Getting Data In

Can I use the Microsoft Cert Store for Universal Forwarder SSL Communication?

sniderwj
Explorer

I am working on getting Splunk secured with certificates. We have a requirement to ensure the integrity of our audit logs as they are transported to Splunk. This would mean that I need to use SSL/TLS between the Forwarders and the Indexers.

When I read the SSL documentation, it wants a cert file and a password in the config settings for each forwarder. This might work for a few forwarders, but we are planning on doing 1,000+ Windows clients, so this would become a management issue. I know I can force the clients to request certificates from our Enterprise CA through GPOs without much problem.

Is there a way to tell the Universal Forwarders to use the machine/host certificates without having to manually set the certificate settings or even using one certificate for all the UFs?

Labels (1)

opoplawski
Explorer

It would be very nice if splunk could use the machine certificate in the store.

0 Karma

isoutamo
SplunkTrust
SplunkTrust
You could always create a request into ideas.splunk.com or vote for it if there is already one.

opoplawski
Explorer
0 Karma

hettervik
Builder

Hi. We seem to have the same problem. I've tried looking up in the docs and google, but nothing. Did you ever find a solution to this?

0 Karma

sniderwj
Explorer

Yeah.. basically we made a forwarder certificate that we push out with a deployment app with a password in the clear.

https://conf.splunk.com/session/2015/conf2015_DWaddle_DefensePointSecurity_deploying_SplunkSSLBestPr...

This conf presentation was what we based our final solution from.

0 Karma

jmallorquin
Builder

Hi,

The way to configure the SSL configuration is using the indexer certs. So you only need to deploy the certs of all of your indexer to all of your forwarder.

You have to configure inputs.conf in the indexer and outputs.conf in the forwarders.
Check out this link
https://wiki.splunk.com/Community:Splunk2Splunk_SSL_3rdPartyCA

Hope i help you

0 Karma

sniderwj
Explorer

Why are we using the Indexer certificate on the forwarders? Doing this raises a few issues for me:

  • The Forwarders are presenting the indexer's certificate. They aren't the indexer. Shouldn't certificates be used by the host/user/principal that the certificate is intended for? If I'm using the indexer certificate I can' claim non-repudiation of the events from that forwarder.
  • Password Management: Pushing out the indexer's private key password is a bit scary to me. That key shouldn't be pushed around. If I manually set the password and restart the splunkd service the password will be encrypted. If I put the config files in the deployment-apps directory on my deployment server that password won't be encrypted.

Is the local Microsoft Certificate Store not an option?

Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...