Security

Multiple CAs in cluster?

PickleRick
SplunkTrust

Hi There.

I know I can use multiple inputs/outputs with separate CAs and even certs to permit different peers to inject data into the Splunk installation.

But I have a different situation. I have a cluster installation (let's say 4 indexers and 2 search-heads) which are configured to use (RootCA->Intermediate1) chain for cert verification and the servers just present the "final" cert without certification chain. I don't know why it was done this way instead of properly configuring just RootCA for verification and configuring the components to present full certification chain - I "inherited" this installation so it was already like that when I got this.

I need to add another indexer to the installation. The problem is that now we have another Intermediate2 CA and I'm getting new certs from that new Intermediate2 CA (which is a subordinate of the same RootCA as Intermediate1). Is there any reasonable way to avoid a full reconfiguration of the CAs? Can I provide Splunk - for example - with a set of two different CAs with which it would try to authenticate the peer?

I know I should just reconfigure all members to "properly" use RootCA but it's a big operation and requires full system downtime. If I could just reconfigure the system piece-by-piece, that would be great.

0 Karma
1 Solution

splunkyj
Path Finder

I just replaced our system to use third-party certificates. If your question is just regarding the root CA, which is defined in:

etc/system/local/server.conf

[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/foldername_root_CA/name_Root_CA.pem

We used the same path for all of our Root CAs, for all our instances. If you go to that path, in this example /opt/splunk/etc/auth/foldername_root_CA/name_Root_CA.pem, open up name_Root_CA.pem. Copy the new Root CA that has been converted to .pem, and paste it into name_Root_CA.pem by adding it. You're not replacing the whole thing, just adding the new CA.

Copy from -----BEGIN CERTIFICATE-----, all the way to -----BEGIN CERTIFICATE-----

Your new server certificates, however, will need the whole certificate chain in .pem format. You can find the path in server.conf as well:

etc/system/local/server.conf

[sslConfig]
serverCert = $SPLUNK_HOME/etc/auth/servername_or_whatever/fqdn_cert.pem

The instructions to prepare your certificates can be found here: https://docs.splunk.com/Documentation/Splunk/8.0.4/Security/HowtoprepareyoursignedcertificatesforSpl...

splunkyj
Path Finder

Correction:

Copy from -----BEGIN CERTIFICATE-----, all the way to -----END CERTIFICATE-----

0 Karma


PickleRick
SplunkTrust

Hmm...

Do you mean that I can put multiple CA certs in the pem file configured as sslRootCAPath? And all will be checked for validation of the client's cert? That'd be great.

0 Karma

splunkyj
Path Finder

That is correct. To make it easier for you to know what has been concatenated together, without having to use openssl or open each one to compare in the future, you can place all the individual root CAs in the same folder as well, for reference only, and only point to that one .pem file in server.conf:

[attached screenshot: splunkyj_0-1614609051776.png]

Hope that helps. 
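The two answers above (append the new CA to the file that sslRootCAPath points at, and give the new server cert its full chain) can be checked offline before touching a production cluster. The script below is an added example, not code from this thread or from Splunk: it builds a throwaway PKI with openssl that mirrors the situation in the question (RootCA with two subordinates, an old indexer under Intermediate1, a new one under Intermediate2), then runs the same verification that a peer would face against the inherited bundle and against the extended bundle. All names (RootCA, Intermediate1, Intermediate2, idx01, idx05, the bundle file names) are constructed. It assumes openssl is on the PATH and that Splunk validates a peer the way `openssl verify -CAfile` does, with every certificate in the bundle usable for chain building; that second point is an assumption here, supported by the thread's report that it works.

```shell
#!/bin/sh
# Added example, not from the thread or from Splunk: a throwaway PKI built with
# openssl to show what concatenating CA certificates into the one file that
# sslRootCAPath points at does for peer verification. Every name is constructed.
# Assumption: Splunk's check behaves like `openssl verify -CAfile BUNDLE`.
set -u

WORK="${TMPDIR:-/tmp}/splunk-ca-bundle-demo.$$"
cleanup() { rm -rf "$WORK"; }

# make_ca NAME [ISSUER]: CA certificate NAME.pem (self-signed if no ISSUER)
make_ca() {
  name="$1"; issuer="${2:-}"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
    -subj "/CN=$name" -out "$WORK/$name.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 2 -extfile "$WORK/ca.ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 2 \
      -extfile "$WORK/ca.ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# make_leaf NAME ISSUER: end-entity (server) certificate NAME.pem signed by ISSUER
make_leaf() {
  name="$1"; issuer="$2"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
    -subj "/CN=$name" -out "$WORK/$name.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$name" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
    -CAkey "$WORK/$issuer.key" -CAcreateserial -days 2 \
    -extfile "$WORK/leaf.ext" -out "$WORK/$name.pem" 2>/dev/null
}

build_pki() {
  mkdir -p "$WORK"
  make_ca RootCA
  make_ca Intermediate1 RootCA
  make_ca Intermediate2 RootCA
  make_leaf idx01 Intermediate1   # an existing indexer
  make_leaf idx05 Intermediate2   # the new indexer from the question
  # inherited bundle: what sslRootCAPath holds today (RootCA + Intermediate1)
  cat "$WORK/RootCA.pem" "$WORK/Intermediate1.pem" > "$WORK/inherited.pem"
  # extended bundle: the same file with Intermediate2 appended, nothing replaced
  cat "$WORK/inherited.pem" "$WORK/Intermediate2.pem" > "$WORK/extended.pem"
}

# verify_leaf BUNDLE LEAF [CHAIN]: exit 0 if LEAF.pem validates against BUNDLE.
# CHAIN stands in for the intermediates a peer presents during the handshake.
verify_leaf() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$WORK/$1" -untrusted "$WORK/$3" "$WORK/$2.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/$1" "$WORK/$2.pem" >/dev/null 2>&1
  fi
}

# count_certs BUNDLE: how many certificates are concatenated in the file
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$WORK/$1"; }

# list_bundle BUNDLE: the subject of every certificate in the file (audit aid)
list_bundle() {
  openssl crl2pkcs7 -nocrl -certfile "$WORK/$1" | openssl pkcs7 -print_certs -noout | grep '^subject='
}

result() { if "$@"; then echo "OK"; else echo "FAIL"; fi; }

trap cleanup EXIT
build_pki
echo "extended bundle ($(count_certs extended.pem) certs):"; list_bundle extended.pem
echo "idx01 (Intermediate1) vs inherited bundle:  $(result verify_leaf inherited.pem idx01)"
echo "idx05 (Intermediate2) vs inherited bundle:  $(result verify_leaf inherited.pem idx05)"
echo "idx05 (Intermediate2) vs extended bundle:   $(result verify_leaf extended.pem idx05)"
echo "idx05 vs RootCA only, leaf alone:           $(result verify_leaf RootCA.pem idx05)"
echo "idx05 vs RootCA only, full chain presented: $(result verify_leaf RootCA.pem idx05 Intermediate2.pem)"
```

Run it with `sh`. The inherited bundle rejects idx05 and the extended bundle accepts it, which is the piece-by-piece path the question asks for: append Intermediate2 to the existing sslRootCAPath file on each member and restart that member, with nothing else changed. The last two lines show the cleaner design the question mentions (trust RootCA only, every server presents its full chain in serverCert): a leaf on its own fails against the root alone, and passes as soon as the intermediate travels with it. `list_bundle` is the openssl way to audit what a concatenated file actually contains, which is worth doing before and after every append.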

PickleRick
SplunkTrust

Thank you. That's the vital piece of information I've been missing. After the fifth or sixth reading I finally noticed that the docs say "one or more CA certificates".

It does work indeed!

0 Karma