apache2\conf
Apache's server configuration settings, the SSL certificate that the licensing server requires to process proxy requests, and the console certificate are located here.

Note: If you do not back up all of these directory results, you cannot move the EPO installation to a new 64-bit system and need to start from scratch, including redeploying the agent to all client computers.

Installing on a 64-bit system

2. Because the new 64-bit system has the same name as the existing 32-bit system and will use the same SQL Server for the new database, you need to delete or rename the existing EPO database on the SQL Server.

4. enable the 8.3 naming convention so that epo:  can be installed;
   
   

   1. Click Start , run , type   regedit , and then click OK .

   2. Navigate to:
      
      [hkey_local_machine\system\ Currentcontrolset\control\filesystem]
       

   3.   ntfsdisable8dot3namecreation   value changed to   0 .

   4. restart the server.
       

6. Install EPO 4.5 or EPO 4.6 on a 64-bit computer. Be sure to install the same patch level as your existing EPO installation.
   
   Note: You can verify the EPO 4.5 or EPO 4.6 patch level by backing up the server.ini file (C:\Program files\mcafee\epolicy orchestrator\db\ ) View the version field, and then cross-reference the article KB59938 -EPolicy Orchestrator The release information for the server. During the installation process, make sure that you specify the same server port as the current EPO installation.
   

8. If your previous installation contains policy Auditor 5.x or MNAC 3.x, install the same version of policy Auditor or MNAC (including any hotfixes).

10. 
    

    1. " Span style= "font-size:10px;" Click Start , run , type  , services.msc , and then click OK .

    2. Stop :
       
       McAfee EPolicy Orchestrator 4.x.0 Application Server
       McAfee ePolicy Orchestrator 4.x.0 event resolver
       McAfee ePolicy Orchestrator 4.x.0 server  
       
       -where 4.x.0 is the applicable version of EPO running in the environment. ( example: McAfee ePolicy Orchestrator 4.5.0 application server)
        

    3. Double-click each service and change the startup type to disabled .
        

12. Restore the database.
    Note: If you are restoring a database to a different SQL Server, make sure that the account that is used to access SQL in the existing EPO installation still exists and has the same permissions on the new SQL Server. (For example, if you use the SA account to access SQL for an existing installation, make sure that the SA account is enabled in the new installation and has the same password.) ）
    
    Before you start the server, you must update the restored DB with the new information . PROPERTIES file, which is located in C:\Program files (x86) \mcafee\epolicy orchestrator\server\conf\orion. This is described later in this article.
    

14. Delete the following folders and replace them with the corresponding folders that were previously backed up:
    
    C:\Program Files (x86) \mcafee\epolicy Orchestrator\server\
    C:\Program Files (x86) \mcafee\epolicy orchestrator\apache2\conf
    C:\Program Files (x86) \mcafee\epolicy orchestrator\db\software\
    C:\Program Files (x86) \mcafee\epolicy orchestrator\db\keystore\
    

15. Navigate toC:\Program Files (x86) \mcafee\epolicy Orchestrator\server\conf\catalina\localhost, and then edit all the XML files in the text editor to reflect the 64-bit path they are now in:
    C:\Program Files (x86) \mcafee\epolicy Orchestrator\server\conf\catalina\localhost
    
    For example, change the method as followsWebapp.xmlThe content of:
    
    from:
    <context docbase= "C:/Program files/mcafee/epolicy Orchestrator/server/extensions/installed/rs/2.0.1/webapp"
    Privileged= "true" antiresourcelocking= "false" antijarlocking= "false" ></Context>
    
    instead:
    <context docbase= "C:/Program Files (x86)/mcafee/epolicy ORCHESTRATOR/SERVER/EXTENSIONS/INSTALLED/RS/2.0.1/ WebApp
    Privileged= "true" antiresourcelocking= "false" antijarlocking= "false" ></Context>
    
    Note:If there is a name ofDeployer.xmlfile, please do not edit it. The file has a different format than other XML files.
    
    You can do this very easily by firing all files except Deployer.xml in a multi-label text editor, such as Notepad, and then using files (x86)/replace "files/" in all of them. Alternatively, you can also use the SQL Server Management StudioReplace in filefunctionedit, find and Replace, replace in file) to achieve similar results. For more information about how to use this feature, see SQL Server Books Online.
    

17. Determine the 8.3 notation for the program Files (x86) folder:
    
    

    1. Click start , tap run , type cmd, and then click OK .

    2. To change the root, type the following command, and then press ENTER.
       
       cd\
       

    3. To list the directory structure, type the following command, and then press ENTER.
       
       dir/x
       
       Select the progra~ that references the program files (x86) folder. The most common form is progra~2.
       

18. In a text editor (Notepad), open the following individual . conf files, and then do the following:
    
    C:\Program Files (x86) \mcafee\epolicy orchestrator\apache2\conf\httpd.conf
    C:\Program Files (x86) \mcafee\epolicy orchestrator\apache2\conf\ssl.conf
    
    

    1. find All rows of the 32-bit path, replacing all rows to reflect the 64-bit path that was determined in step 8.
       
       For example, change the following:
       
       from:  
       serverroot "c:/progra~1/mcafee/epolic~1/"
       
       instead:  
       ServerRoot "c:/progra~2/mcafee/epolic~1/"
        

    2. Click Edit , and then select Replace .

    3. Find what field.

    4. Replace with field.

    5. Replace All .
       note: In this file, this path will be modified in multiple locations.
        

    6. Save the changes.
         

20. 
    

