In this video, we’re going to configure pxGrid on Splunk. Once that’s completed, you’ll be able to quarantine endpoints from Splunk using ISE. This requires a bit more setup than your usual pxGrid configuration, so I’ll include the commands I used in this post so you can copy and paste the Linux portion. Whether you’re using CA-signed or self-signed certificates for pxGrid in your ISE environment, this configuration should work.
BIG shoutout to my co-worker John Eppich who helped me out with the workflow part of this video. He’s the one who writes all the official pxGrid guides and is an awesome guy.
Concatenating the ISE certificates:
cat CertificateServicesEndpointSubCA-ise_.cer CertificateServicesRootCA-ise_.cer CertificateServicesNodeCA-ise_.cer securitydemo-AD1-CA_.cer > CA1.cer
Creating the mac.p12 file:
openssl pkcs12 -export -out mac.p12 -inkey splunk_10.1.100.20.key -in splunk_10.1.100.20.cer -chain -CAfile CA1.cer
Creating the “mac” Java keystore from the PKCS12 file:
keytool -importkeystore -srckeystore mac.p12 -destkeystore mac.jks -srcstoretype PKCS12
Migrating the keystore to PKCS12 format (keytool prints a warning recommending this after the import above; the original is backed up as mac.jks.old):
keytool -importkeystore -srckeystore mac.jks -destkeystore mac.jks -deststoretype pkcs12
Converting the combined cert to DER (openssl x509 only reads the first certificate in a PEM bundle, so CA1.der contains just the first cert from CA1.cer; the other CAs are imported individually below):
openssl x509 -outform der -in CA1.cer -out CA1.der
Creating the new caroot1.jks keystore and importing the new combined cert into it:
keytool -import -alias CAroot -keystore caroot1.jks -file CA1.der
Importing the pxGrid client certificate into the mac.jks keystore:
keytool -import -alias splunk -keystore mac.jks -file splunk_10.1.100.20.cer
Importing the new combined cert into the mac.jks keystore (like openssl x509, keytool -import takes only the first certificate in the file; the full chain is already in mac.jks from the -chain option used when creating mac.p12):
keytool -import -alias CAroot -keystore mac.jks -file CA1.cer
Importing the ISE Certificate Services Root CA cert into the caroot1.jks keystore:
keytool -import -alias cert1 -keystore caroot1.jks -file CertificateServicesRootCA-ise_.cer
Importing the Active Directory root cert into the caroot1.jks keystore:
keytool -import -alias cert2 -keystore caroot1.jks -file securitydemo-AD1-CA_.cer
Moving both files to the appropriate Splunk ISE app directory:
mv ./mac.jks /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/certs/mac.jks
mv ./caroot1.jks /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/certs/caroot1.jks
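The steps above build the two keystores by hand, and two of them (openssl x509 and keytool -import) silently use only the first certificate in CA1.cer. The script below is an added example, not code from the original post or from the Splunk ISE app: it builds a throwaway root CA, sub CA and client certificate with openssl so it runs offline, concatenates the CA certs in the same order as the post, shows that openssl x509 sees only the first one, verifies the client certificate against the whole bundle with openssl verify, and splits the bundle so each CA can be imported into a Java truststore under its own alias. Every CN, path, password and alias in it is a constructed test value; the keytool import is skipped if keytool is not installed.

```shell
# Added example, not from the original post: build a throwaway root -> sub CA -> client
# chain with openssl, mirror the post's bundle step, verify the client cert against the
# bundle, and split the bundle so every CA can be imported into a Java truststore under
# its own alias. All names, CNs, passwords and paths here are constructed test values.
set -eu

# Write one file per certificate from a concatenated PEM bundle and print the count.
# Needed because openssl x509 and keytool -import(cert) only read the first
# certificate in a PEM file.
split_pem_bundle() {
  local bundle="$1" outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n); inside = 1 }
    inside { print > f }
    /-----END CERTIFICATE-----/   { inside = 0; close(f) }
    END { print n + 0 }
  ' "$bundle"
}

# Subject of the only certificate openssl x509 sees in a bundle: the first one.
first_cert_subject() {
  openssl x509 -in "$1" -noout -subject
}

# Verify a client cert against a PEM bundle; unlike x509, openssl verify reads
# every certificate in -CAfile. Returns 0 on success.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed two-tier test PKI (root CA, sub CA, client cert) plus the
# concatenated bundle CA1.cer, in the same order the post uses (sub CA first).
make_test_pki() {
  local d="$1"
  mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
    -keyout "$d/root.key" -out "$d/root.cer" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Sub CA" \
    -keyout "$d/sub.key" -out "$d/sub.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/sub.csr" -CA "$d/root.cer" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/sub.cer" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=splunk-test" \
    -keyout "$d/client.key" -out "$d/client.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/client.csr" -CA "$d/sub.cer" -CAkey "$d/sub.key" \
    -CAcreateserial -out "$d/client.cer" >/dev/null 2>&1
  cat "$d/sub.cer" "$d/root.cer" > "$d/CA1.cer"
}

# Import every certificate in a bundle into a truststore, one alias each
# (keytool required; the store is created if it does not exist). Prints the count.
import_bundle_to_truststore() {
  local bundle="$1" store="$2" pass="$3" tmp i=0 f
  tmp=$(mktemp -d)
  split_pem_bundle "$bundle" "$tmp" >/dev/null
  for f in "$tmp"/cert*.pem; do
    i=$((i + 1))
    keytool -importcert -noprompt -alias "ca$i" -keystore "$store" \
      -storepass "$pass" -file "$f" >/dev/null 2>&1
  done
  rm -rf "$tmp"
  echo "$i"
}

# Stand-alone run: everything happens in a temporary directory and is cleaned up.
demo() {
  local d
  d=$(mktemp -d)
  make_test_pki "$d"
  echo "first cert in bundle: $(first_cert_subject "$d/CA1.cer")"
  echo "certs in bundle:      $(split_pem_bundle "$d/CA1.cer" "$d/split")"
  verify_chain "$d/CA1.cer" "$d/client.cer" && echo "client chain verifies against CA1.cer"
  if command -v keytool >/dev/null 2>&1; then
    echo "imported $(import_bundle_to_truststore "$d/CA1.cer" "$d/caroot1.jks" changeit) CA(s) into caroot1.jks"
  else
    echo "keytool not installed; skipping truststore import"
  fi
  rm -rf "$d"
}

demo
```

Run it as-is to see the first-cert pitfall: the bundle holds two certificates, but openssl x509 reports only the sub CA. For the real ISE bundle, point split_pem_bundle at CA1.cer and import_bundle_to_truststore at caroot1.jks instead of relying on a single CAroot alias.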
Testing the keystores against pxGrid with the built-in script (both keystore passwords are passed on the command line, so they will end up in your shell history):
java -jar /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/lib/pxGrid_Search.jar 10.1.100.21 splunktest /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/certs/mac.jks ISEisC00L /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/certs/caroot1.jks ISEisC00L 192.168.1.10 quarantine_ip
The format for the above is:
java -jar /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/lib/pxGrid_Search.jar ise-ip-address pick-a-test-name /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/certs/mac.jks keystore-password /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/certs/caroot1.jks keystore-password pick-any-ip-address quarantine_ip