How to migrate sensors to a different EDR server

• EDR Server: All Supported Versions
• EDR Sensors: All Versions

1. Make a back-up of the current certs

   sudo tar -cvpzf /etc/cb/certs/cb-certs-backup.tar.gz /etc/cb/certs

2. Copy the following certs from the original server to the new server. If this is a clustered environment, please add these to the minions as well
   • cb-client-ca.crt
   • cb-client-ca.key
   • cb-server.crt
   • cb-server.key
3. Update the permissions of the files

   chown root:cb /etc/cb/certs/cb-server* /etc/cb/certs/cb-client-ca*
   chmod 644 /etc/cb/certs/cb-server* /etc/cb/certs/cb-client-ca*

4. Follow the procedure for your environment before proceeding to step 5
   1. No sensors are installed and no data has been ingested or data can be deleted
      • Run this command to the server with the new certs 

        /usr/share/cb/cbinit

   2.  Sensors were previously installed and data exists on the new server (WARNING: Sensors currently communicating will need to be re-installed)
      • Please revoke Certificates of all current groups. How to Revoke a Sensor Group Certificate
      • Postgres needs to be updated with the server cert
        • Copy the import_cert.py script in the additional notes section. Use --execute to make the change

          sudo chmod 770 import_cert.py
          sudo ./import_cert.py --execute

          • If an error like the one below happens when attempting to run import_cert.py:

            Traceback (most recent call last):
              File "./import_cert.py", line 3, in <module>
                from cb.core.certificates import HttpsProxy
            ImportError: No module named cb.core.certificates

• Use this to workaround the error and try executing the script again : 

  chmod o+x import_cert.py
  sed -i.bak 's/\r$//' import_cert.py
  sudo ./import_cert.py

• For clustered instances, you will need to sync the certs across all nodes if the minion(s) already exist. 

  /usr/share/cb/cbcluster sync-certs

• Restart the server services. How to Restart EDR Server Services

5. Create a new sensor group on the old server specific for the migration
6. Edit the settings of the new sensor group. Set the Server URL to the new server URL. Do not forget to put the correct sensor communication port for the new server. https://newserver:443
7. When ready. Move a single test machine into the new sensor group. Verify it has registered and stays connected in the WebUI of the new server

• Sensors already connected to the new server will drop offline after the certificate is revoked 
• Why do I need to revoke the group certificates
  • Group certs are signed by the cb-client-ca. When you migrate the certs over from another server, your group certs is no longer validly signed by the cb-client-ca being checked against. Nginx will fail with 400's due to them not being valid
• import_cert.py

  #!/usr/share/cb/virtualenv/bin/python
  
  from cb.core.certificates import HttpsProxy
  from cb.utils import Config
  from cb.utils.db import db_session_context
  from cb.utils import get_utcnow_with_tzinfo
  from cb.db.core_models import ServerCert
  from cb.utils.cb_ssl import SSLCertAndKey
  import argparse
  import sys
  
  
  def get_args():
      parser = argparse.ArgumentParser()
      parser.add_argument('-c', '--config', action="store", default="/etc/cb/cb.conf", help="Path to the cb.conf file.")
      parser.add_argument('-e', '--execute', action="store_true", default=False,
                          help="Perform update instead of just a dry run.")
      return parser.parse_args(sys.argv[1:])
  
  
  def print_separator(text):
      text = text.split('\n')
      length = 20
      for line in text:
          length = max(len(line), length)
      print('-' * length)
  
  
  def update_cert(config, dry_run=True):
      if config.UnifiedViewEnabled:
          print("Cannot run on unified view server.")
          exit()
  
      with db_session_context(config) as db_session:
          proxy = HttpsProxy(config)
          keys = proxy.get_default_key_pair()
  
          cert = db_session.query(ServerCert).filter(ServerCert.is_default == True).one()
          if not cert:
              print("No default certificate found.")
              exit()
  
          print("Public Key before update:")
          print_separator(cert.x509_cert)
          print(cert.x509_cert)
  
          cert.enabled = True
          cert.is_default = True
          cert.name = "Legacy"
          cert.added_time = cert.changed_time = get_utcnow_with_tzinfo()
          cert_and_key = SSLCertAndKey.load_from_string(keys.public, keys.private)
          cert.x509_cert = keys.public
          cert.private_key = keys.private
          cert.fingerprint = cert_and_key.fingerprint(as_text=True)
          cert.thumbprint = cert_and_key.thumbprint(as_text=True)
          cert.subject = cert_and_key.subject(as_text=True)
          cert.server_name = ""
          cert.not_valid_before = cert_and_key.not_valid_before()
          cert.not_valid_after = cert_and_key.not_valid_after()
          cert.self_signed = cert_and_key.self_signed()
  
          print("Public Key after update:")
          print_separator(cert.x509_cert)
          print(cert.x509_cert)
  
          if dry_run:
              db_session.rollback()
              print("This was a dry run.  To commit changes, run with --execute option.")
          else:
              db_session.commit()
              print("Default certificate imported into the database.")
  
  
  if __name__ == "__main__":
      args = get_args()
      config = Config()
      config.load(args.config)
  
      update_cert(config, not args.execute)