Security

How to deploy self-signed certs to deployment clients using the deployment server

dflodstrom
Builder

How do I push my self-signed certs to universal forwarders using the deployment server. The docs say:

Define the following stanzas in $SPLUNK_HOME/etc/system/local/outputs.conf (or in the appropriate directory of any app you are using to distribute your forwarding configuration) :

Do I need to push a script that moves the certs to a local folder? Can I just distribute an app with outputs.conf that point to $SPLUNK_HOME/etc/apps/my_ssl_app/auth/ for the certificates?

0 Karma
1 Solution

jonathan_cooper
Communicator

Totally doable from a deployment app, and you are able to set the path to the cert files in that deployment app as well, so you won't have to move the certs anywhere (via updated server.conf). I have done this at a few customer sites and it works well.

One thing to keep in mind is to ensure that the "sslVerifyServerCert" in deploymentclient.conf is set to false so that new UF's coming online can still contact the DS and get their new certs/apps. Another parameter to keep in mind is "requireClientCert" in server.conf. Default is set to false, but if set to true brand new UF's would need the certs and server.conf before hand in order to work.

You can always hit me up on email if you need more info, but totally doable.

View solution in original post

jonathan_cooper
Communicator

Totally doable from a deployment app, and you are able to set the path to the cert files in that deployment app as well, so you won't have to move the certs anywhere (via updated server.conf). I have done this at a few customer sites and it works well.

One thing to keep in mind is to ensure that the "sslVerifyServerCert" in deploymentclient.conf is set to false so that new UF's coming online can still contact the DS and get their new certs/apps. Another parameter to keep in mind is "requireClientCert" in server.conf. Default is set to false, but if set to true brand new UF's would need the certs and server.conf before hand in order to work.

You can always hit me up on email if you need more info, but totally doable.

adobrzeniecki
Path Finder

I have a customer that has four different outputs apps being sent from the DS to different types of UFs. We are thinking of putting each of the SSL certs in these different apps and pushing them to the designated forwarders. Question for you, as long as I put the correct path in clientCert, this will work properly correct? So for example:

/opt/splunk/etc/apps/myexternalapp/local/outputs.conf
clientCert = $SPLUNK_HOME/etc/apps/myexternalapp/local/splunk-forwarder.pem
sslPassword = shabadooo
sslVerifyServerCert = true
sslVersions = tls


0 Karma

adobrzeniecki
Path Finder

Also the cert will be in the local directory of that app.

0 Karma

marklaw2
Explorer

Jonathan - if you have a few moments I'd like the specifics and how-tos for this - facing similar problem with 5000+ UFs.

0 Karma

dflodstrom
Builder

Ok this makes a lot more sense. I'll work this out and let you know if I run into any issues.

0 Karma

lguinn2
Legend

If you push the certs via a deployment app, then you must have a script that moves the certs to the appropriate directory. I think this is sort of kludgy but I think it can be done. I personally have never done this.

Remember that scripted inputs are inputs, but there is really no restriction on what the scripts can do. So you will have to create an input to invoke the script. And the script will have to be smart enough to only copy the certs once - and to trigger a restart afterwards.

I do not believe that you can leave the certs in the app directory.

0 Karma

dflodstrom
Builder

Thanks for the reply. I was afraid this was the case.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...