I have now re-installed Splunk on both my search head and indexer to enable FIPS, and after a maddening week of frustration, finally have them talking to each other again. Now I need to get my forwarders secured with their own certificates. Does the same splunk-launch.conf edit to enable FIPS apply to the forwarders like it does to the indexer and search head?
The documentation relating to the FIPS implementation is frustratingly sparse.
Yes, you should be able to use the exact same process (re-install, make launch.conf edit) on your forwarders to turn on FIPs and get everything communicating properly.
And thanks for pointing out that the FIPs docs could use a little improvement, I'll get to work on those improvements.
Thanks!
It's safe to assume it does. Forwarders as just scaled down versions of Splunk so the configurations are mostly universal.
Yes, you should be able to use the exact same process (re-install, make launch.conf edit) on your forwarders to turn on FIPs and get everything communicating properly.
And thanks for pointing out that the FIPs docs could use a little improvement, I'll get to work on those improvements.
Thanks!
To the best of my knowledge, you must reinstall. I'm not aware of anyone else having success otherwise, so it remains our best practice for the moment. I'm glad you were able to get it up and running successfully! For purposes of improving the docs, I'll definitely investigate some of the information you've provided.
Glad it worked, thanks for letting us know!
I re-installed one of my forwarders, enabled FIPS and everything is fine. On a second, instead of re-installing, I just tried enabling FIPS, adding my certs and restarting the service, and I can't tell any difference. By all appearances, it is now using FIPS, is talking to my deployment server and is forwarding to my indexer.
Does enabling FIPS require a re-install on a forwarder, or can it simply be enabled? I guess I'm curious as to what the change is that requires the reinstall when enabling FIPS. Need I even have re-installed Splunk on my search-head and indexer? The documentation just says it is necessary, but doesn't give any rationale.
Do the certs on the indexer need to be copied to the forwarder, or does the forwarder need its own?