Should I include indexer's 3rd party cert AND private key in forwarder configuration

trross33
Path Finder

Hello,

I am using the following documents for configuring an Indexer and Forwarder to utilize a 3rd party certificate for communication

Use SSL to encrypt and authenticate data from forwarders

Configuring Splunk forwarding to use SSL certificates signed by a third party Certificate Authority

However, I have one question that wasn't clarified in the document. Setting up the Indexer was fairly straightforward. I created a .pem file combining the server public certificate, server private key, Issuing CA public cert, and Root CA public cert. I then configured inputs.conf to work with the 3rd party issuing cert according to the documentation.

My question is:

On the forwarder, the documentation makes it seem as if you need to use this same .pem file (containing server public cert, private key, issuing CA cert, and Root CA cert). It seems odd to me that the private key would be required for the forwarder as well. Is the private key needed in the .pem file specified in outputs.conf (on the forwarder), or is it sufficient to use all public certificates in the .pem file specified in outputs.conf?

Thanks for any assistance. I wanted to make sure before I start copying private keys...

1 Solution

gekoner
Communicator

trross,

Yes, you have to have the server's private key in the key chain where your forwarder is configured. So this should be a different private key for each server where you have a forwarder.
The reason is: this key will be used to encrypt the outgoing data FROM your forwarder client.
What you do NOT want to do is use the same key chain file from your Indexer. This should be a DIFFERENT key chain than the file you used on your FORWARDER, as that file would contain the private key of your Indexer, which YOU DO NOT WANT TO place on all of your forwarder client servers.
Make sense?

The document
Configuring Splunk forwarding to use SSL certificates signed by a third party Certificate Authority

is correct and is the one you want to follow.

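As an added example (not from the thread or the Splunk docs), the shell script below builds a forwarder-side PEM in the order the question lists (server cert, that server's own private key, CA cert) and checks the bundle before it is referenced from outputs.conf: exactly one private key, that key matching the leaf cert in front of it, and the leaf chaining to the CA. The CA and host names (demo-ca, fwd01, idx01) are made up, the CA is a local stand-in for the 3rd-party issuer, and openssl must be on PATH.

```shell
#!/bin/sh
# Added demo, not Splunk's code. Hypothetical names: demo-ca, fwd01 (forwarder), idx01 (indexer).
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Stand-in for the 3rd-party issuing CA; only its public cert (ca.pem) belongs on the forwarder.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
  -keyout ca.key -out ca.pem >/dev/null 2>&1

# issue NAME: one key pair per host, signed by the CA (mirrors "a different private key per server").
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -out "$1.crt" >/dev/null 2>&1
}
issue fwd01
issue idx01

# check_bundle BUNDLE CAFILE: succeeds only when the bundle holds exactly one private key,
# that key belongs to the first (leaf) certificate, and the leaf verifies against CAFILE.
check_bundle() {
  keys=$(grep -c 'BEGIN.*PRIVATE KEY' "$1" || true)
  [ "$keys" -eq 1 ] || { echo "$1: expected 1 private key, found $keys"; return 1; }
  openssl x509 -in "$1" -out leaf.crt 2>/dev/null          # first CERTIFICATE block
  sed -n '/BEGIN.*PRIVATE KEY/,/END.*PRIVATE KEY/p' "$1" > leaf.key
  cert_pub=$(openssl x509 -in leaf.crt -noout -pubkey)
  key_pub=$(openssl pkey -in leaf.key -pubout)
  [ "$cert_pub" = "$key_pub" ] || { echo "$1: private key does not match leaf cert"; return 1; }
  openssl verify -CAfile "$2" leaf.crt >/dev/null
}

# Right: the forwarder's own cert, its own key, then the CA cert.
cat fwd01.crt fwd01.key ca.pem > fwd01_bundle.pem
# Wrong: the indexer's bundle copied onto the forwarder, so the indexer's key travels with it.
cat idx01.crt idx01.key fwd01.crt fwd01.key ca.pem > copied_from_indexer.pem
# Wrong: forwarder cert paired with another host's key.
cat fwd01.crt idx01.key ca.pem > mismatched.pem

for b in fwd01_bundle.pem copied_from_indexer.pem mismatched.pem; do
  if check_bundle "$b" ca.pem; then echo "$b: OK"; else echo "$b: REJECT"; fi
done
```

Only fwd01_bundle.pem passes; the other two are rejected for carrying two private keys and for a key that does not belong to the leaf cert.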
