The Alliance server certificate has recently increased security to use the SHA256 algorithm.
New customers, after EDR 7.8.0 is released, receive the improved Alliance certificates by default in the initial install rpm.
Existing customers could obtain a new rpm (carbon-black-release-1.0.4-1-<name>.x86_64.rpm) which includes the updated Alliance certificate from the VMware Carbon Black account representatives.
Obtain the updated rpm from the account representative or support representative.
These steps are for existing container and on-prem customers (prior to EDR 7.8.0 release) with an updated rpm to implement the SHA256 Alliance certificate.
For EDR Containers:1. Copy the new rpm inside the existing running docker container using docker cp
docker cp <new_license_rpm> <container_id>:/
2. Backup up essential files.
mkdir ~/backup
cp /etc/cb/certs/carbonblack-alliance-client.crt ~/backup
cp /etc/cb/certs/carbonblack-alliance-client.key ~/backup
cp etc/cb/server.lic ~/backup
cp /etc/yum.repos.d/CarbonBlack.repo ~/backup
3. After backing up the files, delete the older files:
rm f ./etc/cb/certs/carbonblack-alliance-client.crt
rm f ./etc/cb/certs/carbonblack-alliance-client.key
rm f ./etc/cb/server.lic
rm f ./etc/yum.repos.d/CarbonBlack.repo
4. Run the rpm2cpio utility which creates a subdirectory called etc.
rpm2cpio ./<new_license_rpm> | cpio -idm
5. Copy the new generated certs in the respective folders
cp -a ./etc/cb/certs /config/
cp -a ./etc/cb/server.lic /config/server.lic
6. Change the file permissions and group of the new files so that they are consistent with the other certificates.
cd /etc/cb/certs
chmod 640 carbonblack-alliance-client.key
chgrp cb carbonblack-alliance-client.crt
chgrp cb carbonblack-alliance-client.key
7. Restart coreservices
usr/share/cb/cbservice cb-coreservices restart
For on-prem EDR standalone servers and EDR cluster servers (both Primary and Minion):1. Backup the current certificates, license and repo.
mkdir ~/backup
cp /etc/cb/certs/carbonblack-alliance-client.crt ~/backup
cp /etc/cb/certs/carbonblack-alliance-client.key ~/backup
cp etc/cb/server.lic ~/backup
cp /etc/yum.repos.d/CarbonBlack.repo ~/backup
2. Unpack the new rpm. This creates a subdirectory ~/etc
mv carbon-black-release-1.0.4-1.<name>.rpm ~/
cd ~/
rpm2cpio carbon-black-release-10.0.4-1-<name>.x86_64.rpm | cpio -idmv
3. Copy the new carbonblack-alliance-client key and crt file to EDR server /etc/cb/certs.
cp -a ~/etc/cb/carbonblack-alliance-client.key /etc/cb/certs/
cp -a ~/etc/cb/carbonblack-alliance-client.crt /etc/cb/certs/
4. Fix the permissions.
cd /etc/cb/certs
chmod 640 carbonblack-alliance-client.key
chgrp cb carbonblack-alliance-client.crt
chgrp cb carbonblack-alliance-client.key
5. Restart coreservice
/usr/share/cb/cbservice cb-coreservices restart
Confirm: Confirm the new Alliance certificate is working by tailing the /var/log/cb/coreservices/debug.log or the /var/log/cb/enterprise/enterprise.log and running the “Check New Feeds” on the Threat Intelligence page. Confirm the CA_MD_TOO_WEAK errors are not appearing in the logs now that the communication is implementing stronger certs.