Environment
- EDR Server: 6.4.0 and higher
- EDR Sensors: All Versions
Objective
How to migrate sensors to a different EDR server on 6.4.0 or higher
Resolution
- Make a back-up of the current certs
sudo tar -cvpzf /etc/cb/certs/cb-certs-backup.tar.gz /etc/cb/certs
- Copy the following certs from the original server to the new server. If this is a clustered environment, please add these to the minions as well
- cb-client-ca.crt
- cb-client-ca.key
- cb-server.crt
- cb-server.key
- Update the permissions of the files
chown root:cb /etc/cb/certs/cb-server* /etc/cb/certs/cb-client-ca*
chmod 644 /etc/cb/certs/cb-server* /etc/cb/certs/cb-client-ca*
- Follow the procedure for your environment before proceeding to step 5
- No sensors are installed and no data has been ingested or data can be deleted
- Run this command to the server with the new certs
/usr/share/cb/cbinit
- Sensors were previously installed and data exists on the new server (WARNING: Sensors currently communicating will need to be re-installed)
- Create a new sensor group on the old server specific for the migration
- Edit the settings of the new sensor group. Set the Server URL to the new server URL. Do not forget to put the correct sensor communication port for the new server. https://newserver:443
- When ready. Move a single test machine into the new sensor group. Verify it has registered and stays connected in the WebUI of the new server
Additional Notes
- Sensors already connected to the new server will drop offline after the certificate is revoked
- Why do I need to revoke the group certificates
- Group certs are signed by the cb-client-ca. When you migrate the certs over from another server, your group certs is no longer validly signed by the cb-client-ca being checked against. Nginx will fail with 400's due to them not being valid
- import_cert.py
#!/usr/share/cb/virtualenv/bin/python
from cb.core.certificates import HttpsProxy
from cb.utils import Config
from cb.utils.db import db_session_context
from cb.utils import get_utcnow_with_tzinfo
from cb.db.core_models import ServerCert
from cb.utils.cb_ssl import SSLCertAndKey
import argparse
import sys
def get_args():
parser = argparse.ArgumentParser()
parser.add_argument('-c', '--config', action="store", default="/etc/cb/cb.conf", help="Path to the cb.conf file.")
parser.add_argument('-e', '--execute', action="store_true", default=False,
help="Perform update instead of just a dry run.")
return parser.parse_args(sys.argv[1:])
def print_separator(text):
text = text.split('\n')
length = 20
for line in text:
length = max(len(line), length)
print('-' * length)
def update_cert(config, dry_run=True):
if config.UnifiedViewEnabled:
print("Cannot run on unified view server.")
exit()
with db_session_context(config) as db_session:
proxy = HttpsProxy(config)
keys = proxy.get_default_key_pair()
cert = db_session.query(ServerCert).filter(ServerCert.is_default == True).one()
if not cert:
print("No default certificate found.")
exit()
print("Public Key before update:")
print_separator(cert.x509_cert)
print(cert.x509_cert)
cert.enabled = True
cert.is_default = True
cert.name = "Legacy"
cert.added_time = cert.changed_time = get_utcnow_with_tzinfo()
cert_and_key = SSLCertAndKey.load_from_string(keys.public, keys.private)
cert.x509_cert = keys.public
cert.private_key = keys.private
cert.fingerprint = cert_and_key.fingerprint(as_text=True)
cert.thumbprint = cert_and_key.thumbprint(as_text=True)
cert.subject = cert_and_key.subject(as_text=True)
cert.server_name = ""
cert.not_valid_before = cert_and_key.not_valid_before()
cert.not_valid_after = cert_and_key.not_valid_after()
cert.self_signed = cert_and_key.self_signed()
print("Public Key after update:")
print_separator(cert.x509_cert)
print(cert.x509_cert)
if dry_run:
db_session.rollback()
print("This was a dry run. To commit changes, run with --execute option.")
else:
db_session.commit()
print("Default certificate imported into the database.")
if __name__ == "__main__":
args = get_args()
config = Config()
config.load(args.config)
update_cert(config, not args.execute)
