
What is the recipe for creating new SSL certs for forwarding with no auth?

Splunk Employee

What are the steps to set up a new CA and generate new certs for SSL forwarding with no auth?

0 Karma

Re: What is the recipe for creating new SSL certs for forwarding with no auth?

SplunkTrust

Can you clarify just a little? Are you wanting to make a new CA and issue a certificate to each forwarder? Or, are you wanting to create a new self-signed certificate for the indexer? Or is it something else entirely?

0 Karma

Re: What is the recipe for creating new SSL certs for forwarding with no auth?

Influencer

First you probably want to create your own root CA:

mkdir -p /opt/splunk/etc/certs
/opt/splunk/bin/genRootCA.sh -d /opt/splunk/etc/certs

This will create the files:

ca.pem
cacert.pem
cakey.pem
careq.pem

in the given directory. Then you can issue signed server certificates for your indexer:

/opt/splunk/bin/genSignedServerCert.sh -d /opt/splunk/etc/certs -n indexer -c indexer.mydomain.com

and for your forwarder:

/opt/splunk/bin/genSignedServerCert.sh -d /opt/splunk/etc/certs -n forwarder1 -c forwarder1.mydomain.com

Copy over the files forwarder1.pem and cacert.pem to your forwarder.

To configure your forwarder to send the data via SSL add the following to $SPLUNK_HOME/etc/system/local/outputs.conf:

[indexAndForward]
index=false

[tcpout]
defaultGroup = forward-ssl

[tcpout:forward-ssl]
server = <indexer-ip>:9443

[tcpout-server://<indexer-ip>:9443]
sslCertPath=$SPLUNK_HOME/etc/certs/forwarder1.pem
sslPassword=password
sslRootCAPath=$SPLUNK_HOME/etc/certs/cacert.pem
sslVerifyServerCert=false

and add the following on the indexer in the $SPLUNK_HOME/etc/system/local/inputs.conf to listen on a port with SSL enabled:

[SSL]
serverCert=$SPLUNK_HOME/etc/certs/indexer.pem
password=password
rootCA=$SPLUNK_HOME/etc/certs/cacert.pem
requireClientCert=false

[splunktcp-ssl:9443]

It's also possible to distribute the SSL configuration via deployment services.
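
As an added example that is not part of the original answer: a short Python check over the two files configured above that reports which TLS stanzas encrypt traffic without authenticating the peer. The sample file contents, the 192.0.2.10 address and the function names are constructed for illustration, and treating an absent setting as false is an assumption.

```python
# Constructed sample input mirroring the answer's settings; 192.0.2.10 is a placeholder.
OUTPUTS_CONF = """
[tcpout-server://192.0.2.10:9443]
sslCertPath = $SPLUNK_HOME/etc/certs/forwarder1.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/certs/cacert.pem
sslVerifyServerCert = false
"""
INPUTS_CONF = """
[SSL]
serverCert = $SPLUNK_HOME/etc/certs/indexer.pem
password = password
requireClientCert = false
[splunktcp-ssl:9443]
"""

# role -> (key marking a TLS stanza, authentication switch, key password, finding)
CHECKS = {
    "outputs": ("sslCertPath", "sslVerifyServerCert", "sslPassword",
                "forwarder does not verify the indexer certificate"),
    "inputs": ("serverCert", "requireClientCert", "password",
               "indexer does not require forwarder certificates"),
}

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and not line.startswith("#") and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit(role, text):
    """Return (stanza, finding) pairs for TLS stanzas that skip authentication."""
    marker, auth_key, pw_key, message = CHECKS[role]
    findings = []
    for stanza, kv in parse_conf(text).items():
        if marker in kv:
            # Assumption: an absent switch counts as off (both settings default to false).
            if kv.get(auth_key, "false").lower() not in ("1", "true", "yes"):
                findings.append((stanza, message))
            if kv.get(pw_key) == "password":
                findings.append((stanza, "key password is the literal 'password'"))
    return findings

if __name__ == "__main__":
    for role, text in (("outputs", OUTPUTS_CONF), ("inputs", INPUTS_CONF)):
        print(role, audit(role, text))
```

With the settings from the answer, both files are reported: the link is encrypted, but neither end proves its identity to the other.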


Re: What is the recipe for creating new SSL certs for forwarding with no auth?

Splunk Employee

Information about setting up SSL forwarding with host authentication and self-signed certificates can be found here: http://answers.splunk.com/questions/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certifi...

0 Karma

Re: What is the recipe for creating new SSL certs for forwarding with no auth?

Motivator

@ziegfried -- very interesting. I am interested in how to distribute this via deployment services. I can't seem to find anything that explains how you would push updated certs out to the forwarders.

0 Karma