https://community.splunk.com/t5/Security/Accepted-client-certificate-list-for-SSL-authentication/m-p/31482#M1050 <P>I'm trying to setup SSL to encrypt and authenticate communication between forwarders and indexers.<BR /> I haven't started yet, I'm going thru the documentation and preparing the certificates, everything seems to be straight forward, but there is one thing i could not figure out yet.</P> <P><STRONG>Is there a way to define a "whitelist" or list of accepted client certificates to be allowed to communicate to the Indexer ??</STRONG></P> <P>I see there are checks on the Forwarder to validate information is being pushed to the right Indexer, but i need to ensure validation on the other direction.<BR /> Thanks</P> Mon, 12 Nov 2012 21:32:28 GMT rjszuste 2012-11-12T21:32:28Z https://community.splunk.com/t5/Security/Accepted-client-certificate-list-for-SSL-authentication/m-p/31482#M1050 <P>I'm trying to setup SSL to encrypt and authenticate communication between forwarders and indexers.<BR /> I haven't started yet, I'm going thru the documentation and preparing the certificates, everything seems to be straight forward, but there is one thing i could not figure out yet.</P> <P><STRONG>Is there a way to define a "whitelist" or list of accepted client certificates to be allowed to communicate to the Indexer ??</STRONG></P> <P>I see there are checks on the Forwarder to validate information is being pushed to the right Indexer, but i need to ensure validation on the other direction.<BR /> Thanks</P> Mon, 12 Nov 2012 21:32:28 GMT https://community.splunk.com/t5/Security/Accepted-client-certificate-list-for-SSL-authentication/m-p/31482#M1050 rjszuste 2012-11-12T21:32:28Z https://community.splunk.com/t5/Security/Accepted-client-certificate-list-for-SSL-authentication/m-p/31483#M1051 <P>I am not sure exactly what you are looking to do. But no, a "whitelist" of Client certificates can not be defined. This is fine because the way that SSL works is:</P> <OL> <LI>Client request the server public cert</LI> <LI>Server sends its public cert</LI> <LI>Client sends its public cert and an initial public key which is created from the server public cert</LI> <LI>Client sends signature from private key</LI> <LI>Server verifies that the signature matches against the clients public cert</LI> <LI>Master key for encryption is generated for client and server that both can decrypt</LI> <LI>Connection is established</LI> </OL> <P>This is a very simplified explanation of what happens but it serves to show that a single key for intra-splunk communications is all that is needed for the same type of connection rather than a list of acceptable client certificates that you may want for a secure web page that can be accessed in a variety of ways by a variety of programs</P> <P>As to the second part of your question, what is the validation that you need from the indexer to the forwarder? If it is for the connection then the TCP protocol that is used handles that. If it is for data that is pushed to the forwarder then these would only be in the form of apps or configurations and not index data that would be sent and can be monitored and verified via the Deployment Monitor. </P> Wed, 14 Nov 2012 21:34:36 GMT https://community.splunk.com/t5/Security/Accepted-client-certificate-list-for-SSL-authentication/m-p/31483#M1051 Rob 2012-11-14T21:34:36Z https://community.splunk.com/t5/Security/Accepted-client-certificate-list-for-SSL-authentication/m-p/31484#M1052 <P>Is there no way to authenticate the Forwarders pushing logs ? Does the Indexer accept pushes from anyone ?<BR /> I was hoping the Indexer could accept or reject a client certificate based on the certificate subject, for example.</P> Mon, 19 Nov 2012 17:58:31 GMT https://community.splunk.com/t5/Security/Accepted-client-certificate-list-for-SSL-authentication/m-p/31484#M1052 rjszuste 2012-11-19T17:58:31Z