Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Bootstrapping a secure management configuration with company certificates

afx
Contributor
‎05-06-2019 05:46 AM

Distributing certificates to forwarders for the indexer configuration works fine in Splunk.
But what about the management communication?
It seems to be a chicken and egg problem.
Can this be done via the deployment mechanism, sending the forwarders appropriate configuration and certificates?
But then as soon as that configuration is active, the deployment server will no longer accept the connections until that is switched as well. Or is there a fallback mechanism to internal certs that allows a smooth transition?
thx
afx

Reply

brettwilliams
Path Finder
‎10-14-2020 02:24 PM

I've run into this myself...  if a Splunk instance starts, and there is no SSL configuration anywhere, Splunk creates its own in etc/system/local.  Which can't be overridden.  I could conjure up something creative on the Linux forwarders...  but Windows, yeah, right...  not gonna happen.

For the forwarders that I control, this is easy to fix.  But for the forwarders I don't control, I'm just a few mouse clicks away from doom when I'm making changes in Forwarder Management.  If I accidentally pull the 8089 certs, I have to go get many, many people to touch every single forwarder to manually fix it.  Maybe we shouldn't distribute SSL certs for 8089 via deployment server.  But without any other options, at least in my enterprise, I don't see any alternatives.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...