Migrate Sensor Proxy
Migrating Sensor Proxy to a new machine is simple and does not require you to relink sensors. You can migrate Sensor Proxy by copying the certificates from the existing Sensor Proxy installation to the new server and linking the new Sensor Proxy to Tenable Vulnerability Management or Tenable Security Center.
Follow the steps in this topic to migrate Sensor Proxy to a new machine.
To migrate Sensor Proxy:
-
Perform the following steps on your current Sensor Proxy machine:
-
Back up the existing certificates by running the following command:
Copy# tar -C /usr/local -cvzf sensorproxybackup.tgz etc/nginx/ssl/
-
(Optional) Verify that the correct files have been archived by running the following command:
Copy# tar -tvzf sensorproxybackup.tgz
drwxr-xr-x root/root 0 2023-04-18 21:48 etc/nginx/ssl/
-rw------- root/root 3247 2023-02-13 15:29 etc/nginx/ssl/ca.key
-rw-rw-rw- root/root 2000 2023-02-13 15:29 etc/nginx/ssl/ca.pem
-rw------- root/root 3243 2023-02-13 15:29 etc/nginx/ssl/cert.key
-rw-rw-rw- root/root 1976 2023-02-13 15:29 etc/nginx/ssl/cert.pem -
Copy the backup archive to a safe location or to the new Sensor Proxy machine by running the following command:
Copy# scp ~/sensorproxy.tgz <user>@<ip address>:
-
Do one of the following:
-
If your sensors are linked via IP address:
Decommission the existing Sensor Proxy. Once the existing Sensor Proxy machine is decommissioned, start the new Sensor Proxy machine with the same IP address as the previous Sensor Proxy machine. Step 2f is optional.
-
If your sensors are linked via hostname:
Step 2f is required. Continue to step 2a.
-
-
-
Perform the following steps on the new Sensor Proxy machine:
-
(This step is not required if the system is a Tenable Core + Sensor Proxy system that already has Sensor Proxy installed and running.) Install the latest Sensor Proxy rpm from https://www.tenable.com/downloads/sensor-proxy by running one of the following commands:
-
Copy the backup file to the new Sensor Proxy machine by running the following command:
Copy# scp sensorproxy.tgz <user>@<ip address>:
The new server must have the same IP as the old server if sensors are linked to Sensor Proxy using IP addresses.
-
Extract the backup archive on the new machine by running the following command:
Copy# tar xvzf sensorproxybackup.tgz -C /usr/local/
-
Link Sensor Proxy to either Tenable Vulnerability Management or Tenable Security Center:
Link to Tenable Vulnerability Management
Link Sensor Proxy to Tenable Vulnerability Management by running the following command:
Copy# /opt/sensor_proxy/sbin/configure --link --key=<linking_key> --name=<name>
For key, use the Tenable Vulnerability Management linking key. For information on retrieving the linking key, see Link a Sensor in the Tenable Vulnerability Management Vulnerability Management User Guide.
Note: The --name argument is optional. If no name is provided, the name defaults to Sensor Proxy.
Link to Tenable Security CenterLink Sensor Proxy to Tenable Security Center by running the following command:
Copy# /opt/sensor_proxy/sbin/configure --link --key=<linking_key> --host=<linking_host> --port=8837 --ca-path=</path/to/security_center_CA> [--name=<sensor_proxy_name>]
For key, use the Tenable Security Center linking key. For ca-path, use the standard Tenable Security Center CA certificate file and path (/opt/sc/data/CA/TenableCA.crt) or, if applicable, your organization's customer certificate and path.
For information on adding Sensor Proxy to Tenable Security Center, see Sensor Proxies the Tenable Security Center User Guide.
Note: The --name argument is optional. If no name is provided, the name defaults to Sensor Proxy.
-
Enable and start the Sensor Proxy service by running the following command:
Copy# systemctl enable --now sensorproxy
-
If your sensors are linked to Sensor Proxy using a hostname, change the DNS for the hostname. Sensors connect to the new Sensor Proxy machine as DNS changes propogate.
-
Sensors connect to the new Sensor Proxy instance as they check for jobs and updates.