Securing the data in motion from Cribl host to Splunk Indexer using TLS certs

A series of 4 blogs about Encrypting data in motion between Splunk and Cribl

InfoSecNinja
Sep 19, 2023

In this third part of the blog series, we will use the generated TLS certs/key to encrypt data in motion from the Cribl log source/client to the Splunk indexer destination/server.

If you don't have the necessary TLS certificates, ask your enterprise IT security department, or, to explore how a freely available service can be used for this, see the previous part of this blog series.

At a high level, this is what we are trying to do:

  1. Configuring the TLS certs settings in Cribl — Step 1
  2. Configuring the TLS certs settings in Splunk Enterprise — Steps 2, 3 & 4 as mentioned below

Step 1 — Defining the certificate and keys within Cribl and configuring the Cribl destination to use them in its TLS settings (client side).

In Cribl, add the cert and key pair.
The picture below shows the settings, which are self-explanatory.

Image 1

Once the above configs are saved and the mentioned cert is selected, it will look like this:

Image 2

Step 2 — On the Cribl destination, i.e. the receiving indexer side, the private key and cert are staged in the /opt/splunk/etc/auth/mycerts/ directory.

ca.pem = We have appended the intermediate CA cert and the root CA cert one after another to keep them together in one file, named ca.pem, and staged this cert file via the Splunk server CLI in the /opt/splunk/etc/auth/mycerts/ directory.

Image 3

Step 3 — We have to define this ca.pem file within Splunk’s server.conf.

server.conf — This is where we define the path to ca.pem, the intermediate + root CA chain file present on the same host, under the sslConfig stanza of server.conf.

Image 4
Image 5

Step 4 —

inputs.conf — This is where we define the chain of serverCert+privateKey+intermediateCert+rootCAcert named as certkeycertchain.pem

Image 6
Image 7
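
The bundle layout described in Steps 2 to 4, as an added example that is not part of the original post: a shell script that concatenates the files in the stated order and checks the PEM block sequence of each result. The input file names server.pem, server.key, intermediate.pem and root.pem are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Input file names (server.pem,
# server.key, intermediate.pem, root.pem) are assumptions; the output names
# and concatenation order follow Steps 2 and 4.

# Print a file's PEM block types in order, comma-separated. Any private key
# label (PRIVATE KEY, RSA/EC/ENCRYPTED PRIVATE KEY) is reported as KEY.
pem_layout() {
  tr -d '\r' < "$1" |
    sed -n '/^-----BEGIN /{s/^-----BEGIN \(.*\)-----$/\1/;s/.*PRIVATE KEY$/KEY/;p;}' |
    paste -sd, -
}

# build_bundles SRC_DIR OUT_DIR
build_bundles() {
  bb_src=$1; bb_out=$2
  mkdir -p "$bb_out" || return 1
  # ca.pem: intermediate CA cert, then root CA cert.
  cat "$bb_src/intermediate.pem" "$bb_src/root.pem" > "$bb_out/ca.pem" || return 1
  # certkeycertchain.pem: server cert, private key, intermediate, root.
  cat "$bb_src/server.pem" "$bb_src/server.key" \
      "$bb_src/intermediate.pem" "$bb_src/root.pem" \
      > "$bb_out/certkeycertchain.pem" || return 1
  # This bundle holds the private key, so restrict it to its owner.
  chmod 600 "$bb_out/certkeycertchain.pem"
}

# check_bundles DIR: return 0 only if both files have the expected layout.
check_bundles() {
  cb_ca=$(pem_layout "$1/ca.pem")
  cb_chain=$(pem_layout "$1/certkeycertchain.pem")
  case "$cb_ca" in
    *KEY*) echo "ca.pem must not contain a key" >&2; return 1 ;;
  esac
  [ "$cb_ca" = "CERTIFICATE,CERTIFICATE" ] ||
    { echo "ca.pem layout is '$cb_ca'" >&2; return 1; }
  [ "$cb_chain" = "CERTIFICATE,KEY,CERTIFICATE,CERTIFICATE" ] ||
    { echo "certkeycertchain.pem layout is '$cb_chain'" >&2; return 1; }
}

# Run as: sh bundles.sh SRC_DIR OUT_DIR
if [ "$#" -eq 2 ]; then
  build_bundles "$1" "$2" && check_bundles "$2" && echo "bundles OK in $2"
fi
```

The check is structural only: it confirms the order and type of the PEM blocks, not that the certificates actually chain to one another.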
