https://community.splunk.com/t5/Security/inputs-conf-requireClientCert-being-ignored/m-p/363273#M9088 <P>So I have been trying to get a solution where you do not need to have an SSL certificate on a universal forwarder for sending data base to Splunk on port 9997. However I can't seem to get it to work.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Inputsconf">https://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Inputsconf</A><BR /> and<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Outputsconf">https://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Outputsconf</A></P> <P>This from the inputs.conf seems to indicate by default you do not need to have a SSL certificate on the forwarder at all</P> <PRE><CODE>requireClientCert = &lt;bool&gt; * Determines whether a client must present an SSL certificate to authenticate. * Full path to the root CA (Certificate Authority) certificate store. * The &lt;path&gt; must refer to a PEM format file containing one or more root CA certificates concatenated together. * Defaults to false. </CODE></PRE> <P>My working conf with SSL certs on both ends.</P> <P><STRONG>inputs.conf</STRONG></P> <PRE><CODE>############################### # Encrypted receiver ############################### # Ref : <A href="http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousethedefaultcertificate" target="test_blank">http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousethedefaultcertificate</A> # Ref : <A href="http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousesignedcertificates" target="test_blank">http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousesignedcertificates</A> [splunktcp-ssl:9997] disabled = 0 # requireClientCert = false ############# # IMPORTANT: If this configuration is placed within an local/inputs.conf in an app the password will not be encrypted. # If you require encryption the inputs.conf definitions must be in $SPLUNK_HOME/system/local/inputs.conf [SSL] serverCert = $SPLUNK_HOME/etc/apps/cfgd_ssl_certs_servers/auth/myFullIndexerMediaCertificate.pem sslPassword = ************* </CODE></PRE> <P><STRONG>outputs.conf</STRONG></P> <PRE><CODE># <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf" target="test_blank">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf</A> [tcpout] defaultGroup = indexers indexAndForward = false [tcpout:indexers] server = 192.168.55.55:9997 # IMPORTANT: Ensure indexer is also configured <A href="http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousethedefaultcertificate" target="test_blank">http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousethedefaultcertificate</A> a configuration app is also available for that. sslCertPath = $SPLUNK_HOME/etc/apps/cfgd_fwd_to_idx_ssl/auth/myFullForwarderCertificate.pem sslPassword = ******* sslVerifyServerCert = false # sslCommonNameToCheck = indexer.mydomain.com # While compression should not add too much overhead if there are performance issues this could be disabled to see if this alieviates the problem. useClientSSLCompression = true </CODE></PRE> <P>Now trying this next configuration does not work. If I try to use the requireClientCert set to false (even though it defaults to false) I never see any data from the forwarder.</P> <P><STRONG>inputs.conf</STRONG></P> <PRE><CODE>############################### # Encrypted receiver ############################### # Ref : <A href="http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousethedefaultcertificate" target="test_blank">http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousethedefaultcertificate</A> # Ref : <A href="http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousesignedcertificates" target="test_blank">http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousesignedcertificates</A> [splunktcp-ssl:9997] disabled = 0 requireClientCert = false ############# # IMPORTANT: If this configuration is placed within an local/inputs.conf in an app the password will not be encrypted. # If you require encryption the inputs.conf definitions must be in $SPLUNK_HOME/system/local/inputs.conf [SSL] serverCert = $SPLUNK_HOME/etc/apps/cfgd_ssl_certs_servers/auth/myFullIndexerMediaCertificate.pem sslPassword = *********** </CODE></PRE> <P><STRONG>outputs.conf</STRONG></P> <PRE><CODE># <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf" target="test_blank">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf</A> [tcpout] defaultGroup = indexers indexAndForward = false [tcpout:indexers] server = 192.168.55.55:9997 # IMPORTANT: Ensure indexer is also configured <A href="http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousethedefaultcertificate" target="test_blank">http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousethedefaultcertificate</A> a configuration app is also available for that. sslVerifyServerCert = false # sslCommonNameToCheck = indexer.mydomain.com # While compression should not add too much overhead if there are performance issues this could be disabled to see if this alieviates the problem. useClientSSLCompression = true </CODE></PRE> <P>So the takeaway here is what does the requireClientCert do if it doesn't work when a forwarder contacts the server without a certificate?</P> Fri, 23 Jun 2017 05:43:12 GMT phoenixdigital 2017-06-23T05:43:12Z https://community.splunk.com/t5/Security/inputs-conf-requireClientCert-being-ignored/m-p/363273#M9088 <P>So I have been trying to get a solution where you do not need to have an SSL certificate on a universal forwarder for sending data base to Splunk on port 9997. However I can't seem to get it to work.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Inputsconf">https://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Inputsconf</A><BR /> and<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Outputsconf">https://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Outputsconf</A></P> <P>This from the inputs.conf seems to indicate by default you do not need to have a SSL certificate on the forwarder at all</P> <PRE><CODE>requireClientCert = &lt;bool&gt; * Determines whether a client must present an SSL certificate to authenticate. * Full path to the root CA (Certificate Authority) certificate store. * The &lt;path&gt; must refer to a PEM format file containing one or more root CA certificates concatenated together. * Defaults to false. </CODE></PRE> <P>My working conf with SSL certs on both ends.