To set up each of your Linux servers for the Sensor Gateway installation, follow this procedure.

Prerequisites

  • Provision an SSL signed certificate. Choose between:
    • Certificate authority (CA) signed certificate. This certificate is the preferred choice. For more information, see Sensor Gateway Certificates.
    • Self-signed certificate. This certificate requires pushing these certificates into the trust store of each sensor workload. For more information, see Sensor Gateway Certificates.
    Note: You need the private key for the certificate you are using.
  • If you have a CA-signed certificate or an internal certificate that has an Online Certificate Status Protocol (OCSP) responder, you might have to provision the entire certificate chain. The Sensor Gateway uses the certificate and its chain to get the OCSP response and staple it with every request. This ensures that the sensors do not reach out to the OCSP responders directly.

    Generate the Certificate Chain file by using any online service that offers a certificate chain composition. For more information, see Create a Certificate Chain File.

  • Acquire a Static IP for each Sensor Gateway server.
  • Reserve a DNS entry. For example, sensorgateway.company.com

    To install the Sensor Gateway in your environment, map its DNS to the IP that you previously allocated to the server.

    Use the DNS mapping to IP if you plan to configure your Sensor Gateway with its FQDN.
    Note: You can use just an IP and create the certificates with the IP being the same as the CN.
  • Verify that sensors can reach the Sensor Gateway.
  • Verify that the Sensor Gateway has connectivity to the Internet. The Sensor Gateway must have connectivity to Carbon Black Cloud. However, it might need to reach out to CA providers to get Online Certificate Status Protocol (OCSP) responses for the validity of its digital certificate.
  • To have the Sensor Gateway running behind a proxy, ensure you configure the Docker client to use proxy. For more information, see Configure Docker to use a proxy server.
  • If you use the proxy feature of the Sensor Gateway and there is a proxy server that sits between the Sensor Gateway and Carbon Black Cloud, you must ensure that the Carbon Black Cloud URLs are accessible through the proxy. If you set up mirrors for the Update servers, verify that they are reachable through the proxy as well.
  • Verify that your environment is configured with the necessary network settings. For details, see Configure a Firewall.
  • Verify that your firewall setup does not block projects.registry.vmware.com on port 443.

Procedure

  1. Log in to your server as root and ensure OpenSSL is installed.
    If not already, install OpenSSL using a system package manager.
  2. Prepare the certificates.
    1. Name the SSL Certificate file as sgw_certificate.pem.
    2. Name the SSL Certificate Private Key file as sgw_key.pem.
    3. (Omit this step if you are using a self-signed certificate.) Name the SSL Certificate Chain file as sgw_chain.pem.
    4. (Omit this step if you are using a self-signed certificate.) To verify if the certificate is valid, run the command: 
      openssl verify -CAfile sgw_chain.pem sgw_certificate.pem
      If the certificate is valid, you get the response: sgw_certificate.pem: OK
    5. Create /data folder at the root level and make the following subfolders on your server.
      • /data/certs - Stores certificates, keys, and optionally, certificate chain file.
      • /data/logs - Stores the logs generated at runtime.
    6. Copy the certificate, the private key, and the chain file in the /data/certs directory.
      Note: You do not need the chain file if you are using self-signed certificate.
  3. Download the script, which installs and sets up the Sensor Gateway on each server individually. 
    wget https://prod.cwp.carbonblack.io/sgw/installer/linux/1.2.0/sensor_gw_install.zip
  4. Unzip the Sensor Gateway installation zip file in the location where you downloaded it. Locate the shell script sensor_gw_install.sh.
  5. By default, the shell script is not executable. Run the following command to make the script executable. 
    chmod +x sensor_gw_install.sh
  6. Acquire the Sensor Gateway registration API key.
    For details, see Provision Sensor Gateway API Key.

What to do next

Install the Sensor Gateway.