topic Re: Indexer/forwarder SSL communication / sslVerifyServerCert question in Security

Indexer/forwarder SSL communication / sslVerifyServerCert question

splunkreal — Fri, 09 Sep 2016 10:00:51 GMT

Hello, is it possible that Splunkforwarder still works if the cacert.pem on the indexer is expired and from different certificate authority? We have sslVerifyServerCert = false set on the fwd.

Thanks.

Re: Indexer/forwarder SSL communication / sslVerifyServerCert question

jkat54 — Fri, 09 Sep 2016 10:53:11 GMT

Yeah that should be fine as far as I know.

Re: Indexer/forwarder SSL communication / sslVerifyServerCert question

anand_singh17 — Thu, 25 May 2017 14:49:59 GMT

it is additional step for authenticating your splunk indexers. For example- If it FALSE, setup an indexer, add and define common certificate and configure to forward the event, it will start ingesting. In this case, certificates, verify, whether it is forwarding events/logs to correct indexers only, but based on certificates

You need to have two more configs need to be added in case, you want it to work,

output.conf, (splunk forwarder - DS client)
sslCommonNameToCheck= server.common.name.com.fqdn

between server to server
sslCommonNameList = splunk.servers.names.with.comma.for.all.making.communication, server1.com, server2.com

Always configure these config in last, as any communication break, can be rolled back, as this would be only check.