To enable Redis network encryption in a Carbon Black EDR environment, perform the following procedure.

In the following procedure, the files are generated and located in /etc/cb/certs.

Prerequisites

  • Install the Carbon Black EDR server and verify that it is working.
  • Generate signed certificates for Redis to use for encryption.
  • Obtain the CA certificate for the signer.
  • Select a secure password for authentication.

Procedure

  1. Stop all services by running the command for your deployment type:
    For standalone systems:
    /usr/share/cb/cbservice cb-enterprise stop
    For clustered systems:
    /usr/share/cb/cbcluster stop
  2. Add the following lines to /etc/cb/cb.conf on each system in the cluster (primary and minions):
    RedisUseSSL=True
    RedisPort=6379
    RedisLocalPort=6378
    SSLRedisCertFile=/etc/cb/certs/cb-redis.crt
    SSLRedisKeyFile=/etc/cb/certs/cb-redis.key
    SSLRedisCACertFile=/etc/cb/certs/cb-redis-ca.crt
    RedisUsePassword=True
    RedisPassword=<insert password here>
    Note: cb.conf permissions are restricted to root user and the Carbon Black group to protect sensitive configuration information.

    For more information about cb.conf, see the VMware Carbon Black EDR Server Configuration Guide.

  3. Make sure that all minions have a Redis CA certificate and a client certificate.
  4. Restart the services by running the command for your deployment type:
    For standalone systems:
    /usr/share/cb/cbservice cb-enterprise start
    For clustered systems:
    /usr/share/cb/cbcluster start
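
A pre-flight check that can be run on each node after step 3 and before the restart in step 4. This is an added example, not VMware tooling or part of the original procedure. It assumes the openssl command-line tool is installed, and the function names (conf_get, no_world_access, check_redis_tls) are hypothetical.

```shell
#!/bin/sh
# Added example (not VMware tooling): pre-flight check of the Redis TLS
# settings from step 2. Source this file, then run on every node:
#   check_redis_tls /etc/cb/cb.conf

# Print the value of setting $2 in KEY=VALUE file $1.
# Assumption: if a key is repeated, the last occurrence is the one checked.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# True when "other" users have no access bits on $1 (ls mode columns 8-10).
no_world_access() {
    case $(ls -ldL "$1") in ???????---*) return 0 ;; *) return 1 ;; esac
}

fail() { echo "FAIL: $*" >&2; rc=1; }

check_redis_tls() {
    conf=${1:-/etc/cb/cb.conf}; rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf" >&2; return 2; }
    no_world_access "$conf" || fail "$conf is accessible to other users"

    [ "$(conf_get "$conf" RedisUseSSL)" = "True" ] || fail "RedisUseSSL is not True"
    [ "$(conf_get "$conf" RedisUsePassword)" = "True" ] || fail "RedisUsePassword is not True"
    case $(conf_get "$conf" RedisPassword) in
        ""|"<insert password here>") fail "RedisPassword is empty or the placeholder" ;;
    esac

    crt=$(conf_get "$conf" SSLRedisCertFile)
    key=$(conf_get "$conf" SSLRedisKeyFile)
    ca=$(conf_get "$conf" SSLRedisCACertFile)
    for f in "$crt" "$key" "$ca"; do
        [ -n "$f" ] && [ -r "$f" ] || fail "missing or unreadable file: '$f'"
    done
    [ "$rc" -eq 0 ] || return "$rc"

    # The certificate must chain to the configured CA (also rejects expired certs).
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        fail "$crt does not verify against $ca"
    # The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || true
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || true
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        fail "$key does not match $crt"
    # Added check, not from the page: the key should not be accessible to others.
    no_world_access "$key" || fail "$key is accessible to other users"
    return "$rc"
}
```

The function returns 0 only when every check passes; each failed check is reported on stderr with a FAIL: prefix.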