    1. Click Start , run , type   Explorer , and then click OK .

    2. Navigate to: C:\Program Files (x86) \mcafee\epolicy Orchestrator\server\extensions\installed\nac\x.x.x.xxx\conf\nacserver.properties .

    3. modify   in the following manner; Servlet.cert.keyStoreLocation   Path:
       
       from: C:/ progra~1 /mcafee/epolic~1/server/extensions/ Installed/nac/3.2.1.148/keystore/nacsub.keystore
       to : c:/ progra~2 /mcafee/epolic~1/server/extensions/installed/nac/3.2.1.148/keystore/nacsub.keystore
          

22. Edit C:\Program Files (x86) \mcafee\epolicy Orchestrator\server\bin\setenv.bat, and then change the path on the line that starts with the following:
    
    Set java_opts=
    Set Jre_home=
    

24. Edit C:\Program Files (x86) \mcafee\epolicy orchestrator\server\bin\setenv.sh(if present), and then change the path on the line that starts with the following:
    
    Export Catalina_home=
    Export java_opts=
    Export Jre_home=
    

26. Edit C:\Program Files (x86) \mcafee\epolicy orchestrator\server\conf\epo\epo.properties, and then change the path on the line that starts with the following:
    
    Epo.install.dir
    Epo.db.dir
    

28. Edit C:\Program Files (x86) \mcafee\epolicy Orchestrator\server\conf\orion\log-config.xml, and then in <param change the path on the line beginning with Name= "File":
    
    Note: This row is in two locations-under the "Standard log Files" and "Rolling log Files" sections.
    

30. Edit C:\Program Files (x86) \mcafee\epolicy orchestrator\server\conf\orion\orion.properties, Then change the path on the line that starts with the following:
    
    Extension.install.dir
    Extension.tmp.dir
    

32. Edit C:\Program Files (x) \mcafee\epolicy orchestrator\installer\epo\install.properties, Then change the path on the line that starts with the following:
    
    Apache.install.dir
    Apache2.install.dir
    Epo.install.dir
    Epo.db.dir
    Epo.db.dir2
    Catalina.home
    

34. Edit C:\Program Files (x86) \mcafee\epolicy orchestrator\installer\core\install.properties, Then change the path on the line that starts with the following:
    
    Orion.home
    Orion.jre.home
    

36. If you have restored the database to a different SQL database, edit the C:\Program Files (x86) \mcafee\epolicy orchestrator\server\conf\orion\db.properties , and then update the following entries with the correct information:
    
    Db.database.name
    Db.instance.name
    Db.port
    Db.user.name
    Db.server.name
    

38. Enable all EPO 4.5.0/epo 4.6.0 services:
    
    

    1. Click start , tap run , type services.msc, and then click OK .

    2. Double-click each of the following services, and then change the startup type to automatic :
       
       McAfee ePolicy Orchestrator 4.x.0 Application Server
       McAfee ePolicy Orchestrator 4.x.0 Event Resolver
       McAfee ePolicy Orchestrator 4.x.0 Server
       
       -where 4.x.0 is the applicable version of EPO running in the environment. ( example:McAfee ePolicy Orchestrator 4.5.0 application Server. ）
       

39. Start the McAfee ePolicy Orchestrator 4.5.0/4.6.0 Application Server service.
    
    Note: The following process must be started before it can work.
    

    2. Click start , tap run , type cmd, and then click OK .

    4. Change the directory to the EPO installation path (it is now: C:\Program Files (x86) \mcafee\epolicy orchestrator\).

    5. in the EPO directory, run the following command:
       
       Important: If User Account Control (UAC) is enabled on this server, this naming will fail. If it is a Windows Server 2008 or later version, disable this feature. You can find more information about UAC on the following Web site:
       http://technet.microsoft.com/en-us/library/cc709691 (ws.10). aspx.
       
       Rundll32.exe Ahsetup.dll rundllgencerts<eposervername> <console HTTPS port> <admin username> <password> < "installdir\apache2\conf \ssl.crt ">
       
       which
       <eposervername> is the NetBios name of the EPO server
       <console HTTPS port> is the EPO console port (default is 8443)
       <admin Username> is an administrator (using the default EPO Administrator account)
       <password> is the password for the EPO Admin console account
       <installdir\Apache2\conf\ssl.crt> is the installation path for the Apache folder (now: C:\Program Files (x86) \mcafee\epolicy orchestrator\ Apache2\conf\ssl. CRT)
       
       Example:
       Rundll32.exe ahsetup.dll rundllgencerts eposervername 8443 Administrator Password "C:\Program Files (x86) \mcafee\ EPolicy Orchestrator\apache2\conf\ssl. CRT "
       
       Note:The rundllgencerts switches in this command are case-sensitive. Ahsetup.log (located in <installdir\Apache2\conf\ssl.crt>) provides information about the success or failure of the command. It will indicate whether to use files located in the Ssl.crt folder.
       

41. Start the following services:
    
    McAfee ePolicy Orchestrator 4.x.0 Event Resolver
    McAfee ePolicy Orchestrator 4.x.0 Server
    
    -where 4.x.0 is the applicable version of EPO running in the environment. ( example:McAfee ePolicy Orchestrator 4.5.0 Application Server)
    
    Note: check in db\logs\server.log to make sure that the agent handler (Apache server) is started correctly. You'll see something like this:
    
    20090923173647 I #4108 naimsrv ePolicy Orchestrator server is started.
    
    If it does not start, an error is displayed, which resembles the following:
    
    20090923173319 E #4736 NAIMSRV Unable to obtain server key information.
    

43. Finally, restart the three EPO services.

Migration and upgrade of McAfee EPO4.6