<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: SSL Certs and verification in Security</title>
    <link>https://community.splunk.com/t5/Security/SSL-Certs-and-verification/m-p/447361#M10481</link>
    <description>&lt;P&gt;@edwardrose, &lt;/P&gt;

&lt;P&gt;I dont think it will be problem. If you are sending data outside Splunk then the configuration will be there in outputs.conf and we are not specifying any ssl use there.&lt;/P&gt;</description>
    <pubDate>Thu, 07 Feb 2019 07:32:38 GMT</pubDate>
    <dc:creator>vishaltaneja070</dc:creator>
    <dc:date>2019-02-07T07:32:38Z</dc:date>
    <item>
      <title>SSL Certs and verification</title>
      <link>https://community.splunk.com/t5/Security/SSL-Certs-and-verification/m-p/447360#M10480</link>
      <description>&lt;P&gt;Hello All&lt;/P&gt;

&lt;P&gt;I have the following configuration that I would like to see work if possible.  A server in the DMZ setup as an intermediary to capture logs from devices in AWS being transported over the internet.  Could one possibly have the following setup:&lt;/P&gt;

&lt;P&gt;AWS universal forwarder 3rd party cert &lt;BR /&gt;
server.conf:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/3rdpartycert/cacert.pem
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;outputs.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[tcpout]

[tcpout:dmz_fwd]
server = dmz-fwder.example.org:9997
disable = 0
clientCert = $SPLUNK_HOME/etc/auth/3rdpartycert/client.pem
useClientSSLCompression = true
sslPassword = &amp;lt;blah&amp;gt;
sslCommonNameToCheck = dmz-fwder.example.org
sslVerifyServerCert = true 
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;DMZ Host 3rd party Cert and Splunk Cert&lt;BR /&gt;
inputs.conf:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/3rdpartycert/server.pem
sslPassword = password
requireClientCert = True
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;server.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/3rdpartycert/cacert.pem
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Then the DMZ host would use the default certs and default SSL configuration to send the data into a secure network on our intranet.  I am not sure it will work as due to the fact the server.conf on the DMZ host will have a conflict between the 3rd party cert and the Splunk out of the box cert.  &lt;/P&gt;

&lt;P&gt;server.conf required for default certs&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/cacert.pem
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Thoughts?&lt;/P&gt;

&lt;P&gt;Thanks in advance&lt;/P&gt;</description>
      <pubDate>Wed, 06 Feb 2019 21:33:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/SSL-Certs-and-verification/m-p/447360#M10480</guid>
      <dc:creator>edwardrose</dc:creator>
      <dc:date>2019-02-06T21:33:16Z</dc:date>
    </item>
    <item>
      <title>Re: SSL Certs and verification</title>
      <link>https://community.splunk.com/t5/Security/SSL-Certs-and-verification/m-p/447361#M10481</link>
      <description>&lt;P&gt;@edwardrose, &lt;/P&gt;

&lt;P&gt;I dont think it will be problem. If you are sending data outside Splunk then the configuration will be there in outputs.conf and we are not specifying any ssl use there.&lt;/P&gt;</description>
      <pubDate>Thu, 07 Feb 2019 07:32:38 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/SSL-Certs-and-verification/m-p/447361#M10481</guid>
      <dc:creator>vishaltaneja070</dc:creator>
      <dc:date>2019-02-07T07:32:38Z</dc:date>
    </item>
  </channel>
</rss>

