topic Re: Indexer cluster SSL migration from default SSL to self-signed with least downtime? in Security

Indexer cluster SSL migration from default SSL to self-signed with least downtime?

inventsekar — Thu, 24 Aug 2017 04:09:58 GMT

Hi,
1. Lets assume I have around 4 cluster peers with Splunk's default SSL. To migrate from Splunk's default SSL to self-signed SSL,
can I migrate the cluster peers one by one? I mean, on an indexer cluster, can I have two sets of SSL certificates (Splunk's default SSL and my own self-signed SSL)?
2. During the migration, the deployment server should be sending the new self-signed SSL certificates to forwarders. Is this possible?
I mean, one deployment server, handling two sets of SSL certificates.

Re: Indexer cluster SSL migration from default SSL to self-signed with least downtime?

inventsekar — Fri, 25 Aug 2017 07:14:28 GMT

SSL certificates migration process is not documented at all. also i am not seeing any posts related to this topic. Wondering how !!!

Re: Indexer cluster SSL migration from default SSL to self-signed with least downtime?

esix_splunk — Fri, 25 Aug 2017 08:09:28 GMT

Theres no documented process for this, but thinking about a few different scenarios here, here's what I see as working without downtime..

General Outline--
1) Add a new splunktcp-ssl input on your indexers, via the cluster master, on a different port then your current port. E.g. 9998 instead of 9997. This should require a rolling restart to enable the config
2) Create a new app that has the new certs and outputs.conf to point to the splunktcp-ssl on 9998 on your indexer cluster
3) Use the DS to deploy this to clients, and remove the other outputs.conf

As clean up, you can validate that all of your clients are sending to the splunktcp-ssl input on your indexers. Once validated, you can disabled the the non-SSL port on the cluster, and copy the splunktcp-ssl config to 9997 with the same cert. You can then update the primary outputs.conf app on your DS and your clients will get updated and send to 9997.

Re: Indexer cluster SSL migration from default SSL to self-signed with least downtime?

inventsekar — Fri, 25 Aug 2017 08:37:51 GMT

Thanks Esix,.. any ideas and suggestions about without using the 2nd port?
on a indexer cluster, all cluster peers should have the SSL certificate(s) from same root CA, right

Re: Indexer cluster SSL migration from default SSL to self-signed with least downtime?

inventsekar — Tue, 29 Aug 2017 11:18:17 GMT

Hi All, any ideas and suggestions about without using the 2nd port please.. as you know, on production systems it would be difficult to get 2nd port opened for this task alone..
any other ideas, suggestions please..

Re: Indexer cluster SSL migration from default SSL to self-signed with least downtime?

inventsekar — Thu, 02 Nov 2017 12:12:26 GMT

Hi Esix/All,

on an indexer cluster, can I have two sets of SSL certificates (Splunk's default SSL and my own self-signed SSL)?
lets assume i have an indexer cluster with 10 indexers. can i have 8 indexers with Splunk default SSL certificates and 2 indexers with my own self signed certificates? is that possible, please suggest.

Re: Indexer cluster SSL migration from default SSL to self-signed with least downtime?

hardikJsheth — Thu, 02 Nov 2017 12:32:01 GMT

Do you want to use SSL certificates for encrypting communication between forwarder and indexer or you are referring to changing SSL certificates for Management port ?

With Splunk 6.3 and above it uses same certificates for all the nodes within indexer cluster including master node.

Re: Indexer cluster SSL migration from default SSL to self-signed with least downtime?

inventsekar — Thu, 02 Nov 2017 12:38:44 GMT

we want to use SSL certificates for encrypting communication between forwarder and indexer