</P> <P><STRONG>inputs.conf</STRONG></P> <PRE><CODE>############################### # Encrypted receiver ############################### # Ref : <A href="http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousethedefaultcertificate" target="test_blank">http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousethedefaultcertificate</A> # Ref : <A href="http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousesignedcertificates" target="test_blank">http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousesignedcertificates</A> [splunktcp-ssl:9997] disabled = 0 # requireClientCert = false ############# # IMPORTANT: If this configuration is placed within an local/inputs.conf in an app the password will not be encrypted. # If you require encryption the inputs.conf definitions must be in $SPLUNK_HOME/system/local/inputs.conf [SSL] serverCert = $SPLUNK_HOME/etc/apps/cfgd_ssl_certs_servers/auth/myFullIndexerMediaCertificate.pem sslPassword = ************* </CODE></PRE> <P><STRONG>outputs.conf</STRONG></P> <PRE><CODE># <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf" target="test_blank">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf</A> [tcpout] defaultGroup = indexers indexAndForward = false [tcpout:indexers] server = 192.168.55.55:9997 # IMPORTANT: Ensure indexer is also configured <A href="http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousethedefaultcertificate" target="test_blank">http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousethedefaultcertificate</A> a configuration app is also available for that. sslCertPath = $SPLUNK_HOME/etc/apps/cfgd_fwd_to_idx_ssl/auth/myFullForwarderCertificate.pem sslPassword = ******* sslVerifyServerCert = false # sslCommonNameToCheck = indexer.mydomain.com # While compression should not add too much overhead if there are performance issues this could be disabled to see if this alieviates the problem. useClientSSLCompression = true </CODE></PRE> <P>Now trying this next configuration does not work. If I try to use the requireClientCert set to false (even though it defaults to false) I never see any data from the forwarder.</P> <P><STRONG>inputs.conf</STRONG></P> <PRE><CODE>############################### # Encrypted receiver ############################### # Ref : <A href="http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousethedefaultcertificate" target="test_blank">http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousethedefaultcertificate</A> # Ref : <A href="http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousesignedcertificates" target="test_blank">http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousesignedcertificates</A> [splunktcp-ssl:9997] disabled = 0 requireClientCert = false ############# # IMPORTANT: If this configuration is placed within an local/inputs.conf in an app the password will not be encrypted. # If you require encryption the inputs.conf definitions must be in $SPLUNK_HOME/system/local/inputs.conf [SSL] serverCert = $SPLUNK_HOME/etc/apps/cfgd_ssl_certs_servers/auth/myFullIndexerMediaCertificate.pem sslPassword = *********** </CODE></PRE> <P><STRONG>outputs.conf</STRONG></P> <PRE><CODE># <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf" target="test_blank">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf</A> [tcpout] defaultGroup = indexers indexAndForward = false [tcpout:indexers] server = 192.168.55.55:9997 # IMPORTANT: Ensure indexer is also configured <A href="http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousethedefaultcertificate" target="test_blank">http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousethedefaultcertificate</A> a configuration app is also available for that. sslVerifyServerCert = false # sslCommonNameToCheck = indexer.mydomain.com # While compression should not add too much overhead if there are performance issues this could be disabled to see if this alieviates the problem. useClientSSLCompression = true </CODE></PRE> <P>So the takeaway here is what does the requireClientCert do if it doesn't work when a forwarder contacts the server without a certificate?</P> Fri, 23 Jun 2017 05:43:12 GMT https://community.splunk.com/t5/Security/inputs-conf-requireClientCert-being-ignored/m-p/363273#M9088 phoenixdigital 2017-06-23T05:43:12Z https://community.splunk.com/t5/Security/inputs-conf-requireClientCert-being-ignored/m-p/363274#M9089 <P>well, yes, on the inputs.conf examples also, they say "false" and specify both certificates. <BR /> the splunk SSL documentation very confusing one.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Inputsconf" target="_blank">https://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Inputsconf</A><BR /> [SSL]<BR /> serverCert=$SPLUNK_HOME/etc/auth/server.pem<BR /> password=password<BR /> rootCA=$SPLUNK_HOME/etc/auth/cacert.pem<BR /> requireClientCert=false</P> <P>Please check this, incase if you have read it already - <BR /> IMPORTANT NOTE ABOUT "requireClientCert" :</P> <P>As of Splunk 4.2.4, setting "requireClientCert = true" in the indexer's inputs.conf will cause forwarding to fail! A bug (SPL-37637) is currently open to address this issue. In the meantime, keep requireClientCert set to "false". </P> <P>We have set "requireClientCert = true". This requires the following conditions to be met : </P> <P>a) "rootCA" must point to a file containing the CA's public key. In our example, it's the myCACertificate.pem file we generated in step 1.<BR /> b) The forwarder's server certificate defined by "sslCertPath" in outputs.conf (see step 4) is signed by that CA.<BR /> c) The forwarder has the password to read his own certificate ("sslPassword" in outputs.conf, as defined in step 4). This password is "server_privkey_password" in our example.</P> <P><A href="https://wiki.splunk.com/Community:Splunk2Splunk_SSL_SelfSignedCert_NewRootCA" target="_blank">https://wiki.splunk.com/Community:Splunk2Splunk_SSL_SelfSignedCert_NewRootCA</A></P> <P>The purpose of this setup is to ensure that only forwarders that you have distributed a signed certificate to can connect to this indexer. </P> Tue, 29 Sep 2020 14:34:06 GMT https://community.splunk.com/t5/Security/inputs-conf-requireClientCert-being-ignored/m-p/363274#M9089 inventsekar 2020-09-29T14:34:06Z https://community.splunk.com/t5/Security/inputs-conf-requireClientCert-being-ignored/m-p/363275#M9090 <P>Granted I can see why it would be a safe guaranteed way to stop a imposter forwarder from sending in data.</P> <P>That said though it appears Splunk is completely ignoring the requireClientCert because even when I set it to false it still doesn't work.</P> Fri, 23 Jun 2017 08:22:26 GMT https://community.splunk.com/t5/Security/inputs-conf-requireClientCert-being-ignored/m-p/363275#M9090 phoenixdigital 2017-06-23T08:22:26Z