topic Re: Encryption from Forwarder to Indexer in Security

Encryption from Forwarder to Indexer

Stefanie — Tue, 14 Dec 2021 14:24:38 GMT

We have two sites with two indexers per site. A total of four indexers.

I have to set up certificate-based encryption from all forwarders to Indexers.

What is the easiest way to go about setting up certificates? Can I generate one certificate for ALL forwarders and another certificate for ALL indexers ?

Any assistance is appreciated!

Re: Encryption from Forwarder to Indexer

richgalloway — Tue, 14 Dec 2021 22:01:37 GMT

It's common practice to have a common certificate for all forwarders and individual certificates for each indexer.

Re: Encryption from Forwarder to Indexer

Stefanie — Wed, 15 Dec 2021 16:54:52 GMT

Thank you. How would I generate the common certificate to be used by all forwarders?

I've read this article: https://docs.splunk.com/Documentation/Splunk/8.2.3/Security/Howtogetthird-partycertificates

I assume for the Fowarders I would not enter a common name, correct?

Re: Encryption from Forwarder to Indexer

richgalloway — Wed, 15 Dec 2021 18:50:34 GMT

That is correct.

Re: Encryption from Forwarder to Indexer

PickleRick — Wed, 15 Dec 2021 20:51:57 GMT

Depends on what you want to achieve. Technically, you could even use the same crypto material for all servers. But that's against any reasonable good security practices.

As a rule of thumb every subject should use its own certificate. This way you have control over authentication and authorization. Especially if we're talking about uf's which might be installed in various environments. If you installed them all with the same cert, compromise of the key from one forwarder would result in necessity to replace certs on all forwarders.

And yes, I know that management of several dozens or hundreds of forwarders with certificates is a huge PITA.