Installation

Default root certificates for release pre 6.2 version for Splunk enterprise expire on July 21 2016

Hemnaath
Motivator

Regarding default root certificates for pre-6.2 releases of Splunk Enterprise, I have some questions which need to be clarified before executing the renewcert.zip script provided by Splunk.

Currently we have the below Splunk Enterprise setup in our environment.
1) Five clustered indexers, version Splunk 6.2.1
2) Four search heads, of which three are built with version Splunk 6.0.3 and one with version 6.2.1
3) Scheduled search job with version 6.0.3
4) Two heavy forwarders, one with the latest 6.4.1 and another with 6.2.1
5) We have 1131 universal forwarders configured in our environment.

Questions are:

1) In which order should we run the script? I mean, should we execute the script first on the UF, HF, SH and then on the indexers?

2) How to validate whether the current Splunk environment is using the default certificate or not, and whether it is going to expire by 21 July 2016?
Note - Under the path /opt/splunk/etc/auth/ all the certificate details like ca.pem, ca.default.pem, cacert.pem and cacert.default.pem are encrypted, so I am unable to find the date of expiry details. In this case, how do I validate the details?

3) I ran the below SPL query to validate whether the UF is using the default certificate or not. But I am not sure what it means when the output states SSL is false.

index=_internal source=metrics.log group=tcpin_connections | dedup hostname | table hostname sourceIp fwdType version destPort ssl
Output details:
hostname source ip fwdtype version destport ssl
xxxxxx xxxxxx uf 6.2.0 9997 FALSE
xxxxxx xxxxxx uf 6.2.0 9997 FALSE
xxxxxx xxxxxx uf 4.3 9997 FALSE

4) In order to test the script, I followed the below steps in my test environment and it worked fine.
Individual Splunk instance with version 6.2.1 trial
OS Red Hat Linux 6.5,
VM machine

Steps -
1) Checked whether the Splunk environment is set or not by executing echo $SPLUNK_HOME, echo $LD_LIBRARY_PATH and echo $OPENSSL_CONF, and found it was not set.

2) Set up the Splunk environment variables by executing setSplunkEnv; to do this, the splunk user should have permission to execute the script in /opt/splunk/bin. Used chmod -R 777 /opt/splunk/ . After running the setSplunkEnv script, checked that the Splunk environment variable was set properly by executing echo $SPLUNK_HOME = /opt/splunk

3) Checked the write permission on the /opt/splunk/auth directory; it should be set with write permission.

4) Before executing the script, took a backup of /opt/splunk by executing cp -rp /opt/splunk /etc /temp

5) Validated all the certificate details before executing s-renewcerts.sh and found the date of expiry as 21 July 2016.

6) After executing the script, validated all the certificate details in the path /opt/splunk/etc/auth by executing the cat command and found the date of expiry as 22 July 2026.

Kindly let me know whether I need to follow the same steps in the cluster environment also.

Thanks in advance

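Question 2 above asks how to read an expiry date out of the files under /opt/splunk/etc/auth. A PEM certificate file is not encrypted; it is base64-wrapped DER, so the validity period can be pulled straight out of it. The following Python is an added example (not from this thread or from Splunk): it walks the DER structure to the tbsCertificate validity field and reports days left for every CERTIFICATE block in a file. The sample certificate it builds is a constructed, unsigned skeleton for demonstration, not a real Splunk certificate.

```python
import base64
import re
from datetime import datetime, timezone

def tlv(buf, i=0):  # one DER tag/length/value at offset i -> (tag, value, next_offset)
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:  # long-form length: low 7 bits give the byte count of the length itself
        k = ln & 0x7F
        ln, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + ln], i + ln

def children(body):  # every (tag, value) element inside a constructed DER value
    out, i = [], 0
    while i < len(body):
        tag, val, i = tlv(body, i)
        out.append((tag, val))
    return out

def utc_date(y, m, d):  # convenience constructor for timezone-aware UTC dates
    return datetime(y, m, d, tzinfo=timezone.utc)

def x509_time(tag, val):  # UTCTime (0x17, YYMMDD..., RFC 5280 century rule) or GeneralizedTime (0x18)
    s = val.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(pem_body):  # (notBefore, notAfter) from one base64 certificate body
    _, cert, _ = tlv(base64.b64decode("".join(pem_body.split())))  # Certificate ::= SEQUENCE
    _, tbs, _ = tlv(cert)  # tbsCertificate is its first element
    fields = children(tbs)
    if fields[0][0] == 0xA0:  # optional explicit [0] version comes before serialNumber
        fields = fields[1:]
    return tuple(x509_time(t, v) for t, v in children(fields[3][1]))  # serial, sigAlg, issuer, validity

def expiry_report(pem_text, now):  # days left for every CERTIFICATE block; key blocks are ignored
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [(nb, na, (na - now).days) for nb, na in map(cert_validity, blocks)]

def der(tag, body):  # short-form DER encoder (bodies under 128 bytes), enough for the constructed sample
    return bytes([tag, len(body)]) + body

def sample_pem(not_before, not_after):  # constructed, unsigned skeleton; NOT a real Splunk certificate
    utc = lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    empty = der(0x30, b"")  # issuer/subject/algorithm/SPKI left empty: the parser never reads them
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + empty + empty
              + der(0x30, utc(not_before) + utc(not_after)) + empty + empty)
    cert = der(0x30, tbs + empty + der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"
```

Run expiry_report on the contents of cacert.pem or ca.pem (a private-key block, if present, is skipped) with the current time to see how many days each certificate has left. For a single certificate, openssl x509 -noout -enddate -in <file> prints the same notAfter value.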

rcreddy06
Path Finder

1) The renewcert.zip scripts provided by Splunk renew the certificates, so the order doesn't matter as long as they don't expire.

Please follow these two questions posted by the Splunk team.
https://answers.splunk.com/answers/395886/for-splunk-enterprise-splunk-light-and-hunk-pre-63.html
https://answers.splunk.com/answers/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certific...
