Indexer cluster SSL migration from default SSL to self-signed with least downtime?

inventsekar
SplunkTrust

Hi,
1. Let's assume I have around 4 cluster peers with Splunk's default SSL. To migrate from Splunk's default SSL to self-signed SSL,
can I migrate the cluster peers one by one? I mean, on an indexer cluster, can I have two sets of SSL certificates (Splunk's default SSL and my own self-signed SSL)?
2. During the migration, the deployment server should be sending the new self-signed SSL certificates to forwarders. Is this possible?
I mean, one deployment server, handling two sets of SSL certificates.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

inventsekar
SplunkTrust

Hi all, any ideas or suggestions for doing this without using the 2nd port, please? As you know, on production systems it would be difficult to get a 2nd port opened for this task alone.
Any other ideas or suggestions, please?

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

hardikJsheth
Motivator

Do you want to use SSL certificates for encrypting communication between forwarder and indexer, or are you referring to changing SSL certificates for the management port?

With Splunk 6.3 and above, it uses the same certificates for all the nodes within the indexer cluster, including the master node.

0 Karma

inventsekar
SplunkTrust

We want to use SSL certificates for encrypting communication between forwarder and indexer.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

esix_splunk
Splunk Employee

There's no documented process for this, but thinking about a few different scenarios here, here's what I see as working without downtime.

General outline:
1) Add a new splunktcp-ssl input on your indexers, via the cluster master, on a different port than your current port, e.g. 9998 instead of 9997. This should require a rolling restart to enable the config.
2) Create a new app that has the new certs and an outputs.conf pointing to the splunktcp-ssl input on 9998 on your indexer cluster.
3) Use the DS to deploy this to clients, and remove the other outputs.conf.

As cleanup, you can validate that all of your clients are sending to the splunktcp-ssl input on your indexers. Once validated, you can disable the non-SSL port on the cluster, and copy the splunktcp-ssl config to 9997 with the same cert. You can then update the primary outputs.conf app on your DS and your clients will get updated and send to 9997.

0 Karma
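
The two-port outline in the answer above, sketched as configuration. This is an added example, not from the original post or from Splunk: the app names, hostnames, certificate paths, server class and output group names are assumptions, and the SSL setting names are those of recent Splunk versions (older releases use different names), so check the spec files for your release.

```ini
# === Step 1: cluster master ===
# $SPLUNK_HOME/etc/master-apps/org_ssl_inputs/local/inputs.conf
# (hypothetical app; distributed to the peers as a cluster bundle)

# New SSL listener on a second port; the existing 9997 input is left as it is
[splunktcp-ssl:9998]
disabled = 0

[SSL]
# Indexer certificate and private key in one PEM file (assumed path)
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
# Placeholder: password of the private key
sslPassword = <private-key-password>
# Forwarders verify the indexer; indexers do not demand a client certificate
requireClientCert = false

# === Step 2: deployment server ===
# $SPLUNK_HOME/etc/deployment-apps/org_ssl_outputs/local/outputs.conf
# (hypothetical app that also carries the new certificate files)
[tcpout]
defaultGroup = idx_ssl_9998

[tcpout:idx_ssl_9998]
# Constructed hostnames; list every cluster peer on the new port
server = idx1.example.com:9998, idx2.example.com:9998
clientCert = $SPLUNK_HOME/etc/apps/org_ssl_outputs/auth/forwarder.pem
sslPassword = <private-key-password>
# Reject an indexer whose certificate does not chain to the trusted CA
sslVerifyServerCert = true

# $SPLUNK_HOME/etc/deployment-apps/org_ssl_outputs/local/server.conf
# CA that signed the indexer certificates, so verification can succeed
[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/apps/org_ssl_outputs/auth/myCA.pem

# === Step 3: deployment server ===
# $SPLUNK_HOME/etc/system/local/serverclass.conf
[serverClass:all_forwarders]
whitelist.0 = *

[serverClass:all_forwarders:app:org_ssl_outputs]
# Forwarders restart to pick up the new outputs.conf and certificates
restartSplunkd = true
```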

inventsekar
SplunkTrust

Thanks Esix. Any ideas or suggestions for doing this without using the 2nd port?
On an indexer cluster, all cluster peers should have the SSL certificate(s) from the same root CA, right?

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

inventsekar
SplunkTrust

Hi Esix/All,

On an indexer cluster, can I have two sets of SSL certificates (Splunk's default SSL and my own self-signed SSL)?
Let's assume I have an indexer cluster with 10 indexers. Can I have 8 indexers with Splunk default SSL certificates and 2 indexers with my own self-signed certificates? Is that possible? Please suggest.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

inventsekar
SplunkTrust

The SSL certificate migration process is not documented at all. Also, I am not seeing any posts related to this topic. Wondering how!

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma