Deployment Architecture

Bootstrapping a secure management configuration with company certificates

afx
Contributor

Distributing certificates to forwarders for the indexer configuration works fine in Splunk.
But what about the management communication?
It seems to be a chicken and egg problem.
Can this be done via the deployment mechanism, sending the forwarders appropriate configuration and certificates?
But then as soon as that configuration is active, the deployment server will no longer accept the connections until that is switched as well. Or is there a fallback mechanism to internal certs that allows a smooth transition?
thx
afx

brettwilliams
Path Finder

I've run into this myself...  if a Splunk instance starts, and there is no SSL configuration anywhere, Splunk creates its own in etc/system/local.  Which can't be overridden.  I could conjure up something creative on the Linux forwarders...  but Windows, yeah, right...  not gonna happen.

For the forwarders that I control, this is easy to fix.  But for the forwarders I don't control, I'm just a few mouse clicks away from doom when I'm making changes in Forwarder Management.  If I accidentally pull the 8089 certs, I have to go get many, many people to touch every single forwarder to manually fix it.  Maybe we shouldn't distribute SSL certs for 8089 via deployment server.  But without any other options, at least in my enterprise, I don't see any alternatives.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...