Hi Splunkers!
I would like to secure splunkd (port 8089) on Splunk Universal Forwarders by using a throwaway self-signed certificate.
I tried the following methods:
1) Using msiexec to install Splunk Universal Forwarder, and also include the throwaway certificate for the forwarders
msiexec.exe /i splunkforwarder-<version>.msi DEPLOYMENT_SERVER="<deployment_server>:8089" AGREETOLICENSE=Yes CERTFILE=<throwaway forwarder certificate>.pem CERTPASSWORD=<private key password> /quiet
This method will install Splunk Universal Forwarder, and add the certificate into $SPLUNK_HOME\etc\auth . However, after installation, it still uses the default Splunk certificate in $SPLUNK_HOME\etc\system\local\server.conf .
2) Deploy an app containing server.conf to the deployment clients
[sslConfig]
serverCert = $SPLUNK_HOME\etc\apps\ssl_app\cert\<throwaway forwarder certificate>.pem
sslPassword = <private key password>
sslVersions = tls
I understand this method does not work, as the configuration in $SPLUNK_HOME\etc\system\local\server.conf will replace any configuration done in the app.
May I know the following:
a) What is the best way to configure Splunk Universal Forwarders to use a self-signed certificate for splunkd during installation?
b) What is the best way to configure Splunk Universal Forwarders to use a self-signed certificate for splunkd after installation?
Thanks!
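The precedence behaviour described in method 2, as an added example that is not part of the original post: a small resolver that merges server.conf layers in Splunk's global-context order (system/local, then app local, then app default, then system/default) and reports which layer wins each setting. The layer contents are constructed samples, the app's server.conf is assumed to sit in the app's local directory, and the names `LAYERS`, `rank` and `resolve` are hypothetical.

```python
import configparser

# Constructed server.conf fragments keyed by path under $SPLUNK_HOME/etc.
# Values in <...> are placeholders, not real settings from any host.
LAYERS = {
    "system/local": [
        "[sslConfig]",
        r"serverCert = $SPLUNK_HOME\etc\auth\<default certificate>.pem",
        "sslPassword = <hashed default password>",
    ],
    "apps/ssl_app/local": [  # assumed location of the deployed app's server.conf
        "[sslConfig]",
        r"serverCert = $SPLUNK_HOME\etc\apps\ssl_app\cert\<throwaway forwarder certificate>.pem",
        "sslPassword = <private key password>",
        "sslVersions = tls",
    ],
}

def rank(layer):
    """Sort key: lower sorts first and wins. Apps tie-break by name in ASCII order."""
    parts = layer.split("/")
    if parts[0] == "system":
        return (0, "") if parts[1] == "local" else (3, "")
    return (1 if parts[2] == "local" else 2, parts[1])

def resolve(layers):
    """Return {stanza: {key: (value, winning_layer)}} merged per setting."""
    merged = {}
    for layer in sorted(layers, key=rank):
        cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
        cp.optionxform = str  # keep key case, e.g. serverCert
        cp.read_string("\n".join(layers[layer]))
        for stanza in cp.sections():
            for key, value in cp[stanza].items():
                # First layer to define a key wins; lower layers only fill gaps.
                merged.setdefault(stanza, {}).setdefault(key, (value, layer))
    return merged

if __name__ == "__main__":
    for stanza, settings in resolve(LAYERS).items():
        print(f"[{stanza}]")
        for key, (value, layer) in settings.items():
            print(f"{layer:<20} {key} = {value}")
```

The merge is per setting, not per file: the app still supplies sslVersions here, and it would supply serverCert as well if system/local did not define it. On a real forwarder, `splunk btool server list sslConfig --debug` reports the winning file for each setting.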