Security

Changing the Certificates for Universal forwarder, I know how to push the certificates out but will I need one certificate per host?

New Member

Hi!
I'm changing the Certificates for Universal forwarder, I know how to push the certificates out but will I need one certificate per host? Or can I add the hostname in the SAN? or how do you people do that have about 3000 UF's to change on? (I only have like 50 so it is possible to do it manually)

//P

0 Karma

New Member

Ok, to answer my own question, it is possible to input the hostname/ip in the san for thoose hosts that run UniversalForwarder which means you will only have to deal with one certificate. (if you have 150 or less hosts/entries).

Now is just the final qustion if this is really a good solution in the security point of view.
Probably since it will only be used on the local lan internally,
But probably the best looking solution would be to have one certificate per host.

0 Karma

Champion

You can use a single certificate for all forwarders if you like, or you could give each forwarder its own certificate. The latter is probably only worth the extra effort if you want to enable requireClientCert and sslCommonNameToCheck (and want to be able to potentially revoke, via removing from the allowed common name list, client certificates).

If you only want to enable the UFs to send over TLS to the indexers you only need the certificate on the client as a means to enable that encryption. It can certainly be reused amongst your UFs for this purpose.

0 Karma

New Member

Hello!
Thanks for the reply, my problem is that we do a Nessus scan of the environment and it complains about certificates has the wrong hostname.

Would it be possible to set all the hosts in the SAN section of the certificate? does the splunkforwarder use it? If so I could set all the hosts in the SAN section and then I will only have to distribute one single certificate but out of security perspective I guess a single certificate for each hosts would be the best option?

0 Karma

New Member

Hello!
Thanks for the reply, my problem is that we do a Nessus scan of the environment and it complains about certificates has the wrong hostname.

Would it be possible to set all the hosts in the SAN section of the certificate? does the splunkforwarder use it? If so I could set all the hosts in the SAN section and then I will only have to distribute one single certificate but out of security perspective I guess a single certificate for each hosts would be the best option?

0 Karma

Champion

Your nessus scan wouldn't necessarily see the certificate...especially if you disable the splunkd port on your universal forwarders (or just don't open up that port on your host-based firewall).

0 Karma

Communicator

I was just alerted that a nessus scan came up with the same 'vulnerability'.

I would think that the splunkd port 8089 is required on a server running the universal forwarder but I could be wrong. Is closing the port the only way since it would be best to use the server cert for communications? If you are using port 8089 to deploy apps and such, then wouldn't that cause problems. I think each host having it's own certificate would become somewhat of a monster issue when it comes time for renewing the certs.

0 Karma

SplunkTrust
SplunkTrust

You can always have your universal forwarder bind to the localhost address in splunk-launch.conf, this way the 8089 port is there but only accessible on the local server...

The universal forwarders pull from the deployment server, so they do not quite the 8089 port on the forwarder to be available, the port 8089 on the deployment server must be accessible though.

I've previously read that 8089 is used by Splunk UF's but I cannot find documentation confirming this, there are some useful troubleshooting commands that use the REST port in the universal forwarder which is why I bind it to localhost as a security measure...

0 Karma

New Member

@gjanders How do we perform mass depoyment of this change in splunk-launch.conf across all our universal forwarders? Is it possible to do this using deployment server?

0 Karma

SplunkTrust
SplunkTrust

There is no Splunk deployment server method to push splunk-launch.conf that I'm aware of.

You could push out a script via the deployment server that does this once off and then delete the script/app. Or make it part of your build process

0 Karma

New Member

Oh, darn. (all this job for "nothing")
I've always thought that port 8089 was used by the deployment server to send the apps.
So in other words it would be possible to disable port 8089, what are the consequences of doing it?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!