To set up each of your Linux servers for the Sensor Gateway installation, follow this procedure.


  • Provision a signed SSL certificate.
    • A CA-signed certificate is preferred. For more information, see Sensor Gateway Certificates.
    • A self-signed certificate can be used. However, it requires pushing the certificate into the trust store of each sensor workload.
    • The private key for the certificate.
  • If you have a CA-signed certificate or an internal certificate that has an Online Certificate Status Protocol (OCSP) responder, you may have to provision the entire certificate chain. The Sensor Gateway uses the certificate and its chain to get the OCSP response and staple it with every request. This ensures that the sensors do not reach out to the OCSP responders directly.

    You can generate the Certificate Chain file by using any online service that offers a certificate chain composition. For more information, see Create a Certificate Chain File.

  • Acquire a Static IP for each Sensor Gateway server.
  • Reserve a DNS entry. For example,

    To install the Sensor Gateway in your environment, map its DNS entry to the IP address that you previously allocated to the server.

    Use this DNS-to-IP mapping if you plan to configure your Sensor Gateway with its FQDN.

  • Ensure that sensors can reach the Sensor Gateway.
  • Ensure that port 443 is open on the Sensor Gateway.
  • Ensure that the Sensor Gateway has connectivity to the Internet. The Sensor Gateway must have connectivity to Carbon Black Cloud. It might also need to reach out to CA providers to get Online Certificate Status Protocol (OCSP) responses for the validity of its digital certificate.


  1. Log in to your server and ensure that OpenSSL is installed.
    If it is not already installed, install OpenSSL using a system package manager.
  2. Prepare the certificates.
    1. Name the SSL Certificate file as sgw_certificate.pem.
    2. Name the SSL Certificate Private Key file as sgw_key.pem.
    3. (Omit this step if you are using a self-signed certificate.) Name the SSL Certificate Chain file as sgw_chain.pem.
    4. (Omit this step if you are using a self-signed certificate.) To verify if the certificate is valid, run the command:
      openssl verify -CAfile sgw_chain.pem sgw_certificate.pem
      If the certificate is valid, you get the response: sgw_certificate.pem: OK
    5. Create a /data folder at the root level and create the following subfolders on your server.
      • /data/certs - Stores certificates, keys, and optionally, certificate chain file.
      • /data/logs - Stores the logs generated at runtime.
    6. Copy the certificate, the private key, and the chain file into the /data/certs directory.
      Note: You do not need the chain file if you are using a self-signed certificate.
  3. Download the installation script.
    The script installs and sets up the Sensor Gateway on each server individually.
  4. Acquire the Sensor Gateway registration key.
    1. Log in to the Carbon Black Cloud console with your account credentials.
    2. Navigate to the Settings > API Access page and click Add API Key.
    3. Enter a name and select Custom from the Access Level type drop-down menu.
    4. Select Sensor Gateway from the Custom Access Level drop-down menu.
    5. Save the API Secret Key and the API ID.
      You are prompted to use them when installing the Sensor Gateway.
    Setting the access level for a Sensor Gateway instance.
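
The certificate preparation in step 2 can be scripted as follows. This is an added example, not part of the product's installation script; the function name sgw_stage_certs, the key-to-certificate match check, and the expiry check are additions, while the file names, the openssl verify command, and the folder layout come from the steps above.

```shell
#!/bin/sh
# Added example, not part of the vendor installation script.
# Usage: sgw_stage_certs SRC_DIR [DEST_ROOT]   (DEST_ROOT defaults to /data)
# The key/certificate match and expiry checks are additions; the file names,
# the chain verification and the folder layout follow the documented steps.

sgw_stage_certs() {
    src=$1
    root=${2:-/data}
    cert="$src/sgw_certificate.pem"
    key="$src/sgw_key.pem"
    chain="$src/sgw_chain.pem"   # absent when the certificate is self-signed

    for f in "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f" >&2
            return 1
        fi
    done

    # Added check: the private key must belong to the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "sgw_key.pem does not match sgw_certificate.pem" >&2
        return 1
    fi

    # Added check: refuse a certificate that has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "sgw_certificate.pem has expired" >&2
        return 1
    fi

    # Step 2.4: verify against the chain and require the documented "OK" reply.
    if [ -f "$chain" ]; then
        out=$(openssl verify -CAfile "$chain" "$cert" 2>&1) || true
        case $out in
            *": OK"*) ;;
            *) echo "chain verification failed: $out" >&2; return 1 ;;
        esac
    fi

    # Steps 2.5 and 2.6: create the folders and copy the files into place.
    mkdir -p "$root/certs" "$root/logs" || return 1
    cp "$cert" "$key" "$root/certs/" || return 1
    if [ -f "$chain" ]; then cp "$chain" "$root/certs/" || return 1; fi
    return 0
}
```

Run it from the directory that holds the renamed files, for example `sgw_stage_certs . /data`; nothing is copied unless every check passes.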

What to do next

Install the Sensor Gateway.