How do I push my self-signed certs to universal forwarders using the deployment server. The docs say:
Define the following stanzas in $SPLUNK_HOME/etc/system/local/outputs.conf (or in the appropriate directory of any app you are using to distribute your forwarding configuration) :
Do I need to push a script that moves the certs to a local folder? Can I just distribute an app with outputs.conf that point to $SPLUNK_HOME/etc/apps/my_ssl_app/auth/ for the certificates?
Totally doable from a deployment app, and you are able to set the path to the cert files in that deployment app as well, so you won't have to move the certs anywhere (via updated server.conf). I have done this at a few customer sites and it works well.
One thing to keep in mind is to ensure that the "sslVerifyServerCert" in deploymentclient.conf is set to false so that new UF's coming online can still contact the DS and get their new certs/apps. Another parameter to keep in mind is "requireClientCert" in server.conf. Default is set to false, but if set to true brand new UF's would need the certs and server.conf before hand in order to work.
You can always hit me up on email if you need more info, but totally doable.
Totally doable from a deployment app, and you are able to set the path to the cert files in that deployment app as well, so you won't have to move the certs anywhere (via updated server.conf). I have done this at a few customer sites and it works well.
One thing to keep in mind is to ensure that the "sslVerifyServerCert" in deploymentclient.conf is set to false so that new UF's coming online can still contact the DS and get their new certs/apps. Another parameter to keep in mind is "requireClientCert" in server.conf. Default is set to false, but if set to true brand new UF's would need the certs and server.conf before hand in order to work.
You can always hit me up on email if you need more info, but totally doable.
I have a customer that has four different outputs apps being sent from the DS to different types of UFs. We are thinking of putting each of the SSL certs in these different apps and pushing them to the designated forwarders. Question for you, as long as I put the correct path in clientCert, this will work properly correct? So for example:
/opt/splunk/etc/apps/myexternalapp/local/outputs.conf
clientCert = $SPLUNK_HOME/etc/apps/myexternalapp/local/splunk-forwarder.pem
sslPassword = shabadooo
sslVerifyServerCert = true
sslVersions = tls
Also the cert will be in the local directory of that app.
Jonathan - if you have a few moments I'd like the specifics and how-tos for this - facing similar problem with 5000+ UFs.
Ok this makes a lot more sense. I'll work this out and let you know if I run into any issues.
If you push the certs via a deployment app, then you must have a script that moves the certs to the appropriate directory. I think this is sort of kludgy but I think it can be done. I personally have never done this.
Remember that scripted inputs are inputs, but there is really no restriction on what the scripts can do. So you will have to create an input to invoke the script. And the script will have to be smart enough to only copy the certs once - and to trigger a restart afterwards.
I do not believe that you can leave the certs in the app directory.
Thanks for the reply. I was afraid this was the case.