Appendix C: Enabling SSL between the universal forwarders and the Splunk indexers using your certificates
The procedure for enabling SSL between the universal forwarders and the Splunk indexers using your certificates is described below. In summary, the following steps are required:
Set the variable
splunk_ssl
toyes
ingroup_vars/all/vars
Put your root CA certificate and your server certificate files in
files/splunk/linux/SPLUNK_HOME/etc/mycerts
Uncomment the
[sslConfig]
stanza in the filefiles/splunk/linux/SPLUNK_HOME/etc/system/local/server.conf
Limitations
SSL only works with Linux worker nodes. The Universal Forwarders verify that the indexers they connect to have a certificate signed by the configured root CA and that the Common Name in the certificate presented by the indexer matches its FQDN as listed by the variable
splunk_architecture_forward_servers
.
Prerequisites
Configure your indexers to use SSL on port 9998. The following is an example inputs.conf
file located in $SPLUNK_HOME/etc/system/local
that enables SSL on port 9998 and configures the certificate file for use by the indexer itself, in this instance /opt/splunk/etc/mycerts/indexer.pem
.
[splunktcp-ssl://9998]
disabled=0
connection_host = ip
[SSL]
serverCert=/opt/splunk/etc/mycerts/indexer.pem
#requireClientCert = true
#sslAltNameToCheck = forwarder,forwarder.cloudra.local
[tcp://1514]
connection_host = dns
sourcetype = ucp
For more information, see the documentation at https://docs.splunk.com/Documentation/Splunk/7.1.2/Security/ConfigureSplunkforwardingtousesignedcertificates. In addition, you can see how to create your own certificates and the content of the file designated with serverCert
at http://docs.splunk.com/Documentation/Splunk/7.1.2/Security/Howtoself-signcertificates.
In this instance, the folder mycerts
was created under /opt/splunk/etc
and the file indexer.pem
was copied to this folder.
Indexers are configured with the Root CA cert used to sign all certificates. This can be achieved by editing the file server.conf
in $SPLUNK_HOME/etc/system/local
on your indexer(s). The following code block shows the relevant portion of this file where sssRootCaPath
is pointing to the root CA certificate.
[sslConfig]
sslRootCAPath = /opt/splunk/etc/mycerts/ca.pem
Note: In order to be able to download and install additional applications, you may want to append the file $SPLUNK_HOME/auth/appsCA.pem
to your ca.pem
file. If you don't do this, the Splunk UI will make this suggestion when you attempt to Find more apps
.
Splunk should be restarted on the indexers if you had to make these changes (see the Splunk documentation for more information).
Before you deploy
Generate the forwarder certificate and name it forwarder.pem
. Make sure that you copy the root CA certificate to ca.pem
Copy both the ca.pem
and the forwarder.pem
files to files/splunk/linux/SPLUNK_HOME/etc/mycerts/
(overwriting any existing files).
Edit the file server.conf
in the folder files/splunk/linux/SPLUNK_HOME/etc/system/local
and uncomment the last two lines as suggested in the file itself. Your file should look like this:
#
# uncomment the section below if you want to enable SSL
#
[sslConfig]
sslRootCAPath = /opt/splunkforwarder/etc/mycerts/ca.pem
Set splunk_ssl
to yes
in the file group_vars/all/vars
, uncommenting the line if required. Make sure that the splunk_architecture_forward_servers
list specifies all your indexers together with the port that was configured to accept SSL:
monitoring_stack: splunk
splunk_ssl: yes
splunk_architecture_forward_servers:
- indexer1.cloudra.local:9998
- indexer2.cloudra.local:9998
Hybrid environment Linux / Windows
Currently, you cannot deploy your own certificates for use by the Universal Forwarders deployed on Windows machines. If you want to have your Linux machines in a hybrid deployment to use SSL, proceed as follows.
Comment out the splunk_architecture_forward_servers
variable (and its values) from group_vars/all/vars
monitoring_stack: splunk
splunk_ssl: yes
#splunk_architecture_forward_servers:
# - hpe2-ansible.cloudra.local:9998
Create a file named vms.yml
in the folder group_vars
and specify the list of forward servers to use by the Linux servers. This list is typically the same as the one used for Windows servers but specifies a TCP port that enables SSL.
splunk_architecture_forward_servers:
- hpe2-ansible.cloudra.local:9998
Edit the group_vars/windows_box.yml
file and specify the list of forward servers to be used by the Windows servers. This list is typically the same as the one used for Linux servers but specifies a TCP port that does not enable SSL.
splunk_architecture_forward_servers:
- hpe2-ansible.cloudra.local:9997