If you are currently using Carbon Black EDR on RHEL 7 in FIPS mode and plan to upgrade to RHEL 8, this migration path provides guidance on how to migrate your FIPS-enabled deployment to RHEL 8 FIPS while maintaining the integrity and security of your environment.
Prerequisites
- Contact Carbon Black Technical Support and request a FIPS-compatible license file.
- To prevent sensor communication failures, make sure that the Server URL in all sensor groups use the server's hostname if you expect the IP addresses of the nodes to change.
- Prepare for downtime. The process can take significant time because it involves both an operating system and Carbon Black EDR upgrade. The time required is also impacted by the number of nodes to upgrade in a clustered environment.
Procedure
- Upgrade the Carbon Black EDR Server to 7.8.0. See Upgrading a Server.
- Prepare the Carbon Black EDR for an operating system upgrade.
- Back up the data on your Carbon Black EDR Server. See Back up a Server.
- Stop the
cb-enterprise
services:
Standalone:
sudo service cb-enterprise stop
Cluster:
sudo /usr/share/cb/cbcluster stop
- Remove
cb-enterprise
by using yum. This action removes packages and libraries but retains configuration and other data.
yum autoremove cb-enterprise
- Upgrade RHEL 7 to RHEL 8.
- Disable FIPS on RHEL 7. This is a RHEL-recommended prerequisite.
Note: If you are following the upgrade instructions from
Disable FIPS on RHEL 7 (external link), Step 4 might differ depending on your setup configuration. Step 4 instructs you to remove the
fips=1
argument from the kernel command line; the second command in that instruction adds a space in the substitute pattern. Review the
/etc/default/grub file to determine whether the entry is
'fips=1'
or
' fips=1'
, and adjust the command accordingly.
The command is either:
[[ -f /etc/default/grub ]] && sed -i 's/ fips=1//' /etc/default/grub
OR
[[ -f /etc/default/grub ]] && sed -i 's/fips=1//' /etc/default/grub
- Perform the upgrade as per RHEL documentation: Upgrading from RHEL 7 to RHEL 8 (external link).
Caution: Do not perform the following steps in the RHEL documentation:
- Do not enable FIPS mode after upgrading to RHEL 8 because you will enable it in Step 9 (post-OpenSSL migration).
- Do not set system cryptographic policy to
FUTURE
; keep this policy as DEFAULT
.
- Do not remove the
carbon-black-release-<version>
RPM when you perform post-RHEL 8 upgrade tasks. The instructions state to remove this RPM when you identify the RHEL 7 packages to remove. The following command identifies all RHEL 7 packages:
‘rpm -qa | grep -e '\.el[67]' | grep -vE '^(gpg-pubkey|libmodulemd|katello-ca-consumer)' | sort’
Carbon Black EDR recommends that you remove the Carbon Black EDR RPM license from the removal list.
- Reinstall Carbon Black EDR Server using RHEL 8.
- Run the following command:
sudo yum module disable postgresql redis python38 python39
- Run the following command:
sudo yum install cb-enterprise
If prompted, install the CentOS GPG key.
- If your environment requires outbound firewall exceptions, make sure that the exceptions documented in Firewall and Connectivity Requirements are followed.
- Review the repo files at /etc/yum_repos.d to make sure that the RHEL 8 Base repository is enabled.
Note: Yum supports web proxies. However,
Carbon Black EDR cannot use Yum together with NTLM-authenticated web proxies.
- Verify and apply all SELinux mismatches:
- sudo /usr/share/cb/cbcheck selinux -m
- sudo /usr/share/cb/cbcheck selinux -a
- If Carbon Black EDR manages your firewall, verify and apply all required firewell rules:
- sudo /usr/share/cb/cbcheck firewall -l
- sudo /usr/share/cb/cbcheck firewall -a
Note: If you are working in a clustered environment, perform Steps 1-4 on all nodes.
- Start the Carbon Black EDR server.
For standalone systems:
/usr/share/cb/cbservice cb-enterprise start
For clustered systems:
/usr/share/cb/cbcluster start
- Verify that all relevant sensors are checking in to the server and that pre-upgrade operations are restored.
- Follow the instructions in Migration from Legacy to System OpenSSL on EL 8.
Important: This step is essential to make sure that the certificates used by
Carbon Black EDR are compatible with RHEL 8 FIPS mode.
- Verify that all relevant sensors are checking in to the server.
- Enable FIPS mode on all nodes at the OS level. See Enable FIPS Mode on a RHEL 8 Machine.
Note: Do not reboot the machine until after you have performed Step 10.
- Enable FIPS in Solr. See Solr FIPS.
Note: If you have a cluster deployment, perform this step on all nodes. If you have already added a node as a non-root user, you must update the
sudoers file. See
Required User Privileges.