Enable SSL verification for inter server communication #16
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In order to regenerate the lookups especially the taglist on recreation the lookups folder is not shared.
gjanders
reviewed
Feb 12, 2021
Owner
gjanders
left a comment
gjanders
left a comment
There was a problem hiding this comment.
Overall this looks great, I just don't understand the places that have ", *," in the arguments to functions...
Owner
|
Thankyou very much for your contribution |
gjanders
added a commit
that referenced
this pull request
Feb 17, 2021
…sslVerify option to pass in the CA certificate file, or to leave SSL validation disabled In addition this pull request adds a requestingAddress which optionally controls the call-back ip when using the postversioncontrolrestore command Finally this pull requests adds scripts and a testing suite using docker Updated python SDK to 1.6.15 Minor fixes to the pull request
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
We would very much like to use the SplunkVersionControl app in our deployment.
In order to comply with our security policy all communication between servers has to be encrypted and verified using ssl certificates.
I created an additional setting to enable certificate verification.
In order to test the configuration I created a docker-compose and docker-splunk based environment in the
testsubfolder.SSL verification for localhost communication is still disabled.
I would appreciate your feedback on the topic and would be pleased if you could merge the changes and publish them in your splunkbase app (after some more review and testing).
Technical Details
My primary focus was on the distributed deployment where a monitoring console or other backup host stores snapshots of the knowledge objects from other hosts.
I focused on the dynamic restore as this is what we want to use.
Testing
In order to test use
docker-compose upin the test folder. This will create 3 containers. The first is only used to generate certificates.The second and third are actual splunk instances. One is configured as a single searchhead and the other as monitoring console. The monitoring console will be responsible for backing up and restoring the data.
In order to test the original functionality without ssl, the ssl settings in
test/sh_defaults.ymlandtest/bkp_defaults.ymlcan be removed.Backconnection
In order make the back-connection from rest_restore to the searchhead work, I had to add another url macro (
restoreAddress).Maybe this could be incorporated to the restore
input.conf.Validators
In order to validate the sslVerify setting I used the splunklib validators. If you think this too much code the validators could be replaced by a simple
distutils.util.strtoboolconversion and check.