Splunk® User Behavior Analytics Kafka Ingestion App

Splunk UBA Kafka Ingestion App

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Configure two-way SSL communication for Kafka data ingestion

Change from SASL authentication to two-way SSL authentication for communication between the indexers on your Splunk platform and Kafka in Splunk UBA.

You can only perform the following procedures in your Splunk Enterprise deployment as an on-prem customer. This configuration is not supported if you are using Splunk Cloud Platform.

Obtain a root CA

If you don't already have a certificate from a root certificate authority (CA), you can create a self-signed root certificate using OpenSSL. Include the number of days this certificate is considered valid and store the certificate key in a secure location.

You can skip step 1 of this process if you already have a root certificate authority (CA).

Perform the following steps to create a self-signed CA OpenSSL:

  1. Create a self-signed root certificate using OpenSSL:
    openssl req -new -x509 -keyout new-ca-key -out new-ca-cert -days <number of valid day>
  2. Retrieve the keystore location and keystore password from the /opt/caspida/conf/kafka/kafka.properties file:
    ssl.keystore.location=<keystore location>
    ssl.keystore.password=<keystore password>
  3. Move the current CA certificate out of the way. You will need to provide the keystore location and password you obtained in the previous step:
    keytool -keystore <keystore location> -storepass <keystore password> -alias caroot -changealias  -destalias "original-caroot"
  4. Import the new root certificate into the key store:
    keytool -keystore <keystore location> -storepass <keystore password> -alias CARoot -importcert -file new-ca-cert

Update certification configuration on each Kafka node

For each Kafka node in UBA, perform the following steps:

  1. Log into the node as the caspida user.
  2. Retrieve the keystore location and keystore password from the /opt/caspida/conf/kafka/kafka.properties file:
    ssl.keystore.location=<keystore location>
    ssl.keystore.password=<keystore password>
  3. Import the root CA into a new truststore:
    keytool -keystore /opt/caspida/conf/kafka/auth/server.truststore.jks -storepass <keystore password> -alias CARoot -importcert -file new-ca-cert
  4. Modify /opt/caspida/conf/kafka/kafka.properties as follows:
    1. Change the following line:
      listeners=PLAINTEXT://:9092,SASL_SSL://:9093

      To:

      listeners=PLAINTEXT://:9092,SSL://:9093
    2. Add the following lines:
      ssl.truststore.location=/opt/caspida/conf/kafka/auth/server.truststore.jks
      ssl.truststore.password=<keystore password>
      ssl.client.auth=required
  5. Restart Caspida:
    /opt/caspida/bin/Caspida stop-kafka
    /opt/caspida/bin/Caspida start-kafka

Configure your Splunk search heads

Create and configure the local/ubakafka.conf file on your search heads to override the default settings in the ubakafka.conf file.

Configure a single search head

Perform the following steps on your Splunk search head:

  1. Create a new client key:
    openssl genrsa -out client-key 4096
  2. Create a certificate request:
    openssl req -new -key client-key -out client-csr
  3. Create a client certificate with your root CA and certificate request. Include the number of days this certificate is considered valid.
    Store this in the bin/auth directory of the UBA Kafka Ingestion App.
    openssl x509 -req -CA new-ca-cert -CAkey new-ca-key -in client-csr -out client-cert -days <number of valid day> -CAcreateserial
  4. Create or update the local/ubakafka.conf file under the UBA Kafka Ingestion App root directory.
    [kafka]
    security_protocol = SSL
    ca_cert_file = new-ca-cert
    client_cert_file = client-cert
    client_key_file = client-key
    
  5. Restart Splunk. Run the following command from the $SPLUNK_HOME/bin directory:
    ./splunk restart

Configure a search head cluster

Perform the following steps to configure a search head cluster:

  1. Create a new client key:
    openssl genrsa -out client-key 4096
  2. Create a certificate request:
    openssl req -new -key client-key -out client-csr
  3. Create a client certificate with your root CA and certificate request. Include the number of days this certificate is considered valid.
    openssl x509 -req -CA new-ca-cert -CAkey new-ca-key -in client-csr -out client-cert -days <number of valid day> -CAcreateserial
  4. Copy the root CA, client key and client certificate to the bin/auth directory of the UBA Kafka Ingestion App of each search head.
  5. On the search head cluster deployer, create or update the local/ubakafka.conf file under the UBA Kafka Ingestion App root directory.
    [kafka]
    security_protocol = SSL
    ca_cert_file = new-ca-cert
    client_cert_file = client-cert
    client_key_file = client-key
  6. Push the bundle to the search head cluster.
    See Use the deployer to distribute apps and configuration updates in the Splunk Enterprise Distributed Search manual for more information about using the deployer to push configuration changes to search head cluster members.
Last modified on 01 March, 2022
PREVIOUS
Enable hostname verification for Kafka data ingestion
 

This documentation applies to the following versions of Splunk® User Behavior Analytics Kafka Ingestion App: 1.4.1, 1.4.2


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters