Data Loss Prevention

  • 1.  Migrate DLP Endpoint detection server to new enforce

    Broadcom Employee
    Posted Oct 23, 2020 10:13 AM
    Henning,

    It should be pretty easy.  Install your new endpoint server and then follow this technote to change them to the new endpoint server.


    Regards,

    Paul




  • 2.  RE: Migrate DLP Endpoint detection server to new enforce

    Posted Oct 25, 2020 04:19 PM
    Hello Paul,

    The KB knowledge.broadcom.com/external/article/171131/... is a good article, but I think Henning's problem is probably a connection problem if you have a completely different installation.

    We had a similar problem. Let's say you have an "old" installation with Enforce and Endpoint Servers A, B and C, and a new installation with a new Enforce server and Endpoint Servers X, Y and Z. The problem is, you can change between X, Y and Z but of course not from the old to the new one, right? (Because the certificate of the old one is different from the new one.)

    I never got this running, but in theory, if you have a laptop with an Agent on the "old installation", then it uses a specific certificate to communicate with the old network (via A, B or C), right? Is there a way to manually "import" an additional certificate on the Endpoint Agent? That would enable the Agent to establish a connection with the old one, and if the old system is shut down it would then be possible to connect to the "new" one, let's say X, Y or Endpoint Server Z.

    I hope what I said is not too confusing, but I think Henning's problem is similar to the one we had.

    Best Regards
    Thomas


  • 3.  RE: Migrate DLP Endpoint detection server to new enforce

    Posted Nov 06, 2020 10:39 AM
    Hello Thomas, thanks for the addition. When you exchange the certificate authority on the new Enforce with the old one, services will fail to start (Tomcat, incident persister).

    The CryptoMaster.properties is for the database connection and does not need to be changed in my opinion, as we want to create a new database as well.
    But if we use the files from the reinstallation resources we will run into a problem.

    So, our scenario is just: 

    NEW:
    Enforce
    Oracle Host
    Database

    OLD:
    Detection Server
    Endpoint Agent

    If I remember correctly, the agent gets its certificate from the Enforce and uses it as a client certificate; the detection server gets a certificate from the Enforce (either the built-in one or, in our case, a newly generated one for every monitor) and uses that as legitimation towards the Enforce and the client. The client itself presents its client certificate, which should be trusted because the Enforce CA built it.

    So we need to use the same certificate_authority_v1.jks, or communications will fail, and change the system services later on accordingly.

    I would normally not make such a fuss about that, but we have several thousand clients here with multiple hundred endpoint detection servers.

    ------------------------------
    PMCS GmbH & Co. KG
    ------------------------------