Getting Data In

Can I use the Microsoft Cert Store for Universal Forwarder SSL Communication?

sniderwj
Explorer

I am working on getting Splunk secured with certificates. We have a requirement to ensure the integrity of our audit logs as they are transported to Splunk. This would mean that I need to use SSL/TLS between the Forwarders and the Indexers.

When I read the SSL documentation, it wants a cert file and a password in the config settings for each forwarder. This might work for a few forwarders, but we are planning on doing 1,000+ Windows clients, so this would become a management issue. I know I can force the clients to request certificates from our Enterprise CA through GPOs without much problem.

Is there a way to tell the Universal Forwarders to use the machine/host certificates without having to manually set the certificate settings or even using one certificate for all the UFs?


opoplawski
Explorer

It would be very nice if splunk could use the machine certificate in the store.


isoutamo
SplunkTrust
You could always create a request into ideas.splunk.com or vote for it if there is already one.

hettervik
Builder

Hi. We seem to have the same problem. I've tried looking up in the docs and google, but nothing. Did you ever find a solution to this?


sniderwj
Explorer

Yeah... basically we made a forwarder certificate that we push out with a deployment app with a password in the clear.

https://conf.splunk.com/session/2015/conf2015_DWaddle_DefensePointSecurity_deploying_SplunkSSLBestPr...

This conf presentation was what we based our final solution on.


jmallorquin
Builder

Hi,

The way to configure the SSL configuration is using the indexer certs. So you only need to deploy the certs of all of your indexers to all of your forwarders.

You have to configure inputs.conf in the indexer and outputs.conf in the forwarders.
Check out this link
https://wiki.splunk.com/Community:Splunk2Splunk_SSL_3rdPartyCA

Hope I help you


sniderwj
Explorer

Why are we using the Indexer certificate on the forwarders? Doing this raises a few issues for me:

  • The Forwarders are presenting the indexer's certificate. They aren't the indexer. Shouldn't certificates be used by the host/user/principal that the certificate is intended for? If I'm using the indexer certificate I can't claim non-repudiation of the events from that forwarder.
  • Password Management: Pushing out the indexer's private key password is a bit scary to me. That key shouldn't be pushed around. If I manually set the password and restart the splunkd service the password will be encrypted. If I put the config files in the deployment-apps directory on my deployment server that password won't be encrypted.

Is the local Microsoft Certificate Store not an option?
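Added here as an illustration, not part of any post in this thread: the two-sided outputs.conf / inputs.conf setup jmallorquin refers to, written so that each forwarder presents its own certificate instead of the indexer's, which is the concern sniderwj raises. Hostnames, file paths and passphrases are placeholders; the keys are standard Splunk outputs.conf, server.conf and inputs.conf settings.

```ini
# --- Forwarder side: $SPLUNK_HOME/etc/system/local/outputs.conf (or a deployment app) ---
[tcpout]
defaultGroup = secure_indexers

[tcpout:secure_indexers]
server = idx01.example.internal:9997, idx02.example.internal:9997
# Per-forwarder certificate (cert + private key in one PEM) issued by the enterprise CA,
# so events are authenticated as coming from this host, not from "an indexer"
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
# sslPassword sits here in the clear until splunkd starts and rewrites it encrypted;
# the copy kept under deployment-apps on the deployment server stays in plaintext
sslPassword = PLACEHOLDER_KEY_PASSPHRASE
# Verify the indexer's certificate chain and its Common Name, not merely that one is presented
sslVerifyServerCert = true
sslCommonNameToCheck = idx01.example.internal, idx02.example.internal

# --- Forwarder side: $SPLUNK_HOME/etc/system/local/server.conf ---
[sslConfig]
# CA bundle used to validate the indexer certificate above
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/enterprise-ca.pem

# --- Indexer side: $SPLUNK_HOME/etc/system/local/inputs.conf ---
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = PLACEHOLDER_INDEXER_KEY_PASSPHRASE
# Require every connecting forwarder to present a certificate that chains to the enterprise CA
# (mutual TLS); a host without an issued key cannot inject events
requireClientCert = true
```

With requireClientCert set, the indexer's private key never leaves the indexer, which removes the second of the two issues listed above; the plaintext passphrase in the deployment app remains.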
