Carbon Black EDR Server version 7.8.0+ enforces the use of system-provided FIPS-compliant OpenSSL 1.1.1+ with OpenResty, built with Nginx 1.21.4+, on EL 8 systems. Older Carbon Black EDR packages included OpenResty version 1.21.4.1-1a, which required the OpenResty-OpenSSL package; this is a custom package built by Carbon Black.

With the release of Carbon Black EDR Server 7.8.0, this dependency is removed and a new OpenResty version 1.21.4.1-1b is packaged. The updated version requires the use of the system-provided OpenSSL 1.1.1+. However, a direct upgrade to the new OpenResty version can result in a complete failure of sensor-server communication due to the incompatibility of the old sensor client and server certificates.

Carbon Black EDR recommends the following workflow:

  1. Scan your certificates. See Scanning Certificates.

    The scan results output table should be similar to the following table. The Status field for all certificates is Pass. The Reason and Remedy columns are N/A; therefore, they are not shown here.

    Table 1. Scanning Carbon Black EDR Issued and User-configured Certificates - Passed
    Name Location
    Alliance /etc/cb/certs/carbonblack-alliance-client.crt
    Legacy /etc/cb/certs/cb-server.crt
    Client-CA /etc/cb/certs/cb-client-ca.crt
    Custom Carbon Black EDR database
    UI /etc/cb/certs/cb-server.crt
    Redis-CA /etc/cb/certs/cb-redis-ca.crt
    Redis /etc/cb/certs/cb-redis.crt
  2. Regenerate certificates. See Regenerating Certificates.
  3. Wait for the server and sensors to accept the regenerated certificates.
    Caution: It is critical to make sure that all online sensors are continuously checking in with the server before you proceed with the OpenResty upgrade.

    You must also address the status of sensors that were offline during the Client CA regeneration process (Client Certificate Authority, Step 6).

    Failure to take these steps can prevent affected sensors from successfully checking in and sending data to the server after the OpenResty upgrade.

  4. Upgrade OpenResty to version 1.21.4.1-1b.

See Upgrade OpenResty to Version 1.21.14.1-1b for details.