• Hosted EDR: 7.8.0
• EDR: 7.8.0

The HEDR certificates, watchlists and sensors will migrate.  The older data (cbevents, binaries, etc) do not migrate.

The overall procedure to migrate to On-prem EDR:

1. Contact your Catalyst partner who will work with Broadcom licensing to generate the installation RPM required for installation. 
   If you are not assigned to a Catalyst partner, please open a non-technical case with Broadcom support. 
   
   This process will:
   a. Set up a new record for on-prem EDR instance.
   b. Generate a new RPM required for installation.
   
   
2. Open a support case.
   The below will be provided:
   a. The server and client ca certificates.  These are essential for sensor migration.
   b. The watchlists & optionally a Watchlist Report.   The watchlists should be exported using cbapi.  The Watchlist Report contains hints to improve accuracy and performance.
   c. Average documents ingested per day in HEDR for this instance.  This value can be used to help you calculate the resources needed for an On-prem EDR based on the OER.
   
   
3. Determine the correct sizing for the On-prem EDR.  This is based on the average documents ingested per day and the Operational Environment Requirements (OER).
   
   
4. Bring the provided RPM to the On-prem Primary EDR server.  This RPM only contains the license and alliance certificates which are unique for each organization and the CarbonBlack.repo file.
   
   
5. Install EDR. 
   
   
6. Backup the certificates created by the EDR install.
   

   cp -pr /etc/cb/certs /root/

7. The on-prem EDR requires HEDR key pairs for cb-server, cb-client-ca. 
   Place the HEDR bkup file from the Support Case into the /tmp/ directory on the Standalone or Primary On-prem EDR server.  Restore the HEDR certificates onto the on-prem EDR server.  This automatically moves the current on-prem certs to a subdirectory named /etc/cb/certs/orig.<date>.
   

   /usr/share/cb/cbssl restore --in=/tmp/<CB alias>.certs.bkup
   <enter the password provided by CB Support>

8. Move the correct Alliance certificate key pair (from Step 6) back to the /etc/cb/certs directory.   
   

   mv -f  /etc/cb/certs/orig.<date>/carbonblack* /etc/cb/certs/
   

9. Confirm the certificates are correct (this is important to smoothly migrate the sensors).  The hash for cb-server, cb-client, that came with the file provided by support.  
   
   
10. Check the Alliance certificates' level of security. If the Alliance certs are using SHA1 algorithm, check if you have an updated version of the RPM carbon-black-release-1.0.4+* file under My entitlement in the support portal or open non-technical support ticket with licensing team to provide the updated 1.4+ RPM version file that contains the SHA256 Alliance certificate pair.
    

    openssl x509 -noout -text -in /etc/cb/certs/carbonblack-alliance-client.crt | grep sha

11. Make sure you have the following files under /etc/cb/certs
    

    # ls -alt /etc/cb/certs/
    -rw-r--r--.  1 root cb   1074 Aug 24 20:22 cb-client-ca.crt
    -rw-r-----.  1 root cb   1704 Aug 24 20:22 cb-client-ca.key
    -rw-r--r--.  1 root cb   1090 Aug 24 20:22 cb-server.crt
    -rw-r-----.  1 root cb   1704 Aug 24 20:22 cb-server.key
    -rw-r--r--.  1 root cb   1257 Feb  2  2023 carbonblack-alliance-client.crt
    -rw-r-----.  1 root cb   1704 Feb  2  2023 carbonblack-alliance-client.key

12. Initialize the EDR server.
    
    
13. Check the permissions on the /etc/cb/certs directory.
    

    chown -R root:cb /etc/cb/certs
    chmod 755 /etc/cb/certs
    chmod 644 /etc/cb/certs/*.crt
    chmod 640 /etc/cb/certs/*.key

14. Add minions as needed to meet OER.
    
    
15. Import the watchlists using cbapi
    
    
16. Start the On-prem EDR.
    

    Standalone:
         systemctl start cb-enterprise
    Cluster:
         /usr/share/cb/cbcluster start

17. Select a HEDR Sensor Group to migrate to the On-prem EDR, then create an On-prem EDR group to match.
    
    
18. Modify the HEDR's Sensors > Group > variable Server URL to the On-prem EDR server name. (Use HTTPS and the correct port.) 
    
    
19. Repeat 17 & 18 until the groups have migrated.

• Solr and Postgres data cannot be migrated to the On-prem EDR.   The events, binary collection, user accounts, etc would start fresh on the new On-prem EDR.  
• The watchlists can alternatively be provided in a CSV file that would need to be manually added to the On-prem EDR.