To enable Redis network encryption in a Carbon Black EDR environment, perform the following procedure.
This procedure assumes that the certificate and key files have been generated and placed in /etc/cb/certs.
Prerequisites
- Install the Carbon Black EDR server and verify that it is working.
- Generate signed certificates for Redis to use for encryption.
- Obtain the CA certificate for the signer.
- Select a secure password for Redis authentication.
Procedure
- Stop all services by running the command for your deployment type:
For standalone systems:
/usr/share/cb/cbservice cb-enterprise stop
For clustered systems:
/usr/share/cb/cbcluster stop
- Add the following lines to /etc/cb/cb.conf on each system in the cluster (primary and minions):
RedisUseSSL=True
RedisPort=6379
RedisLocalPort=6378
SSLRedisCertFile=/etc/cb/certs/cb-redis.crt
SSLRedisKeyFile=/etc/cb/certs/cb-redis.key
SSLRedisCACertFile=/etc/cb/certs/cb-redis-ca.crt
RedisUsePassword=True
RedisPassword=<insert password here>
Note:
cb.conf permissions are restricted to the root user and the Carbon Black group to protect sensitive configuration information, including the Redis password.
For more information about cb.conf, see the VMware Carbon Black EDR Server Configuration Guide.
- Make sure that every minion has the Redis CA certificate and a client certificate at the paths configured in its cb.conf.
- Restart the services by running the command for your deployment type:
For standalone systems:
/usr/share/cb/cbservice cb-enterprise start
For clustered systems:
/usr/share/cb/cbcluster start
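Before restarting, a pre-flight check of each cb.conf catches the common mistakes in the steps above (a flag left at its default, a certificate path that does not exist on a minion, the placeholder password, or a world-readable config file). The script below is an added example, not part of Carbon Black EDR; it reads only the keys listed in the procedure, and the optional check_redis_certs function assumes openssl is installed.

```shell
#!/bin/sh
# Pre-flight check for the Redis TLS and authentication keys in cb.conf.
# Usage: sh check_redis_tls.sh [/etc/cb/cb.conf]
# Prints one FAIL line per problem; exit status 0 means every check passed.

# Print the value of key $2 from cb.conf $1 (last occurrence wins).
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Validate the keys added in the procedure. Returns 0 if all pass, 1 otherwise.
check_redis_conf() {
    conf="$1"; rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }

    # Both flags must be literally True, otherwise Redis runs without TLS or auth.
    for key in RedisUseSSL RedisUsePassword; do
        [ "$(conf_get "$conf" "$key")" = "True" ] || { echo "FAIL: $key is not True"; rc=1; }
    done

    # The certificate, key and CA files must exist where cb.conf points (checked per node).
    for key in SSLRedisCertFile SSLRedisKeyFile SSLRedisCACertFile; do
        path="$(conf_get "$conf" "$key")"
        [ -n "$path" ] && [ -f "$path" ] || { echo "FAIL: $key missing or not found: '$path'"; rc=1; }
    done

    # The password must be set and must not be the placeholder from the documentation.
    pw="$(conf_get "$conf" RedisPassword)"
    case "$pw" in
        ""|"<insert password here>") echo "FAIL: RedisPassword is empty or still the placeholder"; rc=1 ;;
    esac

    # cb.conf holds the Redis password, so the "other" permission bits must all be clear.
    perms="$(stat -c %a "$conf" 2>/dev/null || stat -f %Lp "$conf")"
    case "$perms" in
        *[1-7]) echo "FAIL: $conf is world-accessible (mode $perms)"; rc=1 ;;
    esac
    return $rc
}

# Optional: confirm the server certificate chains to the configured CA and matches its key.
check_redis_certs() {
    conf="$1"
    cert="$(conf_get "$conf" SSLRedisCertFile)"; key="$(conf_get "$conf" SSLRedisKeyFile)"
    ca="$(conf_get "$conf" SSLRedisCACertFile)"
    openssl verify -CAfile "$ca" "$cert" >/dev/null || { echo "FAIL: $cert does not verify against $ca"; return 1; }
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "FAIL: $cert and $key do not match"; return 1; }
}

# Run both checks only when a cb.conf path is given on the command line.
if [ $# -gt 0 ]; then check_redis_conf "$1" && check_redis_certs "$1"; fi
```

Run it on the primary and on every minion after editing cb.conf and copying the certificates, since the file-existence check is only meaningful on the node that will start Redis.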