EDR: How to Migrate Sensors to a Different EDR Server on 6.4.0 or Higher
search cancel

EDR: How to Migrate Sensors to a Different EDR Server on 6.4.0 or Higher


Article ID: 285952


Updated On:


Carbon Black EDR (formerly Cb Response)


How to migrate sensors to a different EDR server on 6.4.0 or higher


  • EDR Server: 6.4.0 and higher
  • EDR Sensors: All Versions


  1. Make a back-up of the current certs
    sudo tar -cvpzf /etc/cb/certs/cb-certs-backup.tar.gz /etc/cb/certs
  2. Copy the following certs from the original server to the new server. If this is a clustered environment, please add these to the minions as well
    • cb-client-ca.crt
    • cb-client-ca.key
    • cb-server.crt
    • cb-server.key
  3. Update the permissions of the files
    chown root:cb /etc/cb/certs/cb-server* /etc/cb/certs/cb-client-ca*
    chmod 644 /etc/cb/certs/cb-server* /etc/cb/certs/cb-client-ca*
  4. Follow the procedure for your environment before proceeding to step 5
    1. No sensors are installed and no data has been ingested or data can be deleted
      • Run this command to the server with the new certs 
    2.  Sensors were previously installed and data exists on the new server (WARNING: Sensors currently communicating will need to be re-installed)
      • Please revoke Certificates of all current groups. EDR: How to revoke a sensor group certificate version 6.2 and above
      • Postgres needs to be updated with the server cert
        • Copy the import_cert.py script in the additional notes section. Use --execute to make the change
          sudo chmod 770 import_cert.py
          sudo ./import_cert.py --execute
          • If an error like the one below happens when attempting to run import_cert.py:
            Traceback (most recent call last):
              File "./import_cert.py", line 3, in <module>
                from cb.core.certificates import HttpsProxy
            ImportError: No module named cb.core.certificates
  • Use this to workaround the error and try executing the script again : 
    chmod o+x import_cert.py
    sed -i.bak 's/\r$//' import_cert.py
    sudo ./import_cert.py
  1. Create a new sensor group on the old server specific for the migration
  2. Edit the settings of the new sensor group. Set the Server URL to the new server URL. Do not forget to put the correct sensor communication port for the new server. https://newserver:443
  3. When ready. Move a single test machine into the new sensor group. Verify it has registered and stays connected in the WebUI of the new server

Additional Information

  • Sensors already connected to the new server will drop offline after the certificate is revoked 
  • Why do I need to revoke the group certificates
    • Group certs are signed by the cb-client-ca. When you migrate the certs over from another server, your group certs is no longer validly signed by the cb-client-ca being checked against. Nginx will fail with 400's due to them not being valid
  • import_cert.py
    from cb.core.certificates import HttpsProxy
    from cb.utils import Config
    from cb.utils.db import db_session_context
    from cb.utils import get_utcnow_with_tzinfo
    from cb.db.core_models import ServerCert
    from cb.utils.cb_ssl import SSLCertAndKey
    import argparse
    import sys
    def get_args():
        parser = argparse.ArgumentParser()
        parser.add_argument('-c', '--config', action="store", default="/etc/cb/cb.conf", help="Path to the cb.conf file.")
        parser.add_argument('-e', '--execute', action="store_true", default=False,
                            help="Perform update instead of just a dry run.")
        return parser.parse_args(sys.argv[1:])
    def print_separator(text):
        text = text.split('\n')
        length = 20
        for line in text:
            length = max(len(line), length)
        print('-' * length)
    def update_cert(config, dry_run=True):
        if config.UnifiedViewEnabled:
            print("Cannot run on unified view server.")
        with db_session_context(config) as db_session:
            proxy = HttpsProxy(config)
            keys = proxy.get_default_key_pair()
            cert = db_session.query(ServerCert).filter(ServerCert.is_default == True).one()
            if not cert:
                print("No default certificate found.")
            print("Public Key before update:")
            cert.enabled = True
            cert.is_default = True
            cert.name = "Legacy"
            cert.added_time = cert.changed_time = get_utcnow_with_tzinfo()
            cert_and_key = SSLCertAndKey.load_from_string(keys.public, keys.private)
            cert.x509_cert = keys.public
            cert.private_key = keys.private
            cert.fingerprint = cert_and_key.fingerprint(as_text=True)
            cert.thumbprint = cert_and_key.thumbprint(as_text=True)
            cert.subject = cert_and_key.subject(as_text=True)
            cert.server_name = ""
            cert.not_valid_before = cert_and_key.not_valid_before()
            cert.not_valid_after = cert_and_key.not_valid_after()
            cert.self_signed = cert_and_key.self_signed()
            print("Public Key after update:")
            if dry_run:
                print("This was a dry run.  To commit changes, run with --execute option.")
                print("Default certificate imported into the database.")
    if __name__ == "__main__":
        args = get_args()
        config = Config()
        update_cert(config, not args.execute)