Security

Multiple forwarder certificates?

moseisleydk
Path Finder

How about setting up multiple certificates for forwarders, so that we are able to close parts of them?

I seems I can create several forwarder certificates (step 3), but how do I set up the indexer to allow/deny several of them, the

[SSL]
rootCA = $SPLUNK_HOME/etc/certs/cacert.pem
serverCert = $SPLUNK_HOME/etc/certs/splunk-idx-01.pem
password = changeme
requireClientCert = true

[splunktcp-ssl:9997]
compressed = true

Seems to allow all forwarder certificates...

Tags (1)

inventsekar
Super Champion

can someone please update clearly about this -
can I have two SSL certificates deployed on a single indexer? if yes, on same port or different ports?

the issue is - during Certificates renewal,
we would like to follow this process -
1. install a renewed certificate on indexer (while the old SSL certificate is still deployed)
2. deploy the renewed certificate to forwarders (while some forwarders may be still having the old certificates)
3. the UF's which got the renewed certificates will start communicating with the indexer's renewed certificate.
4. whereas, the old UF's, until certificate renewal, will still be communicating with the indexer with indexer's old certificate.

is this possible? how to add two [SSL] stanza's on outputs.conf?

[SSL]
rootCA = $SPLUNK_HOME/etc/certs/cacert.pem
serverCert = $SPLUNK_HOME/etc/certs/splunk-idx-01.pem

[SSL]
rootCA = $SPLUNK_HOME/etc/certs/renewedcacert.pem
serverCert = $SPLUNK_HOME/etc/certs/renewedsplunk-idx-01.pem

hettervi
Builder

Bump. I also want to define two [SSL] stanzas, for two different server certificates. Also, one of them would require client certificate, and the other would not. Is this possible?

EDIT: Got an answer to my own question here https://answers.splunk.com/answers/549719/two-ssl-certificates-on-a-single-indexer-forwarder.html

0 Karma

dwaddle
SplunkTrust
SplunkTrust

Aadding to gkanapathy's answer, Splunk doesn't at this time support multiple root CA certs for a single splunkd. (I am 99% sure anyway.) The password there is for unlocking key on the SSL server cert.

If you need to partition these clients, you might be able to set up a "proxy" forwarder for each of them - and let that forwarder (probably a heavy forwarder) connect to the indexers on their behalf. If you do this, you'll probably need to forgo SSL between the proxy forwarder and the indexer.

gkanapathy
Splunk Employee
Splunk Employee

A forwarder will accept any forwarder certificate that is signed by the specified rootCA file. Since all Splunk forwarders (and servers) come with the same default Splunk rootCA file, it will accept them all. If you wish to change this, you need to use a new rootCA, and distribute appropriate new client certificates to the forwarders.

moseisleydk
Path Finder

Is it possible to set up some password required from clients, or perhaps multiple CA's - one for each client "group"

0 Karma