We have installed Splunk 6.5.1 on a Windows 2008 R2 two years ago. We'd like to upgrade it to 7.1.
According to the well-furnished documentation, we can upgrade without intermediate version.
However, being on a Windows 2008 R2 will be problematic as the cipher suites won't be supported (according to Splunk/7.1.2/Installation/AboutupgradingREADTHISFIRST).
As far as I've understood, Splunk/7.1.2/Security/AboutTLSencryptionandciphersuites implies that I should change the files alert_actions.conf and ldap.conf as they are the only ones where Windows 2008 is quoted.
First of all, have I understood this properly?
Then, I've searched those files on our Splunk and there are a lot of them. I don't know which one (or ones) I should modify.
Can you please tell me which files I should change with those SSL parameters?
And finally, are there specific points I should be aware of when upgrading? Documentation seems pretty clear about that, but I always prefer to hear that from experienced people.
Please forgive me for my lack of skill on this product and my not-so-fluent English.
Thank you in advance for your help.
Based on the documentation, it is stating that in order to support the TLS/SSL cipher suites introduced in 6.6+, you will need to edit the Windows Registry:
The Transport Layer Security (TLS) and Secure Sockets Layer (SSL) cipher suites in version 7.1 are not supported on Windows Server 2008 R2 (Originally introduced in version 6.6). The TLS and SSL cipher suites that come with version 7.0 of Splunk Enterprise do not support Windows Server 2008 R2 by default. If you upgrade, and you used SSL and TLS to handle forwarder-to-indexer communication or alert actions, those actions will not work until you make updates to both Windows and Splunk Enterprise configurations.
To enable TLS 1.2 support on Windows Server 2008 R2:
DWORD (32-bit) Value – DisabledByDefault; set to 0
DWORD (32-bit) Value – Enabled; set to 1
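As an added example (not part of this answer or of Splunk's documentation), the following PowerShell audits and, if needed, sets the two DWORD values named above for both the Client and Server sides, since a Splunk instance acts as a TLS client (forwarder output, alert actions) and as a TLS server (inbound connections). The SCHANNEL registry path is an assumption taken from standard Windows configuration; it is not quoted in this thread.

```powershell
# Added example, not from the thread. The key path is an assumption based on the
# standard Windows SCHANNEL layout; verify it against your own server build.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

function Get-Tls12State {
    param([string]$Side)  # 'Client' or 'Server'
    $path = Join-Path $base $Side
    if (-not (Test-Path $path)) {
        # No key at all: Windows falls back to its built-in default for this protocol.
        return [pscustomobject]@{ Side = $Side; Exists = $false; Enabled = $null;
                                  DisabledByDefault = $null; Ready = $false }
    }
    $props = Get-ItemProperty -Path $path
    [pscustomobject]@{
        Side              = $Side
        Exists            = $true
        Enabled           = $props.Enabled
        DisabledByDefault = $props.DisabledByDefault
        # The values the answer above asks for: Enabled=1, DisabledByDefault=0
        Ready             = ($props.Enabled -eq 1 -and $props.DisabledByDefault -eq 0)
    }
}

function Set-Tls12Enabled {
    param([string]$Side)  # requires an elevated prompt; a reboot applies the change
    $path = Join-Path $base $Side
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'Enabled' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $path -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
}

# Report the current state for both sides before touching anything.
$state = 'Client', 'Server' | ForEach-Object { Get-Tls12State -Side $_ }
$state | Format-Table -AutoSize
if ($state | Where-Object { -not $_.Ready }) {
    Write-Warning 'TLS 1.2 is not fully enabled; run Set-Tls12Enabled -Side Client and -Side Server, then reboot.'
}
```

Run the audit first on a test server, and re-check forwarder-to-indexer connectivity after the reboot, since that is the path the documentation says breaks.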
Thank you for your answer.
That's indeed what I found in the documentation for the Windows 2008 part. But in the same page, there were mentions of alertactions.conf and ldap.conf for the 2008 compatibility.
And to be honest, I don't know what to do with this. Is it mandatory to modify alertactions.conf and ldap.conf? Or is it needed only in certain cases?
The part you mentioned is indeed needed.
Any of the configuration files listed on that page are the "default" settings. Those are the settings provided out of the box. If you have made changes to those previously, in order to utilize the default TLS cipher suites, you would need to revert those changes.
Just a brief additional comment, as folks have migrated to 6.6 or later, legacy Splunk instances have had problems connecting to the upgraded instances because of the new default TLS/SSL settings. I would refer you to these known issues:
Thanks for your reply.
I didn't modify any default file (even in the local folder as far as I know).
So if I've understood your reply, those files will update themselves with the upgrade (as they have a version number) and I won't have to modify anything here.
The only thing I'll have to do is to modify several things on Windows as you stated before.
Is this correct?