Splunk® User Behavior Analytics

Administer Splunk User Behavior Analytics

Replace Job Manager certificate with a third-party certificate

To replace the Splunk UBA Job Manager certificate with a third-party certificate, complete the following steps on the management node (node 1):

  1. If UBA is running, stop UBA services using the following command:
    /opt/caspida/bin/Caspida stop
  2. Make a copy of /etc/caspida/conf/jobconf/keystore.jm for backup and place the copy in /home/caspida or another directory of your choosing:
    cp /etc/caspida/conf/jobconf/keystore.jm /home/caspida/keystore.jm
  3. Delete the current certificate stored in the Job Manager keystore:
    sudo keytool -delete -alias "jmserver" -keystore /etc/caspida/conf/jobconf/keystore.jm
  4. Bundle the certificate with the private key of the server into a PKCS#12 file:
    openssl pkcs12 -export -in certificate.pem -inkey private_key.pem -name jmserver -out generated_key.p12

    Replace certificate.pem with the path to the certificate. Replace private_key.pem with the path to the private key.

    Export password must be the same as the /etc/caspida/conf/jobconf/keystore.jm password of "password".

  5. Import the PKCS#12 file into the keystore for Job Manager:
    keytool -importkeystore -destkeystore <pre>/etc/caspida/conf/jobconf/keystore.jm -srckeystore generated_key.p12 -srcstoretype PKCS12

    When prompted for the password, use "password".

  6. Confirm that the certificate is imported correctly by reviewing the output of the following command. Look for the information of Issuer/Owner:
    sudo keytool -list -v -keystore /etc/caspida/conf/jobconf/keystore.jm
  7. Sync the cluster:
    /opt/caspida/bin/Caspida sync-cluster /etc/caspida/conf/jobconf/
  8. Restart UBA:
    /opt/caspida/bin/Caspida start
Last modified on 26 August, 2024
Change the IP address of your Docker containers   Send Splunk UBA data to Splunk Enterprise Security

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.4.0, 5.4.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters