Getting Data In

Can I use the Microsoft Cert Store for Universal Forwarder SSL Communication?

Explorer

I am working on getting Splunk secured with certificates. We have a requirement to ensure the integrity of our audit logs as they are transported to Splunk. This would mean that I need to use SSL/TLS between the Forwarders and the Indexers.

When I read the SSL documentation, it wants a cert file and a password in the config settings for each forwarder. This might work for a few forwarders, but we are planning on doing 1,000+ Windows clients, so this would become a management issue. I know I can force the clients to request certificates from our Enterprise CA through GPOs without much problem.

Is there a way to tell the Universal Forwarders to use the machine/host certificates without having to manually set the certificate settings or even using one certificate for all the UFs?

Labels (1)

Builder

Hi. We seem to have the same problem. I've tried looking up in the docs and google, but nothing. Did you ever find a solution to this?

0 Karma

Explorer

Yeah.. basically we made a forwarder certificate that we push out with a deployment app with a password in the clear.

https://conf.splunk.com/session/2015/conf2015_DWaddle_DefensePointSecurity_deploying_SplunkSSLBestPr...

This conf presentation was what we based our final solution from.

0 Karma

Builder

Hi,

The way to configure the SSL configuration is using the indexer certs. So you only need to deploy the certs of all of your indexer to all of your forwarder.

You have to configure inputs.conf in the indexer and outputs.conf in the forwarders.
Check out this link
https://wiki.splunk.com/Community:Splunk2Splunk_SSL_3rdPartyCA

Hope i help you

0 Karma

Explorer

Why are we using the Indexer certificate on the forwarders? Doing this raises a few issues for me:

  • The Forwarders are presenting the indexer's certificate. They aren't the indexer. Shouldn't certificates be used by the host/user/principal that the certificate is intended for? If I'm using the indexer certificate I can' claim non-repudiation of the events from that forwarder.
  • Password Management: Pushing out the indexer's private key password is a bit scary to me. That key shouldn't be pushed around. If I manually set the password and restart the splunkd service the password will be encrypted. If I put the config files in the deployment-apps directory on my deployment server that password won't be encrypted.

Is the local Microsoft Certificate Store not an option?

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!