Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Changing the Certificates for Universal forwarder, I know how to push the certificates out but will I need one certificate per host?

patrikl1ndh
New Member
‎12-08-2017 07:33 AM

Hi!
I'm changing the Certificates for Universal forwarder, I know how to push the certificates out but will I need one certificate per host? Or can I add the hostname in the SAN? or how do you people do that have about 3000 UF's to change on? (I only have like 50 so it is possible to do it manually)

//P

0 Karma
Reply

patrikl1ndh
New Member
‎12-12-2017 05:59 AM

Ok, to answer my own question, it is possible to input the hostname/ip in the san for thoose hosts that run UniversalForwarder which means you will only have to deal with one certificate. (if you have 150 or less hosts/entries).

Now is just the final qustion if this is really a good solution in the security point of view.
Probably since it will only be used on the local lan internally,
But probably the best looking solution would be to have one certificate per host.

0 Karma
Reply

micahkemp
Champion
‎12-11-2017 04:00 PM

You can use a single certificate for all forwarders if you like, or you could give each forwarder its own certificate. The latter is probably only worth the extra effort if you want to enable requireClientCert and sslCommonNameToCheck (and want to be able to potentially revoke, via removing from the allowed common name list, client certificates).

If you only want to enable the UFs to send over TLS to the indexers you only need the certificate on the client as a means to enable that encryption. It can certainly be reused amongst your UFs for this purpose.

0 Karma
Reply

patrikl1ndh
New Member
‎12-11-2017 10:34 PM

Hello!
Thanks for the reply, my problem is that we do a Nessus scan of the environment and it complains about certificates has the wrong hostname.

Would it be possible to set all the hosts in the SAN section of the certificate? does the splunkforwarder use it? If so I could set all the hosts in the SAN section and then I will only have to distribute one single certificate but out of security perspective I guess a single certificate for each hosts would be the best option?

0 Karma
Reply

patrikl1ndh
New Member
‎12-11-2017 10:34 PM

Hello!
Thanks for the reply, my problem is that we do a Nessus scan of the environment and it complains about certificates has the wrong hostname.

Would it be possible to set all the hosts in the SAN section of the certificate? does the splunkforwarder use it? If so I could set all the hosts in the SAN section and then I will only have to distribute one single certificate but out of security perspective I guess a single certificate for each hosts would be the best option?

0 Karma
Reply

micahkemp
Champion
‎12-12-2017 08:38 AM

Your nessus scan wouldn't necessarily see the certificate...especially if you disable the splunkd port on your universal forwarders (or just don't open up that port on your host-based firewall).

0 Karma
Reply

molinarf
Communicator
‎03-05-2018 04:30 PM

I was just alerted that a nessus scan came up with the same 'vulnerability'.

I would think that the splunkd port 8089 is required on a server running the universal forwarder but I could be wrong. Is closing the port the only way since it would be best to use the server cert for communications? If you are using port 8089 to deploy apps and such, then wouldn't that cause problems. I think each host having it's own certificate would become somewhat of a monster issue when it comes time for renewing the certs.

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎03-05-2018 11:29 PM

You can always have your universal forwarder bind to the localhost address in splunk-launch.conf, this way the 8089 port is there but only accessible on the local server...

The universal forwarders pull from the deployment server, so they do not quite the 8089 port on the forwarder to be available, the port 8089 on the deployment server must be accessible though.

I've previously read that 8089 is used by Splunk UF's but I cannot find documentation confirming this, there are some useful troubleshooting commands that use the REST port in the universal forwarder which is why I bind it to localhost as a security measure...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

shubhar87
New Member
‎09-26-2018 02:33 AM

@gjanders How do we perform mass depoyment of this change in splunk-launch.conf across all our universal forwarders? Is it possible to do this using deployment server?

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎09-26-2018 02:42 AM

There is no Splunk deployment server method to push splunk-launch.conf that I'm aware of.

You could push out a script via the deployment server that does this once off and then delete the script/app. Or make it part of your build process

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

patrikl1ndh
New Member
‎12-12-2017 12:05 PM

Oh, darn. (all this job for "nothing")
I've always thought that port 8089 was used by the deployment server to send the apps.
So in other words it would be possible to disable port 8089, what are the consequences of doing it?

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...