You can host the Sensor Gateway on a Linux server as a container image. The Linux server must be capable of running containers. To install more than one Sensor Gateway server, repeat the following steps for every Sensor Gateway server.


  • Verify that port 443 is open on the Sensor Gateway.
  • To run the Sensor Gateway behind a proxy, configure the Docker client to use a proxy. See Configure Docker to use a proxy server.


  1. Install Docker.
    For information about installing Docker Engine on a Linux distribution that the Sensor Gateway supports, see Install Docker Engine on CentOS, Install Docker Engine on RHEL, or Install Docker Engine on Ubuntu.
  2. To make the installation script executable, run the following command:
    chmod +x
  3. Run the installation script.
  4. Provide the following input:
    Option Description Example
    API ID

    The API ID and API Secret Key generated in the Carbon Black Cloud console allow an authenticated communication between the Sensor Gateway and the Carbon Black Cloud.

    Both the API ID and API Secret Key are generated in a pair. If there is a mismatch, the Carbon Black Cloud will reject any communication from the Sensor Gateway.


    You must generate a new API ID and API Secret Key for every Sensor Gateway.

    API Secret Key (example: 8UE3SHE475T2LZLJNJ2M98TK)
    Carbon Black Cloud URL

    This URL represents the environment where your services are hosted. Carbon Black Cloud is hosted in several regions. For a list of Carbon Black Cloud environments, see Carbon Black Cloud API Access.
    Note: The value must begin with https://.
    Sensor Gateway entry point URL (https://<sensor-gateway-node-fqdn>)

    An entry point defines how the sensors address the Sensor Gateway.

    The entry point must match the following:

    • If you use a CA-signed or self-signed certificate, this value should be the same as the CN given to the certificate.
    • The IP address or the FQDN of the machine must be the same as the CN of the certificate.

    This example assumes that the CN of the certificate is


    Because the Sensor Gateway services are hosted using SSL, the value must begin with https://.

    Proxy type
    • None: This is the default option.
    • HTTPS or HTTP: Choose one of the following options:
      • Proxy Host: Provide the FQDN or IP address of the Proxy Host.
      • Proxy Port: Provide the port where the Proxy server receives requests.
    Optional: Volume mount directory

    The Sensor Gateway uses a fixed directory to look for certificates and to store logs.

    If you do not provide a value, the default location is the /data directory. To store your certificates or logs in a different directory, provide an absolute path.

    If you use a different directory, create certs and logs folders in this path. Make sure that the certificate, private key, and optional certificate chain are stored in the certs folder before you proceed.

    Because the install script executes with root permissions, by default these directories are owned by the root user and group.

    Optional: Port where Sensor Gateway runs

    By default, the Sensor Gateway services are hosted over SSL on port 443. You can specify a different port.
    Optional: Certificate private key passphrase

    We recommend that you provide a password when you generate a certificate to protect the private key. When prompted during the Sensor Gateway installation, provide this password.

    The Sensor Gateway uses the same password to use the certificate and encrypt the communication between the sensor and itself.

    Provide a password if your sgw_key.pem is password-protected.


After the registration completes, the Sensor Gateway displays as connected in the Settings > API Access > Sensor Gateways page of the Carbon Black Cloud console.

The Sensor Gateway name comes from the API key.
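
The inputs in step 4 can be checked before the installation script runs. The following is an added example, not part of the Carbon Black documentation or the installer: the function names are hypothetical, the certificate file path is passed as an argument because this page names only sgw_key.pem, and the CN lookup assumes the openssl command-line tool is installed.

```shell
#!/usr/bin/env bash
# Added example: pre-install checks for the installer inputs described above.
# Function names are hypothetical; the certificate path is an argument because
# the page names only sgw_key.pem. Sample values in comments are constructed.

# Print the host of an entry point URL; fail unless it begins with https://.
entry_point_host() {
  local rest
  case "$1" in https://?*) ;; *) return 1 ;; esac
  rest="${1#https://}"; rest="${rest%%/*}"; rest="${rest%%:*}"
  [ -n "$rest" ] && printf '%s\n' "$rest"
}

# Extract the CN from an RFC 2253 subject line, e.g. "subject=CN=host,O=Org".
subject_cn() {
  printf '%s\n' "${1#subject=}" | tr ',' '\n' | sed -n 's/^ *CN *= *//p' | head -n 1
}

# Compare certificate CN and entry point host, ignoring case.
cn_matches_host() {
  [ -n "$1" ] && [ "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" = \
                   "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" ]
}

# The volume mount must be an absolute path holding certs/sgw_key.pem and logs/.
check_volume_dir() {
  case "$1" in /*) ;; *) return 1 ;; esac
  [ -d "$1/logs" ] && [ -f "$1/certs/sgw_key.pem" ]
}

# Succeeds when the PEM key is encrypted, so the installer needs the passphrase.
key_needs_passphrase() {
  grep -q 'ENCRYPTED' "$1"
}

# Usage: check_inputs <entry-point-url> <volume-dir> <certificate-file>
check_inputs() {
  local host subject
  host=$(entry_point_host "$1") || { echo "entry point must begin with https://" >&2; return 1; }
  check_volume_dir "$2" || { echo "$2: need an absolute path with certs/sgw_key.pem and logs/" >&2; return 1; }
  subject=$(openssl x509 -in "$3" -noout -subject -nameopt RFC2253) || return 1
  cn_matches_host "$(subject_cn "$subject")" "$host" || { echo "certificate CN does not match $host" >&2; return 1; }
  if key_needs_passphrase "$2/certs/sgw_key.pem"; then echo "sgw_key.pem is encrypted: have the passphrase ready"; fi
  return 0
}
```

Source the file and call check_inputs with the entry point URL, the volume mount directory, and the path to the certificate; a non-zero return identifies an input the installer or the sensors would reject.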