EDR: Improve Alliance Certificates by Implementing SHA256

Article ID: 290857


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Upgrade the Alliance client certificate from a SHA1 signature to a SHA256 signature to increase security.
  • If the following command reports sha1, request a SHA256 Alliance certificate by contacting an Account Representative or Customer Support.
Run:
openssl x509 -noout -text -in /etc/cb/certs/carbonblack-alliance-client.crt | grep 'Signature Algorithm'

Returns (the line is printed twice, once in the certificate body and once before the signature value; both show the same algorithm):
Signature Algorithm: sha1WithRSAEncryption  <--  Obtain an updated Alliance Certificate.
Signature Algorithm: sha256WithRSAEncryption  <--  Expected value.


Environment

EDR Server: 7.7.2 and higher
EDR Container: 7.7.2 and higher
Operating Systems: CentOS/RHEL 7, CentOS/RHEL 8, Photon4
 

Resolution

The Alliance server certificate has recently been upgraded to use the SHA256 signature algorithm.
New customers installing EDR 7.8.0 or later receive the SHA256 Alliance certificates by default in the initial install rpm.
Existing customers can obtain a new rpm (carbon-black-release-1.0.4-1-<name>.x86_64.rpm), which includes the updated Alliance certificate, from their VMware Carbon Black account representative.

Obtain the updated rpm from the account representative or support representative.
The following steps are for existing container and on-prem customers (prior to the EDR 7.8.0 release) who have the updated rpm and want to implement the SHA256 Alliance certificate.

For EDR Containers:
1. Copy the new rpm into the root directory of the existing running docker container using docker cp. The remaining steps run inside the container from the / directory, so that the relative ./etc paths below refer to /etc.
docker cp <new_license_rpm> <container_id>:/
2. Back up the essential files.
mkdir ~/backup
cp /etc/cb/certs/carbonblack-alliance-client.crt ~/backup
cp /etc/cb/certs/carbonblack-alliance-client.key ~/backup
cp /etc/cb/server.lic ~/backup
cp /etc/yum.repos.d/CarbonBlack.repo ~/backup
3. After backing up the files, delete the older files:
cd /
rm -f ./etc/cb/certs/carbonblack-alliance-client.crt
rm -f ./etc/cb/certs/carbonblack-alliance-client.key
rm -f ./etc/cb/server.lic
rm -f ./etc/yum.repos.d/CarbonBlack.repo
4. Run the rpm2cpio utility, which unpacks the rpm contents into a subdirectory called etc (here /etc, because the working directory is /).
rpm2cpio ./<new_license_rpm> | cpio -idm
5. Copy the newly generated certs and license into the respective folders under /config.
cp -a ./etc/cb/certs /config/
cp -a ./etc/cb/server.lic /config/server.lic
6. Change the file permissions and group of the new files so that they are consistent with the other certificates.
cd /etc/cb/certs
chmod 640 carbonblack-alliance-client.key
chgrp cb carbonblack-alliance-client.crt
chgrp cb carbonblack-alliance-client.key
7. Restart coreservices.
/usr/share/cb/cbservice cb-coreservices restart


For on-prem EDR standalone servers and EDR cluster servers (run the steps on the Primary and on every Minion):
1. Back up the current certificates, license and repo.
mkdir ~/backup
cp /etc/cb/certs/carbonblack-alliance-client.crt ~/backup
cp /etc/cb/certs/carbonblack-alliance-client.key ~/backup
cp /etc/cb/server.lic ~/backup
cp /etc/yum.repos.d/CarbonBlack.repo ~/backup
2. Unpack the new rpm. This creates a subdirectory ~/etc.
mv carbon-black-release-1.0.4-1-<name>.x86_64.rpm ~/
cd ~/
rpm2cpio carbon-black-release-1.0.4-1-<name>.x86_64.rpm | cpio -idmv
3. Copy the new carbonblack-alliance-client key and crt files to /etc/cb/certs on the EDR server.
cp -a ~/etc/cb/certs/carbonblack-alliance-client.key /etc/cb/certs/
cp -a ~/etc/cb/certs/carbonblack-alliance-client.crt /etc/cb/certs/
4. Fix the permissions.
cd /etc/cb/certs
chmod 640 carbonblack-alliance-client.key
chgrp cb carbonblack-alliance-client.crt
chgrp cb carbonblack-alliance-client.key
5. Restart coreservices.
/usr/share/cb/cbservice cb-coreservices restart

Confirm: Confirm the new Alliance certificate is working by tailing /var/log/cb/coreservices/debug.log or /var/log/cb/enterprise/enterprise.log while running "Check New Feeds" on the Threat Intelligence page. CA_MD_TOO_WEAK is the OpenSSL certificate-verification error raised when a certificate in the chain was signed with a digest (here SHA1) that is weaker than the local security policy allows; confirm that these errors no longer appear in the logs now that the connection uses the stronger certificate.
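The helper script below is an added example; it is not part of this article and not Carbon Black tooling. It automates the two parts of this article that are easy to get wrong by hand: the "Signature Algorithm" check from the Issue section (reading the first Signature Algorithm line instead of grepping for "sha", which would also match any other text containing those letters) and the backup, copy and permission steps of the on-prem procedure. The file names, the 640 mode and the cb group come from the article; the function names, the backup directory argument, the verify_against_ca helper and the assumption that openssl is on PATH are illustrative additions.

```bash
#!/bin/bash
# Added example, not from the Carbon Black article or product. Assumes openssl
# is on PATH; function names and the verify_against_ca helper are illustrative.
set -eu

# Print the signature algorithm of a PEM certificate, e.g. sha256WithRSAEncryption.
# "openssl x509 -text" prints the line twice (certificate body and trailer);
# the first occurrence is enough, and matching the full label avoids false hits
# on any other "sha" text (subject names, extension values).
cert_sig_alg() {
  openssl x509 -noout -text -in "$1" | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Classify the Alliance client cert. Prints sha256/sha1/unknown and returns
# 0 (expected), 1 (request a SHA256 certificate) or 2 (something unexpected).
alliance_cert_status() {
  case "$(cert_sig_alg "$1")" in
    sha256WithRSAEncryption) echo sha256;  return 0 ;;
    sha1WithRSAEncryption)   echo sha1;    return 1 ;;
    *)                       echo unknown; return 2 ;;
  esac
}

# Verify CERT against CA_FILE at an OpenSSL authentication security level
# (default 2). A certificate (other than the trust anchor itself) that its
# issuer signed with SHA1 is rejected here with "CA signature digest algorithm
# too weak", the X509_V_ERR_CA_MD_TOO_WEAK condition the log check looks for.
verify_against_ca() {
  ca_file=$1; cert=$2; level=${3:-2}
  openssl verify -auth_level "$level" -CAfile "$ca_file" "$cert" >/dev/null 2>&1
}

# Install carbonblack-alliance-client.{crt,key} from SRC_DIR (the etc/cb/certs
# tree unpacked by rpm2cpio) into CERTS_DIR, after copying the current pair to
# BACKUP_DIR, then apply the article's permissions: key mode 640, both files
# in GROUP (cb on a real EDR server). Prints the installed cert's status and
# returns non-zero if the new cert is not SHA256, so a wrong rpm is caught
# before coreservices is restarted.
install_alliance_cert() {
  src_dir=$1; certs_dir=$2; backup_dir=$3; group=$4
  mkdir -p "$backup_dir" "$certs_dir"
  for f in carbonblack-alliance-client.crt carbonblack-alliance-client.key; do
    if [ -f "$certs_dir/$f" ]; then
      cp -a "$certs_dir/$f" "$backup_dir/$f"
    fi
    cp -a "$src_dir/$f" "$certs_dir/$f"
  done
  chmod 640 "$certs_dir/carbonblack-alliance-client.key"
  chgrp "$group" "$certs_dir/carbonblack-alliance-client.crt" \
                 "$certs_dir/carbonblack-alliance-client.key"
  alliance_cert_status "$certs_dir/carbonblack-alliance-client.crt"
}

# Stand-alone use (paths as in the article):
#   ./alliance-cert.sh check /etc/cb/certs/carbonblack-alliance-client.crt
#   ./alliance-cert.sh install ~/etc/cb/certs /etc/cb/certs ~/backup cb
if [ "$#" -gt 0 ]; then
  case "$1" in
    check)   alliance_cert_status "$2" ;;
    install) install_alliance_cert "$2" "$3" "$4" "$5" ;;
    *) echo "usage: $0 check CERT | install SRC_DIR CERTS_DIR BACKUP_DIR GROUP" >&2; exit 2 ;;
  esac
fi
```

Run it as root on the EDR server after unpacking the rpm, then restart coreservices exactly as in step 5 above; the non-zero exit on a sha1 result is deliberate, so that a script that wraps this with set -e stops before the restart when the wrong certificate was unpacked.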

Additional Information

The license server now generates the license rpm with SHA256 certificates instead of the previous SHA1 certificates. This means:
  • For any new customer, the license rpm contains SHA256 certificates by default.
  • For any existing customer, any newly generated license rpm contains SHA256 certificates. Customers who want the newer certificates must install the new license rpm generated for them.