I picked, prepared, and pickled the onions in the space of one day. The onions were Barletta type (they have early maturity and are naturally small in size) and I used this recipe. I haven't eaten one yet (they need to mature for a few weeks) so I can't vouch that either of things are net positives!
The personal blog of Matt Buckley-Golder. Almost everything on this blog is wrong, but it's usually my best attempt at expressing the truth as I know it at the point in time I write it.
Tuesday, August 04, 2020
Homemade (and grown!) English-style pickled onions
English-style pickled onions in malt vinegar are an acquired taste, but I have firmly acquired it.
Monday, August 03, 2020
PowerShell and passing command-line arguments to external scripts
I like PowerShell a lot, but occasionally you run into something that seems mind-bendingly over-engineered. The simple act of calling an external script and passing command-line arguments to it is one of those things.
Which produces the expected output:
To avoid wasting any more of your time, here is the best way I have found to do it.
I will call the following Python script my_script.py from PowerShell, which simply prints out the arguments passed to Python:
import sys
for i in range(len(sys.argv)): print("my_script args: " + str(i) + ": " + str(sys.argv[i]))
The script is called from PowerShell by putting the Python command-line arguments into an array and passing them to the external script using the Splat operator.
# Put Python command-line arguments into an array
$cmd_args = @("c:\temp\my_script.py", "-f", "c:\myfile.txt", "-t", "5")
# Call the Python executable, supplying arguments using the Splat operator
& python.exe @cmd_args
my_script args: 0: c:\temp\my_script.pymy_script args: 1: -fmy_script args: 2: c:\myfile.txtmy_script args: 3: -tmy_script args: 4: 5
Splunk and the self-signed certificate on port 8089
I'm writing this post after finding a solution to this problem. Pieces of the solution were scattered around the web but I didn't find them all in one place.
Problem
Splunk's ports when accessed using SSL/TLS are by default protected with a self-signed certificate. Many Enterprises are beginning to scan for these cases and flagging them for remediation so that the encrypted communications are protected by a certificate signed by the Enterprise itself.
Using an alternate certificate for the Splunk web UI (port 8000 by default) is well-documented but I did not feel that it was documented well for the management port (port 8089 by default).
Solution
The solution has a few steps:
- Generate a Certificate Signing Request (CSR) and private key.
- Use the CSR to obtain a signed certificate from a Certificate Authority (CA)
- Obtain the Root CA certificate chain for the organization that provided the signed certificate
- Combined outputs of steps 1-3 as required by Splunk
- Configure Splunk to use the items in step 4
- Restart Splunk
Before going further, consider whether you need the management port to be enabled for Universal Forwarders (UF). It is not required for forwarder management from the web UI, nor for deployment apps. It is required for API or CLI communication with the UF. If you don't use these features then you can simple disable the port by putting the following in server.conf and restarting the UF.
[httpServer]
disableDefaultPort = true
However, if you want to leave the port open and protect it with your own certificate then read on.
And, unless you have changed the default configuration, Splunk KV stores on the same server will also be protected by the configuration applied in this post.
Step 1: Generate a Certificate Signing Request (CSR) and private key.
These steps will leave you with a CSR stored in server_conf.csr and a private key in server_conf.key
Linux
openssl req -out server_conf.csr -new -newkey rsa:2048 -keyout server_conf.key
Windows
REM SPLUNK_HOME is the root of your Splunk Enterprise installation
set SPLUNK_HOME="C:\Program Files\Splunk"
REM TMP will hold the generated private key and CSR filesset TMP=C:\TEMP
REM Generate the private key for the certificate.
%SPLUNK_HOME%\bin\splunk cmd openssl genrsa -des3 -out %TMP%\server_conf.key 2048
REM Generate the CSR request file%SPLUNK_HOME%\bin\splunk cmd openssl req -new -key %TMP%\server_conf.key -out %TMP%
\server_conf.csr
You should leave this step with two outputs:
- CSR file
- Private key
Step 2: Use the CSR to obtain a signed certificate from a Certificate Authority (CA)
Step 3: Obtain the Root CA certificate chain for the organization that provided the signed certificate
The method to accomplish Step 2 and 3 will vary by CA, but you will normally need to provide your CSR file as part of the process.
You should leave these steps with:
- CA-signed certificate provided by your CA
- Root CA and Intermediate CA certificates provided by your CA
Step 4: Combine outputs of steps 1-3 as required by Splunk
All of the files you have created so far are plaintext files. They need to be combined in specific ways:
- Root CA and Intermediate CA certificates combined into a single file (example: server_conf_root.pem)
- CA-signed certificate and private key (example: server_conf.pem)
By "combined", I literally mean to copy and paste the contents of the files you received into a single file, one after the other. The example filenames above will be used in subsequent steps.
Store the files in a location accessible by your Splunk installation that will not be affected by upgrades. For example, you may choose to create a directory like $SPLUNK_HOME/etc/auth/mycerts, giving you these files:
- $SPLUNK_HOME/etc/auth/mycerts/server_conf_root.pem
- $SPLUNK_HOME/etc/auth/mycerts/server_conf.pem
Step 5: Configure Splunk to use the items in step 4
Modify your server.conf file to include these attributes:
[sslConfig]enableSplunkdSSL = trueserverCert = /opt/splunk/etc/auth/mycerts/server_conf.pemsslRootCAPath = /opt/splunk/etc/auth/mycerts/server_conf_root.pemsslPassword = <key password entered during CSR creation>
Note that, when you restart Splunk in a subsequent step, the sslPassword value will be replaced with a hash of the value by Splunk. As long as everything is working you do not need to worry about it.
Step 6: Restart Splunk
This step hopefully does not need any elaboration!
After the restart, you can use a browser to access the management port (i.e. https://splunk.mycompany.com:8089) and confirm that it is using your CA-signed certificate using the browser's certificate inspection functionality.
Unless you have changed the default configuration, Splunk KV stores on the same server will also be protected by the configuration applied in this post.
Subscribe to:
Posts (Atom)