topic Re: Using SSL with connection between forwarders and AWS ACM (certificate MAanger) in Security

Using SSL with connection between forwarders and AWS ACM (certificate MAanger)

aamer86 — Sun, 26 Feb 2023 08:58:10 GMT

Hi,

We have a set of indexers with no public IPs behind AWS NLB
We would like to use AWS certificates that terminate on the NLB

We have the ACM pem certifcate and the CA (you cant get the private key)
We tested it using openSSL and it is working using the CAfile

How can I configure my UF to use SSL with only the destination pem and CAfile

Thanks

Re: Using SSL with connection between forwarders and AWS ACM (certificate MAanger)

tt-nexteng — Tue, 14 Jan 2025 14:46:55 GMT

Have you already solved this issue?
I also want to do the same, but I encountered the following problem:
Active forwards:
None
Configured but inactive forwards:
mysubdomain:443

Re: Using SSL with connection between forwarders and AWS ACM (certificate MAanger)

isoutamo — Tue, 14 Jan 2025 17:25:02 GMT

Splunk forwarders didn’t support NLB between forwarders and indexers. Only place where you could use it is with HEC.

Re: Using SSL with connection between forwarders and AWS ACM (certificate MAanger)

tt-nexteng — Wed, 22 Jan 2025 06:09:42 GMT

Thank you for your reply.

Could you tell me how to set up indexes in a private subnet without using an NLB, and how to configure forwards?

Re: Using SSL with connection between forwarders and AWS ACM (certificate MAanger)

isoutamo — Wed, 22 Jan 2025 07:49:13 GMT

Splunk have internal LB in UF/HF -> HF/Indexers. There are two options to use it. If you have static IPs on your indexers then you can just create outputs.conf which contains those. But if you have not so static IP on indexers (those are e.g. in cloud, or you need more indexers frequently) then you could use indexer discovery feature. This keeps list of indexers on master node and UFs/HFs is asking it and then those can modify their output targets on fly.

https://docs.splunk.com/Documentation/Splunk/latest/Indexer/indexerdiscovery

Re: Using SSL with connection between forwarders and AWS ACM (certificate MAanger)

tt-nexteng — Wed, 22 Jan 2025 09:41:46 GMT

Thank you for providing the link. Let me confirm once again.

My client requires all nodes to be kept in a private subnet.

So, by using indexer discovery, I can place both the manager node and peer nodes in the private subnet, then set up an NLB in the public subnet in front of the manager node, with TLS communication encryption enabled.

In this case, in the forwarders’ configuration, I only need to set this NLB to the manager_uri, correct?

Re: Using SSL with connection between forwarders and AWS ACM (certificate MAanger)

isoutamo — Wed, 22 Jan 2025 15:54:08 GMT

You should set pair of HF or UF as a gateway / “NLB” between the source client in public subnet and cluster peers in private network. Those gateway nodes use indexer discovery towards splunk indexers in private subnet. The they have static IPs towards public subnet and they received events from source systems. Then in source systems are static outputs.conf where are static ips of those gateway nodes. There is no direct connections between source systems and splunk indexers or manager node. NLB cannot be e.g. F5, AWS NLB or any similar real load balancer.

Re: Using SSL with connection between forwarders and AWS ACM (certificate MAanger)

tt-nexteng — Mon, 03 Feb 2025 12:03:20 GMT

Thank you very much.