To enable Redis network encryption in a Carbon Black EDR environment, perform the following procedure.
This procedure assumes that the certificate and key files have already been generated and placed in /etc/cb/certs.
Prerequisites
- Install the Carbon Black EDR server and verify that it is working.
- Generate signed certificates for Redis to use for encryption.
- Obtain the CA certificate for the signer.
- Select a secure password for authentication.
Procedure
- Stop all services by running the following command:
For standalone systems:
/usr/share/cb/cbservice cb-enterprise stop
For clustered systems:
/usr/share/cb/cbcluster stop
- Add the following lines to /etc/cb/cb.conf on each system in the cluster (primary and minions):
RedisUseSSL=True
RedisPort=6379
RedisLocalPort=6378
SSLRedisCertFile=/etc/cb/certs/cb-redis.crt
SSLRedisKeyFile=/etc/cb/certs/cb-redis.key
SSLRedisCACertFile=/etc/cb/certs/cb-redis-ca.crt
RedisUsePassword=True
RedisPassword=<insert password here>
Note:
cb.conf permissions are restricted to root user and the Carbon Black group to protect sensitive configuration information.
For more information about cb.conf, see the Carbon Black EDR Server Configuration Guide.
- Make sure that all minions have a Redis CA certificate and a client certificate.
- Restart the services (the full cluster on clustered systems) by running the following command:
For standalone systems:
/usr/share/cb/cbservice cb-enterprise start
For clustered systems:
/usr/share/cb/cbcluster start
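As an added pre-flight check, not part of the Carbon Black documentation or product, the following POSIX shell function validates the Redis TLS settings before the services are started: it confirms that every key from the procedure is present in cb.conf, that the placeholder password was replaced, that the certificate, key and CA files are readable, that the private key is not world-readable, that the key matches the certificate, and that the certificate chains to the CA the minions will trust. The make_sample helper builds a constructed fixture (a throwaway CA and a certificate it signs, plus a cb.conf fragment) in a directory you choose; the /etc/cb/certs file names are assumed from the procedure above.

```shell
# check_redis_tls CONF: validate the Redis TLS settings in a cb.conf-style
# file; prints each problem found and returns 0 only when all checks pass.
check_redis_tls() {
  conf="$1"; rc=0
  for k in RedisUseSSL SSLRedisCertFile SSLRedisKeyFile SSLRedisCACertFile \
           RedisUsePassword RedisPassword; do
    grep -q "^$k=" "$conf" || { echo "missing $k"; rc=1; }
  done
  # the template value from the procedure must have been replaced
  grep -q '^RedisPassword=<' "$conf" && { echo "placeholder RedisPassword"; rc=1; }
  crt=$(sed -n 's/^SSLRedisCertFile=//p' "$conf")
  key=$(sed -n 's/^SSLRedisKeyFile=//p' "$conf")
  ca=$(sed -n 's/^SSLRedisCACertFile=//p' "$conf")
  for f in "$crt" "$key" "$ca"; do
    [ -r "$f" ] || { echo "unreadable $f"; rc=1; }
  done
  [ -r "$crt" ] && [ -r "$key" ] && [ -r "$ca" ] || return $rc
  # private key must not be world-readable (-perm -004 is POSIX find)
  [ -z "$(find "$key" -perm -004)" ] || { echo "key $key is world-readable"; rc=1; }
  # key must belong to the certificate: compare the public keys
  [ "$(openssl x509 -in "$crt" -pubkey -noout)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "key does not match certificate"; rc=1; }
  # certificate must chain to the CA that the minions will trust
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo "cert not issued by CA"; rc=1; }
  return $rc
}

# make_sample DIR PASSWORD: constructed test fixture (a throwaway CA, a
# cert it signs, and a cb.conf fragment); prints the path of the conf file.
make_sample() {
  d="$1"; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=cb-redis-ca \
    -keyout "$d/ca.key" -out "$d/cb-redis-ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=cb-redis \
    -keyout "$d/cb-redis.key" -out "$d/cb-redis.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/cb-redis.csr" -CA "$d/cb-redis-ca.crt" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/cb-redis.crt" 2>/dev/null
  chmod 600 "$d/cb-redis.key"
  cat >"$d/cb.conf" <<EOF
RedisUseSSL=True
SSLRedisCertFile=$d/cb-redis.crt
SSLRedisKeyFile=$d/cb-redis.key
SSLRedisCACertFile=$d/cb-redis-ca.crt
RedisUsePassword=True
RedisPassword=$2
EOF
  echo "$d/cb.conf"
}
```

On a real server run check_redis_tls /etc/cb/cb.conf on the primary and on each minion before the start command; a non-zero exit means the services would come up with broken or insecure Redis TLS settings.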