You host the Sensor Gateway on a Linux machine as a container image. Therefore, the Linux server must have a container running capability. In this type of installation, if you want to install more than one Sensor Gateway servers, you must repeat the following steps for every Sensor Gateway server.

The following high level installation workflow depicts the steps for installing and configuring various components in your system so the sensors can communicate with Carbon Black Cloud through the Sensor Gateway.

Installation flow to enable Sensor Gateway in your environment.


  • Verify that port 443 is open on the Sensor Gateway.
  • To have the Sensor Gateway running behind a proxy, ensure you configure the Docker client to use proxy. For more information, see Configure Docker to use a proxy server.


  1. Install Docker.
    For information about installing a Docker engine on the supported by the Sensor Gateway Linux distributions, see Install Docker Engine on CentOS, Install Docker Engine on RHEL, or Install Docker Engine on Ubuntu.
  2. Make the installation script executable if not so already.
    chmod +x
  3. Run the installation script.
  4. When prompted, provide the following input.
    Option Description Example
    API ID

    The API ID and API Secret Key generated on the Carbon Black Cloud console allow an authenticated communication between the Sensor Gateway and the Carbon Black Cloud.

    Both the API ID and API Secret Key are generated in pair. Any mismatch and the Carbon Black Cloud rejects any communication coming from the Sensor Gateway.


    You must generate new API ID and API Secret Key for every Sensor Gateway.

    API Secret Key 8UE3SHE475T2LZLJNJ2M98TK
    Carbon Black Cloud URL

    This URL represents the environment where your services are hosted. Carbon Black Cloud is hosted in several regions and the URL might be different. For a list of Carbon Black Cloud environments, see Carbon Black Cloud Access.
    Note: Ensure the value begins with a https://
    Sensor Gateway entry point URL (https://<sensor-gateway-node-fqdn>)

    An entry point means how the sensors would typically address the Sensor Gateway as.

    This must match the following:

    • If you use a CA-signed or self-signed certificate, this value should be the same as the CN given to the certificate.
    • The IP address or the FQDN of the machine must be the same as the CN of the certificate.

    This example assumes that the CN of the certificate is


    Since the Sensor Gateway services are hosted using SSL, ensure the value begins with https://

    Proxy type
    • None: This is the default option.
    • HTTPS or HTTP: For each choose one of the following options:
      • Proxy Host: Provide the FQDN or IP address of the Proxy Host.
      • Proxy Port: Provide the port where the Proxy server receives requests.
    Optional: Volume mount directory

    The Sensor Gateway uses a fixed directory to look for certificates and to store logs.

    If you do not provide a value, the default location is a /data directory. If you choose to store your certificates or logs in a different directory, you can provide an absolute path here.

    If you choose to have a different folder, ensure you create certs and logs folder underneath this path. At the same time you must ensure the certificate, private key, and certificate chain (optional) are stored in the certs folder before you proceed on the next parameter.

    Since the install script executes with root permissions, by default all these directories will have root permissions as owner and group.

    Optional: Port where Sensor Gateway runs By default the Sensor Gateway services are hosted over SSL on port 443. If this port is in use for any reason on the machine where you are installing the Sensor Gateway, you can use a different port. By default, Sensor Gateway runs on port 443.
    Optional: Certificate private key's passphrase

    As a recommendation, at the time of certificate generation provide a password to protect the private key. When prompted during the Sensor Gateway install provide the same password.

    The Sensor Gateway uses the same password to use the certificate and encrypt the communication between the sensor and itself.

    Provide a password if your sgw_key.pem is password-protected.
    The Sensor Gateway service starts and registers itself with the Carbon Black Cloud. It takes few minutes for the registration to complete.


Once the registration completes successfully, the Sensor Gateway displays as connected in the Settings > API Access > Sensor Gateways page of the Carbon Black Cloud console.

The Sensor Gateway name comes from the API key.

When successfully registered, the Sensor Gateway appears in the API Access page.

What to do next

The Sensor Gateway is reliable and highly available. You can deploy more than one Sensor Gateway servers and configure them in an HA mode (manually) to handle the traffic at an acceptable latency. If a Sensor Gateway server fails due to connection or resource threshold, you can spin up another Sensor Gateway instance to take over in managing the connections.