Multiple CAs in cluster?

PickleRick
SplunkTrust

Hi There.

I know I can use multiple inputs/outputs with separate CAs and even certs to permit different peers to inject data into the Splunk installation.

But I have a different situation. I have a cluster installation (let's say 4 indexers and 2 search heads) which is configured to use the (RootCA->Intermediate1) chain for cert verification, and the servers just present the "final" cert without the certification chain. I don't know why it was done this way instead of properly configuring just RootCA for verification and configuring the components to present the full certification chain; I "inherited" this installation, so it was already like that when I got it.

I need to add another indexer to the installation. The problem is that now we have another Intermediate2 CA, and I'm getting new certs from that new Intermediate2 CA (which is a subordinate of the same RootCA as Intermediate1). Is there any reasonable way to avoid a full reconfiguration of the CAs? Can I provide Splunk, for example, with a set of two different CAs with which it would try to authenticate the peer?

I know I should just reconfigure all members to "properly" use RootCA, but it's a big operation and requires full system downtime. If I could just reconfigure the system piece by piece, that would be great.


splunkyj
Path Finder

I just replaced our system to use third-party certificates. If your question is just regarding the root CA, which is defined in:

etc/system/local/server.conf

[sslConfig]

sslRootCAPath = /opt/splunk/etc/auth/foldername_root_CA/name_Root_CA.pem


We used the same path for all of our root CAs, for all our instances. If you go to that path, in this example /opt/splunk/etc/auth/foldername_root_CA/name_Root_CA.pem, open up name_Root_CA.pem. Copy the new root CA that has been converted to .pem and paste it into name_Root_CA.pem by adding it. You're not replacing the whole thing, just adding the new CA.

Copy from -----BEGIN CERTIFICATE-----, all the way to -----BEGIN CERTIFICATE-----

Your new server certificates, however, will need the whole certificate chain in .pem format. You can find the path in server.conf as well:

etc/system/local/server.conf

[sslConfig]

serverCert = $SPLUNK_HOME/etc/auth/servername_or_whatever/fqdn_cert.pem

The instructions to prepare your certificates can be found here: https://docs.splunk.com/Documentation/Splunk/8.0.4/Security/HowtoprepareyoursignedcertificatesforSpl...

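As an added example (not code from the thread or from Splunk), the script below builds the RootCA -> Intermediate1 / Intermediate2 hierarchy described above with openssl, issues an indexer cert under each intermediate, and shows that a bundle holding only RootCA + Intermediate1 rejects the new indexer's cert while the same bundle with Intermediate2 appended accepts both. All CA and host names in it are assumed.

```shell
#!/bin/sh
# Added example, not from the thread: build RootCA -> Intermediate1 / Intermediate2
# with openssl, issue one indexer cert under each, and check which certs verify
# against a CA bundle the way sslRootCAPath would see them. Every name here
# (RootCA, Intermediate1, Intermediate2, idx*.example.test) is constructed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Intermediates must carry basicConstraints CA:TRUE; OpenSSL refuses to use a
# v1, non-self-signed cert as an issuer, so a bare "x509 -req" would not do.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# issue <name> <issuer> <extfile>: CSR for <name>, signed with <issuer>'s key.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
}

openssl req -x509 -newkey rsa:2048 -nodes -keyout RootCA.key -out RootCA.pem \
  -subj "/CN=RootCA" -days 30 2>/dev/null
issue Intermediate1 RootCA ca.ext
issue Intermediate2 RootCA ca.ext
issue idx1.example.test Intermediate1 leaf.ext   # existing indexer
issue idx5.example.test Intermediate2 leaf.ext   # the new indexer

# The inherited bundle (RootCA + Intermediate1) and the thread's fix: append the
# new intermediate to the same file instead of replacing it.
cat RootCA.pem Intermediate1.pem > old_bundle.pem
cat old_bundle.pem Intermediate2.pem > new_bundle.pem

# verifies <bundle> <cert>: the leaf is presented with no chain, exactly as the
# thread's indexers do, so the bundle alone has to contain the whole path.
verifies() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "OK   $2 against $1"
  else
    echo "FAIL $2 against $1"; return 1
  fi
}

verifies old_bundle.pem idx1.example.test.pem
verifies old_bundle.pem idx5.example.test.pem || true   # FAIL: Intermediate2 unknown
verifies new_bundle.pem idx1.example.test.pem
verifies new_bundle.pem idx5.example.test.pem
```

A bundle file is nothing more than concatenated PEM blocks, so `grep -c 'BEGIN CERTIFICATE' name_Root_CA.pem` tells you how many CAs it carries, which is the quick check this thread was missing.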

splunkyj
Path Finder

Correction:

Copy from -----BEGIN CERTIFICATE-----, all the way to -----END CERTIFICATE-----



PickleRick
SplunkTrust

Hmm...

Do you mean that I can put multiple CA certs in the pem file configured as sslRootCAPath? And all will be checked for validation of the client's cert? That'd be great.


splunkyj
Path Finder

That is correct. To make it easier to know in the future what has been concatenated together, without having to use openssl or open each one to compare, you can also place all the individual root CAs in the same folder (for reference only) and point only to that one .pem file in server.conf:

[Screenshot attached in the original post: splunkyj_0-1614609051776.png, not reproduced here]

Hope that helps. 

PickleRick
SplunkTrust

Thank you. That's the vital piece of information I've been missing. After the fifth or sixth reading I finally noticed that the docs say "one or more CA certificates".

It does work indeed!
