3/13/13 McAfee ServicePortal

https://mysupport.mcafee.com/Eservice/article.aspx?page=content&id=KB66616

Published: Feb 15, 2013

Corporate knowledgebase ID: KB66616

ePO 4.5 and 4.6 server backup and disaster recovery procedure


Environment

ePolicy Orchestrator (ePO) 4.0 reached End of Life (EOL) on September 30, 2011. ePO 4.0 will no longer be tested with new releases of related products or utilities. Therefore, McAfee recommends that you upgrade to the latest supported version.

See also:

- McAfee EOL List and EOL Policy at: http://www.mcafee.com/us/support/support-eol.aspx
- KB69534 - End of Life for ePolicy Orchestrator 4.0

For details of all supported operating systems, see KB51109.

Solution

IMPORTANT:

- This procedure is intended for use by network and ePolicy Orchestrator (ePO) administrators only. McAfee does not assume responsibility for any damage incurred because they are intended as guidelines for disaster recovery. All liability for use of the following information remains with the user.
- The procedure is for use with ePO 4.5 and 4.6 servers only.
- This will not work if you rename the ePO server. See KB66620 for steps on handling this situation.
- The Operating System (OS) must be the same if you are going to re-install the OS.
- You must reinstall ePO to the exact same directory path as the previous installation or initialization of extensions will fail when the restore is complete. See KB70685 for a Product Management statement regarding this limitation.

NOTES:

- The Agent uses either the last known IP address, DNS name, or NetBIOS name of the ePO server. If you change any one of these, ensure that the Agents have a way to locate the server. The easiest way to do this would be to retain the existing DNS record and change it to point to the new IP address of the ePO server. After the Agent is able to successfully connect to the ePO server, it downloads an updated SiteList.xml with the current information.
- The procedure can also be used by customers who want to migrate the ePO 4.5 or 4.6 server to another system.

Preparation

To ensure a smooth recovery, do not perform a backup while the server is in the middle of installing an extension.

Before backing up

If possible, shut down the ePO 4.x.0 Application Server service (Tomcat) entirely when doing the backup, where 4.x.0 applies to both ePO 4.5 and 4.6 (for example, ePO 4.6.0 Application Server). Otherwise, ensure that no one is performing the following actions during the backup:

- Installing, uninstalling, or upgrading an extension
- Updating the ePO database configuration


Backing up

Use the following to back up the SQL database (normally named ePO4_<ServerName>, where <ServerName> is your ePO 4.5 / 4.6 server name):

- DBBAK utility
- SQL Enterprise Manager

See article KB59562 - How to back up the ePO database using OSQL commands, or KB52126 - How to back up and restore the ePO database using Enterprise Manager / Management Studio.

You must also back up the following folder paths (the default installation path is used; your installation might differ):

- C:\Program Files\McAfee\ePolicy Orchestrator\SERVER\
  All installed extensions and configuration information for the ePO Application Server service are found here.

  NOTE: If you want to reduce the number of items to back up from the \SERVER folder backup, consider excluding only the following:

  - C:\Program Files\McAfee\ePolicy Orchestrator\server\logs (server log files)
  - C:\Program Files\McAfee\ePolicy Orchestrator\server\cache (Contains cached information that ePO creates and uses, such as generated chart images. ePO will regenerate that information, if deleted.)
  - C:\Program Files\McAfee\ePolicy Orchestrator\server\work (Contains cached information about web applications registered with Tomcat. Tomcat will regenerate that information, if deleted.)

- C:\Program Files\McAfee\ePolicy Orchestrator\DB\SOFTWARE\
  All Products that have been checked into the Master Repository are located here.

- C:\Program Files\McAfee\ePolicy Orchestrator\DB\KEYSTORE\
  The Agent to Server Communication and Repository Keys that are unique to your installation are located here. Failing to restore this folder results in re-pushing the agent to all your systems, and checking in all of your deployable packages again.

- C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONF
  The Server configuration settings for Apache, the SSL Certificates needed to authorize the server to handle agent requests, and Console Certificates are located here. Failure to back up and restore this directory results in a re-installation of ePO to create new ones and possibly using a clean database installation.
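The file-system half of the backup above, scripted in PowerShell as an added example (not part of the original article and not McAfee tooling). It assumes PowerShell 4.0 or later for Get-FileHash, the default installation path, and a hypothetical destination D:\ePO-Backup; the SQL database backup is not covered.

```powershell
# Added example. $EpoRoot is the article's default path; $Dest is a
# hypothetical backup target. Run from an elevated prompt.
param(
    [string]$EpoRoot = 'C:\Program Files\McAfee\ePolicy Orchestrator',
    [string]$Dest    = 'D:\ePO-Backup'
)
$ErrorActionPreference = 'Stop'

# Folders the article says to back up. logs, cache and work under SERVER
# are the only subfolders it allows you to leave out.
$jobs = @(
    @{ Sub = 'SERVER';       Skip = @('logs', 'cache', 'work') },
    @{ Sub = 'DB\SOFTWARE';  Skip = @() },
    @{ Sub = 'DB\KEYSTORE';  Skip = @() },
    @{ Sub = 'APACHE2\CONF'; Skip = @() }
)

# Stop the Application Server (Tomcat) so no extension install or database
# configuration change can run mid-copy. The pattern matches 4.5.0 and 4.6.0.
$appServer = Get-Service -DisplayName 'McAfee ePolicy Orchestrator 4.*.0 Application Server'
if (-not $appServer) { throw 'ePO Application Server service not found' }
$appServer | Stop-Service -Force
try {
    foreach ($job in $jobs) {
        $src = Join-Path $EpoRoot $job.Sub
        $dst = Join-Path $Dest $job.Sub
        $roboArgs = @($src, $dst, '/E', '/R:2', '/W:5', '/NP')
        if ($job.Skip.Count -gt 0) {
            $roboArgs += '/XD'
            $roboArgs += $job.Skip | ForEach-Object { Join-Path $src $_ }
        }
        & robocopy.exe @roboArgs
        # robocopy exit codes of 8 and above mean at least one copy failed.
        if ($LASTEXITCODE -ge 8) { throw "robocopy failed for $src (exit code $LASTEXITCODE)" }
    }
    # Record a SHA-256 hash per copied file, written next to (not inside)
    # the backup, so the folders can be verified before they are restored.
    Get-ChildItem -Path $Dest -Recurse -File |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path |
        Export-Csv -Path "$Dest.sha256.csv" -NoTypeInformation
}
finally {
    # Bring the console back up whether or not the copy succeeded.
    $appServer | Start-Service
}
```

The KEYSTORE and APACHE2\CONF copies hold the agent-server keys and SSL certificates, so the destination needs the same access restrictions as the ePO server itself.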

Recovery

1. Delete or rename the ePO database on the SQL server.
   If you do not know how to perform the MSSQL operation, contact Microsoft Support.

2. Reinstall ePO 4.5 / 4.6.

   IMPORTANT: You must reinstall ePO to the exact same directory path as the previous installation or initialization of extensions will fail when the restore is complete. Also, you do not have to specify the same port configuration except for the database. The ports are restored to the previous installation values during the restore.

3. Apply any patches to ePO 4.5 / 4.6 that had been previously applied.

   - If you have previously installed Policy Auditor 5.x for use with ePO, install the same version of Policy Auditor (including the hotfix release) that had been installed before.
   - If you have previously installed McAfee NAC 3.x or McAfee NAC 4.0 for use with ePO, install the same version of McAfee NAC (including the hotfix release) that had been installed before.

   NOTE: You can verify the ePO 4.5/4.6 patch level by looking at the Version field in the backed up Server.ini file (C:\Program Files\McAfee\ePolicy Orchestrator\DB\) and cross referencing it with article KB59938 - Version information for the ePO 4.x server.


4. After installing, stop and disable all ePO 4.5 / 4.6 services:

   a. Click Start, Run, type services.msc, and click OK.
   b. Right-click each of the following services and select Stop:

      - McAfee ePolicy Orchestrator 4.x.0 Application Server
      - McAfee ePolicy Orchestrator 4.x.0 Event Parser
      - McAfee ePolicy Orchestrator 4.x.0 Server

   c. Double-click each of the following services and change Startup type to Disabled:

      - McAfee ePolicy Orchestrator 4.x.0 Application Server
      - McAfee ePolicy Orchestrator 4.x.0 Event Parser
      - McAfee ePolicy Orchestrator 4.x.0 Server

5. Restore the database.

   NOTE: Restore the database so that you do not require the ePO database configuration to be updated (for example, same name, host, port, and so on). Otherwise, you have to update the restored DB.PROPERTIES file in C:\Program Files\McAfee\ePolicy Orchestrator\server\conf\Orion with the new information before starting up the server.

6. Delete the following folders, replacing them with the corresponding folders that were backed up earlier:

   - C:\Program Files\McAfee\ePolicy Orchestrator\SERVER\
   - C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONF
   - C:\Program Files\McAfee\ePolicy Orchestrator\DB\SOFTWARE\
   - C:\Program Files\McAfee\ePolicy Orchestrator\DB\KEYSTORE\

7. Before you enable and start the ePO 4.5 / 4.6 services, ensure that the contents (version numbers) of the C:\Program Files\McAfee\ePolicy Orchestrator\server\extensions\installed folder match the extensions listed in the OrionExtensions table.

   To check the contents of the OrionExtensions table, access the SQL Tools and run the following T-SQL command:

       Select * from OrionExtensions

   If there is a mismatch on server startup, the server removes each extension not listed in the OrionExtensions table. If this happens, check in these extensions again and also restore the database again.

8. Start the McAfee ePolicy Orchestrator 4.x.0 Application Server service.

NOTE: You have to start this service for RunDllGenCerts to work.

9. Rename the SSL.CRT folder (see path below) to SSL.CRT.OLD and manually create an empty folder named SSL.CRT on the same path, otherwise the setup will fail to create a new Cert:

   32-bit: "C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"
   64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"

10. Click Start, Run, type cmd, and click OK.

11. Change directories to your ePO installation directory.

    Default path:

    32-bit: Program Files\McAfee\ePolicy Orchestrator\
    64-bit: Program Files (x86)\McAfee\ePolicy Orchestrator\

12. Run the following command:


    Rundll32.exe ahsetup.dll RunDllGenCerts <eposervername> <console HTTPS port> <admin username> <password> <"installdir\Apache2\conf\ssl.crt">

    where:

    - <eposervername> is your ePO server's NetBIOS Name
    - <console HTTPS port> is your ePO Console Port (default is 8443)
    - <admin username> is admin (use the default ePO admin account)
    - <password> is the password to the ePO Admin console account
    - <installdir\Apache2\conf\ssl.crt> is your installation path to the Apache folder. Default installation path:

      32-bit: "C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"
      64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"

    Example:

    Rundll32.exe ahsetup.dll RunDllGenCerts eposervername 8443 administrator password "C:\Program Files\McAfee\ePolicy Orchestrator\APACHE2\CONF\SSL.CRT"

    IMPORTANT:

    - This command will fail if you have enabled User Account Control (UAC) on this server. If this is a Windows Server 2008 or later, disable this feature. You can find more information about UAC at: http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx.
    - This command is case-sensitive. The ahsetup.log (found in <installdir\Apache2\conf\ssl.crt>) provides information about whether the command succeeded or failed and will state if it used the files located in the ssl.crt folder.

13. Start the following services:

    - McAfee ePolicy Orchestrator 4.x.0 Event Parser
    - McAfee ePolicy Orchestrator 4.x.0 Server

14. Look in the DB/logs/server.log to ensure that the Agent Handler (Apache server) started correctly. It should state something similar to the following:

    "20090923173647 I #4108 NAIMSRV ePolicy Orchestrator server started."

    If it does not, there will be an error similar to:

    "20090923173319 E #4736 NAIMSRV Failed to get server key information."
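The check in step 14 can be scripted. The following PowerShell is an added example, not part of the original article: the field layout (timestamp, severity, thread id, module, message) is inferred from the two log lines quoted above, and the function names and the "server started" match are assumptions.

```powershell
# Added example: parse server.log lines in the format quoted in step 14.
function Get-EpoServerLogEntry {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        if ($Line -match '^(?<ts>\d{14})\s+(?<sev>[A-Z])\s+#(?<tid>\d+)\s+(?<mod>\S+)\s+(?<msg>.*)$') {
            [pscustomobject]@{
                Time     = [datetime]::ParseExact($Matches.ts, 'yyyyMMddHHmmss',
                               [cultureinfo]::InvariantCulture)
                Severity = $Matches.sev
                Module   = $Matches.mod
                Message  = $Matches.msg.Trim()
            }
        }
    }
}

function Test-EpoServerStarted {
    param([string[]]$Lines)
    $naimsrv = @($Lines | Get-EpoServerLogEntry | Where-Object { $_.Module -eq 'NAIMSRV' })
    $start = $naimsrv | Where-Object { $_.Message -like '*server started*' } |
        Select-Object -Last 1
    # Errors logged after the last successful start, or all errors if the
    # server never reported a start.
    $errors = @($naimsrv | Where-Object {
        $_.Severity -eq 'E' -and (-not $start -or $_.Time -gt $start.Time) })
    [pscustomobject]@{
        Started   = ([bool]$start) -and ($errors.Count -eq 0)
        StartedAt = if ($start) { $start.Time } else { $null }
        Errors    = @($errors | ForEach-Object { $_.Message })
    }
}

# Sample input: the two lines quoted in this article plus one constructed
# line that does not match the format and is ignored.
$sample = @(
    '20090923173319 E #4736 NAIMSRV Failed to get server key information.',
    'constructed line that is not in server.log format',
    '20090923173647 I #4108 NAIMSRV ePolicy Orchestrator server started.'
)
Test-EpoServerStarted -Lines $sample

# Against a real log, run from the ePO installation directory:
# Test-EpoServerStarted -Lines (Get-Content 'DB\logs\server.log')
```

With the sample above, Started is True because the key error precedes the last start; a "Failed to get server key information" entry after the last start line is reported in Errors.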

Related Information


KB51438 - Recommended steps for migrating or moving the ePO 4.0 server to a new system
