To set up a Linux server for the Sensor Gateway installation, follow this procedure.

Prerequisites

  • Provision a signed SSL certificate. Choose between:
    • Certificate authority (CA) signed certificate. This certificate is the preferred choice.
    • Self-signed certificate. This option requires pushing the certificate into the trust store of each sensor workload.
    • See Sensor Gateway Certificates.
    Note: You need the private key for the certificate.
  • If you have a CA-signed certificate or an internal certificate that has an Online Certificate Status Protocol (OCSP) responder, you might have to provision the entire certificate chain. The Sensor Gateway uses the certificate and its chain to get the OCSP response and staple it with every request. This ensures that the sensors do not reach out to the OCSP responders directly.

    Generate the Certificate Chain file by using any online service that offers a certificate chain composition. See Create a Certificate Chain File.

  • Acquire a static IP address for each Sensor Gateway server.
  • Reserve a DNS entry. For example, sensorgateway.example.com.

    To install the Sensor Gateway in your environment, map its DNS to the IP address that you allocated to the server.

    Use this DNS-to-IP-address mapping to configure the Sensor Gateway with its FQDN.
    Note: You can use an IP address and create the certificate with the IP address as the CN.
  • Verify that sensors can reach the Sensor Gateway.
  • Verify that the Sensor Gateway has connectivity to the Internet. The Sensor Gateway must have connectivity to Carbon Black Cloud. In addition, the Sensor Gateway might need to reach out to CA providers to get Online Certificate Status Protocol (OCSP) responses for the validity of its digital certificate.
  • To run the Sensor Gateway behind a proxy, configure the Docker client to use the proxy. See Configure Docker to use a proxy server.
  • If you use the proxy feature of the Sensor Gateway and there is a proxy server that sits between the Sensor Gateway and Carbon Black Cloud, make sure that the Carbon Black Cloud URLs are accessible through the proxy.
  • Verify that your environment is configured with the necessary network settings. See Configure a Firewall.
  • Verify that your firewall setup does not block projects.registry.vmware.com on port 443.

Procedure

  1. Log in to your Linux server as root and confirm that OpenSSL is installed.
    If OpenSSL is not already installed, use a system package manager to install OpenSSL.
  2. Prepare the certificates:
    1. Name the SSL certificate file sgw_certificate.pem.
    2. Name the SSL certificate private key file sgw_key.pem.
    3. (Omit this step if you are using a self-signed certificate.) Name the SSL certificate chain file sgw_chain.pem.
    4. (Omit this step if you are using a self-signed certificate.) To verify the certificate validity, run the following command:
      openssl verify -CAfile sgw_chain.pem sgw_certificate.pem
      If the certificate is valid, the returned response is: sgw_certificate.pem: OK
    5. Create a /data folder at the root level and make the following subfolders on the server.
      • /data/certs - Stores the certificate, the private key, and, optionally, the certificate chain file.
      • /data/logs - Stores the logs generated at runtime.
    6. Copy the certificate, the private key, and the chain file to the /data/certs directory.
      Note: You do not need the chain file if you are using a self-signed certificate.
  3. Download the script that installs and sets up Sensor Gateway on the Linux server.
  4. Unzip the Sensor Gateway installation zip file. Locate the shell script sensor_gw_install.sh.
  5. By default, the shell script is not executable. Run the following command to make the script executable:
    chmod +x sensor_gw_install.sh
  6. Acquire the Sensor Gateway registration API key.
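
The certificate preparation in step 2, as an added shell example that is not part of the original procedure or of the product's installer. It goes one step beyond the text by also confirming that sgw_key.pem is the private key for sgw_certificate.pem before anything is copied. The function name stage_sgw_certs and its two arguments (source directory, data root) are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks and staging for the Sensor Gateway
# certificate files. stage_sgw_certs is a hypothetical helper name.
#   $1 = directory holding the renamed PEM files
#   $2 = data root (/data in the procedure above)

stage_sgw_certs() {
    local src="$1" dest="$2"
    local cert="$src/sgw_certificate.pem" key="$src/sgw_key.pem" chain="$src/sgw_chain.pem"
    local f cert_pub key_pub

    for f in "$cert" "$key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done

    # The certificate is unusable without its own private key:
    # extract the public key from each file and compare them.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || { echo "cannot parse $cert" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout) || { echo "cannot parse $key" >&2; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi

    # Chain check from step 2.4; skipped when there is no chain file
    # (self-signed certificate).
    if [ -f "$chain" ]; then
        openssl verify -CAfile "$chain" "$cert" || return 1
    fi

    # Stage only after every check has passed, so a failed run
    # does not create or modify the data root.
    mkdir -p "$dest/certs" "$dest/logs" || return 1
    cp "$cert" "$key" "$dest/certs/" || return 1
    if [ -f "$chain" ]; then
        cp "$chain" "$dest/certs/" || return 1
    fi
    echo "staged certificate files in $dest/certs"
}

# Usage: ./stage_certs.sh <source-dir> /data
if [ "$#" -eq 2 ]; then
    stage_sgw_certs "$1" "$2"
fi
```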

What to do next

Install the Sensor Gateway.