topic Additional SSL Verification in Security https://community.splunk.com/t5/Security/Additional-SSL-Verification/m-p/462060#M10743 <P>Hey everyone.<BR />First time SSL setup (IDX &amp; UF both v8.x) and cert creation (never done before). Had a question about verifying if things worked. I walked through splunk docs and got to the point of verifying connection.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Validateyourconfiguration" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Validateyourconfiguration</A></P> <PRE><CODE>On my IDX i can run: index=_internal source=*metrics.log* group=tcpin_connections | dedup hostname | table _time hostname version sourceIp destPort ssl </CODE></PRE> <P>I do get expected result returned port (9998) and SSL = true.<BR />BUT this was the only part of the instructions that i could follow to verify SSL items. I can't find anything else within Splunkd or index=_* referencing what is being mentioned in the validating procedures for the UF portion. I can see that the UF has the following output in splunkd "Connected to idx=10.202.20.229:9998". This UF is only setup to forward to the one server over port 9998.</P> <P>The next steps i followed where on this page <A href="https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Troubleshootyouforwardertoindexerauthentication" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Troubleshootyouforwardertoindexerauthentication</A></P> <PRE><CODE>openssl s_client -connect &lt;server&gt;:&lt;port&gt; </CODE></PRE> <P>and the expected output mentioned Verify return code: 0 (ok) was instead returning code: 18 (self signed certificate).<BR />Then on the UF i attempted to monitor a random log file that i update. On the main Splunk server i can see the data come in.<BR />I'm just second guessing if i did things correctly given i wasn't able to validate internal Splunk logs.</P> <P>UF</P> <PRE><CODE>server.conf [sslConfig] sslRootCAPath = /opt/splunkforwarder/etc/auth/myCerts/myCACertificate.pem sslPassword = &lt;with pass here&gt; outputs.conf [SSL] [tcpout] defaultGroup = group1 [tcpout:group1] server = 10.202.20.229:9998 disabled = 0 clientCert = /opt/splunkforwarder/etc/auth/myCerts/myNewSplunkForwarderCert.pem useClientSSLCompression = true sslPassword = &lt;with pass here&gt; </CODE></PRE> <P>IDX</P> <PRE><CODE>inputs.conf [splunktcp-ssl:9998] disabled = 0 [SSL] serverCert = /opt/splunk/etc/auth/myCerts/myNewSplunkIndexerCert.pem sslPassword = &lt;with pass here&gt; requireClientCert = "true" server.conf [sslConfig] sslRootCAPath = /opt/splunk/etc/auth/myCerts/myCACertificate.pem sslPassword = &lt;with pass here&gt; </CODE></PRE> Sun, 07 Jun 2020 18:01:02 GMT v_trilo 2020-06-07T18:01:02Z Additional SSL Verification https://community.splunk.com/t5/Security/Additional-SSL-Verification/m-p/462060#M10743 <P>Hey everyone.<BR />First time SSL setup (IDX &amp; UF both v8.x) and cert creation (never done before). Had a question about verifying if things worked. I walked through splunk docs and got to the point of verifying connection.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Validateyourconfiguration" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Validateyourconfiguration</A></P> <PRE><CODE>On my IDX i can run: index=_internal source=*metrics.log* group=tcpin_connections | dedup hostname | table _time hostname version sourceIp destPort ssl </CODE></PRE> <P>I do get expected result returned port (9998) and SSL = true.<BR />BUT this was the only part of the instructions that i could follow to verify SSL items. I can't find anything else within Splunkd or index=_* referencing what is being mentioned in the validating procedures for the UF portion. I can see that the UF has the following output in splunkd "Connected to idx=10.202.20.229:9998". This UF is only setup to forward to the one server over port 9998.</P> <P>The next steps i followed where on this page <A href="https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Troubleshootyouforwardertoindexerauthentication" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Troubleshootyouforwardertoindexerauthentication</A></P> <PRE><CODE>openssl s_client -connect &lt;server&gt;:&lt;port&gt; </CODE></PRE> <P>and the expected output mentioned Verify return code: 0 (ok) was instead returning code: 18 (self signed certificate).<BR />Then on the UF i attempted to monitor a random log file that i update. On the main Splunk server i can see the data come in.<BR />I'm just second guessing if i did things correctly given i wasn't able to validate internal Splunk logs.</P> <P>UF</P> <PRE><CODE>server.conf [sslConfig] sslRootCAPath = /opt/splunkforwarder/etc/auth/myCerts/myCACertificate.pem sslPassword = &lt;with pass here&gt; outputs.conf [SSL] [tcpout] defaultGroup = group1 [tcpout:group1] server = 10.202.20.229:9998 disabled = 0 clientCert = /opt/splunkforwarder/etc/auth/myCerts/myNewSplunkForwarderCert.pem useClientSSLCompression = true sslPassword = &lt;with pass here&gt; </CODE></PRE> <P>IDX</P> <PRE><CODE>inputs.conf [splunktcp-ssl:9998] disabled = 0 [SSL] serverCert = /opt/splunk/etc/auth/myCerts/myNewSplunkIndexerCert.pem sslPassword = &lt;with pass here&gt; requireClientCert = "true" server.conf [sslConfig] sslRootCAPath = /opt/splunk/etc/auth/myCerts/myCACertificate.pem sslPassword = &lt;with pass here&gt; </CODE></PRE> Sun, 07 Jun 2020 18:01:02 GMT https://community.splunk.com/t5/Security/Additional-SSL-Verification/m-p/462060#M10743 v_trilo 2020-06-07T18:01:02Z