Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Indexer cluster SSL migration from default SSL to self-signed with least downtime?

inventsekar
SplunkTrust
SplunkTrust
‎08-23-2017 09:09 PM

Hi,
1. Lets assume I have around 4 cluster peers with Splunk's default SSL. To migrate from Splunk's default SSL to self-signed SSL,
can I migrate the cluster peers one by one? I mean, on an indexer cluster, can I have two sets of SSL certificates (Splunk's default SSL and my own self-signed SSL)?
2. During the migration, the deployment server should be sending the new self-signed SSL certificates to forwarders. Is this possible?
I mean, one deployment server, handling two sets of SSL certificates.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎08-29-2017 04:18 AM

Hi All, any ideas and suggestions about without using the 2nd port please.. as you know, on production systems it would be difficult to get 2nd port opened for this task alone..
any other ideas, suggestions please..

0 Karma
Reply

hardikJsheth
Motivator
‎11-02-2017 05:32 AM

Do you want to use SSL certificates for encrypting communication between forwarder and indexer or you are referring to changing SSL certificates for Management port ?

With Splunk 6.3 and above it uses same certificates for all the nodes within indexer cluster including master node.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎11-02-2017 05:38 AM

we want to use SSL certificates for encrypting communication between forwarder and indexer

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎08-25-2017 01:09 AM

Theres no documented process for this, but thinking about a few different scenarios here, here's what I see as working without downtime..

General Outline--
1) Add a new splunktcp-ssl input on your indexers, via the cluster master, on a different port then your current port. E.g. 9998 instead of 9997. This should require a rolling restart to enable the config
2) Create a new app that has the new certs and outputs.conf to point to the splunktcp-ssl on 9998 on your indexer cluster
3) Use the DS to deploy this to clients, and remove the other outputs.conf

As clean up, you can validate that all of your clients are sending to the splunktcp-ssl input on your indexers. Once validated, you can disabled the the non-SSL port on the cluster, and copy the splunktcp-ssl config to 9997 with the same cert. You can then update the primary outputs.conf app on your DS and your clients will get updated and send to 9997.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎08-25-2017 01:37 AM

Thanks Esix,.. any ideas and suggestions about without using the 2nd port?
on a indexer cluster, all cluster peers should have the SSL certificate(s) from same root CA, right

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎11-02-2017 05:12 AM

Hi Esix/All,

on an indexer cluster, can I have two sets of SSL certificates (Splunk's default SSL and my own self-signed SSL)?
lets assume i have an indexer cluster with 10 indexers. can i have 8 indexers with Splunk default SSL certificates and 2 indexers with my own self signed certificates? is that possible, please suggest.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎08-25-2017 12:14 AM

SSL certificates migration process is not documented at all. also i am not seeing any posts related to this topic. Wondering how !!!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...