topic Re: Multiple CAs in cluster? in Security

Multiple CAs in cluster?

PickleRick — Thu, 25 Feb 2021 12:52:17 GMT

Hi There.

I know I can use multiple inputs/outputs with separate CAs and even certs to permit different peers to inject data into the Splunk installation.

But I have a different situation. I have a cluster installation (let's say 4 indexers and 2 search-heads) which are configured to use (RootCA->Intermediate1) chain for cert verification and the servers just present the "final" cert without certification chain. I don't know why it was done this way instead of properly configuring just RootCA for verification and configuring the components to present full certification chain - I "inherited" this installation so it was already like that when I got this.

I need to add another indexer to the installation. The problem is that now we have another Intermediate2 CA and I'm getting new certs from that new Intermediate2 CA (which is a subordinate of the same RootCA as the Intermediate1). Is there any reasonable way to avoid full reconfiguration of CAs? Can I provide Splunk - for example - with a set of two different CAs with which it would try to authenticate peer?

I know I should just reconfigure all members to "properly" use RootCA but it's a big operation and requires full system downtime. If I could just reconfigure the system piece-by-piece, that would be great.

Re: Multiple CAs in cluster?

splunkyj — Fri, 26 Feb 2021 23:12:33 GMT

I just replaced our system to use third party certificates. If your question is just regarding root CA which is defined in:

etc/system/local/server.conf

[sslConfig]

sslRootCAPath = /opt/splunk/etc/auth/foldername_root_CA/name_Root_CA.pem

We used the same path for all of our Root CA, for all our instances. If you go to that path, in this example /opt/splunk/etc/auth/foldername_root_CA/name_Root_CA.pem> open up name_Root_CA.pem. Copy the new Root CA that has been converted to .pem, and paste it to name_Root_CA.pem by adding it. You're not replacing the whole thing, just adding the new CA.

Copy from -----BEGIN CERTIFICATE-----, all the way to -----BEGIN CERTIFICATE-----

Your new server certificates, however will need the whole certificate chain in the .pem format. You can find the path in server.conf as well :

etc/system/local/server.conf

[sslConfig]

serverCert = $SPLUNK_HOME/etc/auth/servername_or_whatever/fqdn_cert.pem

The instructions to prepare your certificates can be found here: https://docs.splunk.com/Documentation/Splunk/8.0.4/Security/HowtoprepareyoursignedcertificatesforSplunk

Re: Multiple CAs in cluster?

splunkyj — Fri, 26 Feb 2021 23:14:05 GMT

Correction:

Copy from -----BEGIN CERTIFICATE-----, all the way to -----END CERTIFICATE-----

Re: Multiple CAs in cluster?

PickleRick — Sat, 27 Feb 2021 16:44:58 GMT

Hmm...

Do you mean that I can put multiple CA certs in the pem file configured as sslRootCAPath? And all will be checked for validation of the client's cert? That'd be great.

Re: Multiple CAs in cluster?

splunkyj — Mon, 01 Mar 2021 14:32:17 GMT

That is correct. To make it easier for you to know what has been concatenated together without having to use openssl or open each one to compare in the future - you can place all the individual root CA's in the same folder as well - for reference only: and only point to that one .pem file in server.conf :

Hope that helps.

Re: Multiple CAs in cluster?

PickleRick — Tue, 02 Mar 2021 08:05:42 GMT

Thank you. That's the vital piece of information I've been missing. After fifth or sixth reading I finally noticed that the docs say "one or more CA certificates".

It does work indeed!