Security

Multiple CAs in cluster?

PickleRick
Path Finder

Hi There.

I know I can use multiple inputs/outputs with separate CAs and even certs to permit different peers to inject data into the Splunk installation.

But I have a different situation. I have a cluster installation (let's say 4 indexers and 2 search-heads) which are configured to use (RootCA->Intermediate1) chain for cert verification and the servers just present the "final" cert without certification chain. I don't know why it was done this way instead of properly configuring just RootCA for verification and configuring the components to present full certification chain - I "inherited" this installation so it was already like that when I got this.

I need to add another indexer to the installation. The problem is that now we have another Intermediate2 CA and I'm getting new certs from that new Intermediate2 CA (which is a subordinate of the same RootCA as the Intermediate1). Is there any reasonable way to avoid full reconfiguration of CAs? Can I provide Splunk - for example - with a set of two different CAs with which it would try to authenticate peer?

I know I should just reconfigure all members to "properly" use RootCA but it's a big operation and requires full system downtime. If I could just reconfigure the system piece-by-piece, that would be great.

Labels (1)
Tags (3)
0 Karma
1 Solution

splunkyj
Path Finder

I just replaced our system to use third party certificates. If your question is just regarding root CA which is defined in:

etc/system/local/server.conf

[sslConfig]

sslRootCAPath = /opt/splunk/etc/auth/foldername_root_CA/name_Root_CA.pem

 

We used the same path for all of our Root CA, for all our instances. If you go to that path, in this example /opt/splunk/etc/auth/foldername_root_CA/name_Root_CA.pem> open up name_Root_CA.pem. Copy the new Root CA that has been converted to .pem, and paste it to name_Root_CA.pem by adding it. You're not replacing the whole thing, just adding the new CA. 

Copy from -----BEGIN CERTIFICATE-----, all the way to -----BEGIN CERTIFICATE-----

Your new server certificates, however will need the whole certificate chain in the .pem format. You can find the path in server.conf as well :

etc/system/local/server.conf

[sslConfig]

serverCert = $SPLUNK_HOME/etc/auth/servername_or_whatever/fqdn_cert.pem

The instructions to prepare your certificates can be found here: https://docs.splunk.com/Documentation/Splunk/8.0.4/Security/HowtoprepareyoursignedcertificatesforSpl...

 

 

View solution in original post

splunkyj
Path Finder

Correction:

Copy from -----BEGIN CERTIFICATE-----, all the way to -----END CERTIFICATE-----

0 Karma

splunkyj
Path Finder

I just replaced our system to use third party certificates. If your question is just regarding root CA which is defined in:

etc/system/local/server.conf

[sslConfig]

sslRootCAPath = /opt/splunk/etc/auth/foldername_root_CA/name_Root_CA.pem

 

We used the same path for all of our Root CA, for all our instances. If you go to that path, in this example /opt/splunk/etc/auth/foldername_root_CA/name_Root_CA.pem> open up name_Root_CA.pem. Copy the new Root CA that has been converted to .pem, and paste it to name_Root_CA.pem by adding it. You're not replacing the whole thing, just adding the new CA. 

Copy from -----BEGIN CERTIFICATE-----, all the way to -----BEGIN CERTIFICATE-----

Your new server certificates, however will need the whole certificate chain in the .pem format. You can find the path in server.conf as well :

etc/system/local/server.conf

[sslConfig]

serverCert = $SPLUNK_HOME/etc/auth/servername_or_whatever/fqdn_cert.pem

The instructions to prepare your certificates can be found here: https://docs.splunk.com/Documentation/Splunk/8.0.4/Security/HowtoprepareyoursignedcertificatesforSpl...

 

 

View solution in original post

PickleRick
Path Finder

Hmm...

Do you mean that I can put multiple CA certs in the pem file configured as sslRootCAPath? And all will be checked for validation of the client's cert? That'd be great.

0 Karma

splunkyj
Path Finder

That is correct. To make it easier for you to know what has been concatenated together without having to use openssl or open each one to compare in the future - you can place all the individual root CA's in the same folder as well - for reference only: and only point to that one .pem file in server.conf :

splunkyj_0-1614609051776.png

Hope that helps. 

PickleRick
Path Finder

Thank you. That's the vital piece of information I've been missing. After fifth or sixth reading I finally noticed that the docs say "one or more CA certificates".

It does work indeed!

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!