<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Windows Forwarder SSL Configuration in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Windows-Forwarder-SSL-Configuration-not-forwarding/m-p/591358#M103579</link>
    <description>&lt;P&gt;So I have verified the indexer is listening on TCP 9998 and has my PKI certificate bound to it. I don't understand why the forwarder needs any client certificates to use SSL. I just want to ensure the data is forwarded over SSL. Why would I need a client certificate for this? I'm using deployment server to deploy my apps so I also don't want to specify the password for the client certificate private key in the outputs.conf.&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Tue, 29 Mar 2022 21:38:39 GMT</pubDate>
    <dc:creator>shocko</dc:creator>
    <dc:date>2022-03-29T21:38:39Z</dc:date>
    <item>
      <title>Why is my Windows Forwarder SSL Configuration not forwarding through?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Windows-Forwarder-SSL-Configuration-not-forwarding/m-p/591237#M103561</link>
      <description>&lt;P&gt;I'm using Splunk Enterprise 8.2.5 on Windows (both indexers and Forwarders). I have modified &lt;STRONG&gt;inputs.conf&lt;/STRONG&gt; on the indexer as follows to reference my PKI signed certificate/key pair:&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;FONT color="#800000"&gt;[splunktcp-ssl:9998]&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT color="#800000"&gt;disabled = 0&lt;/FONT&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;FONT color="#800000"&gt;[SSL]&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT color="#800000"&gt;serverCert = C:\Program Files\Splunk\etc\auth\mycert\my.pem&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT color="#800000"&gt;sslPassword = mypassword&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT color="#800000"&gt;requireClientCert = false&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT color="#800000"&gt;sslVersions = *,-ssl2,-ssl3,-tls1.0,-tls1.1&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;After service restart I see port 9998 listening on the indexer. I added the following config to the &lt;STRONG&gt;outputs.conf&lt;/STRONG&gt; of my forwarder:&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;FONT color="#800000"&gt;[tcpout:production]&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT color="#800000"&gt;server = myindexerfqdn:9998&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT color="#800000"&gt;useSSL = true&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;No data is getting forwarded though and the following is raised in splunkd.log at the forwarder:&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;FONT color="#FF6600"&gt;03-29-2022 13:01:11.229 +0100 ERROR SSLCommon [37916 parsing] - Can't read certificate file errno=33558528 error:02001000:system library:fopen:system library&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT color="#FF6600"&gt;03-29-2022 13:01:11.229 +0100 ERROR TcpOutputProc [37916 parsing] - Error initializing SSL context - check splunkd.log regarding configuration error for server myindexerfqdn:9998&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;What is the Windows forwarder looking for? I set the indexer not to verify client certs but does the forwarder need a client certificate (self-signed or otherwise) generated regardless to use SSL?&lt;/P&gt;</description>
      <pubDate>Tue, 29 Mar 2022 15:45:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Windows-Forwarder-SSL-Configuration-not-forwarding/m-p/591237#M103561</guid>
      <dc:creator>shocko</dc:creator>
      <dc:date>2022-03-29T15:45:51Z</dc:date>
    </item>
    <item>
      <title>Re: Windows Forwarder SSL Configuration</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Windows-Forwarder-SSL-Configuration-not-forwarding/m-p/591251#M103563</link>
      <description>&lt;P&gt;Your forwarder would need SSL certs and configurations as well to enable SSL communication with your SSL enabled indexer. This documentation will give you all the details:&amp;nbsp;&lt;A href="https://docs.splunk.com/Documentation/Splunk/8.2.5/Security/ConfigureSplunkforwardingtousesignedcertificates" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/8.2.5/Security/ConfigureSplunkforwardingtousesignedcertificates&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 29 Mar 2022 12:59:03 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Windows-Forwarder-SSL-Configuration-not-forwarding/m-p/591251#M103563</guid>
      <dc:creator>somesoni2</dc:creator>
      <dc:date>2022-03-29T12:59:03Z</dc:date>
    </item>
    <item>
      <title>Re: Windows Forwarder SSL Configuration</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Windows-Forwarder-SSL-Configuration-not-forwarding/m-p/591271#M103565</link>
      <description>&lt;P&gt;Since I have told the indexer to ignore client certs what does the client need them for?&lt;/P&gt;</description>
      <pubDate>Tue, 29 Mar 2022 14:24:14 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Windows-Forwarder-SSL-Configuration-not-forwarding/m-p/591271#M103565</guid>
      <dc:creator>shocko</dc:creator>
      <dc:date>2022-03-29T14:24:14Z</dc:date>
    </item>
    <item>
      <title>Re: Windows Forwarder SSL Configuration</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Windows-Forwarder-SSL-Configuration-not-forwarding/m-p/591294#M103567</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/191266"&gt;@shocko&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I had similar problems with my set up for SSL.&amp;nbsp;&lt;/P&gt;&lt;P&gt;Are you able to run the command:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;&amp;gt;openssl.exe rsa -in "C:\Program Files\Splunk\etc\auth\mycert\my.pem" -text&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Try following the steps listed here if you haven't&lt;/P&gt;&lt;P&gt;&lt;A href="https://docs.splunk.com/Documentation/Splunk/8.2.5/Security/Troubleshootyouforwardertoindexerauthentication" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/8.2.5/Security/Troubleshootyouforwardertoindexerauthentication&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 29 Mar 2022 15:40:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Windows-Forwarder-SSL-Configuration-not-forwarding/m-p/591294#M103567</guid>
      <dc:creator>Stefanie</dc:creator>
      <dc:date>2022-03-29T15:40:16Z</dc:date>
    </item>
    <item>
      <title>Re: Windows Forwarder SSL Configuration</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Windows-Forwarder-SSL-Configuration-not-forwarding/m-p/591358#M103579</link>
      <description>&lt;P&gt;So I have verified the indexer is listening on TCP 9998 and has my PKI certificate bound to it. I don't understand why the forwarder needs any client certificates to use SSL. I just want to ensure the data is forwarded over SSL. Why would I need a client certificate for this? I'm using deployment server to deploy my apps so I also don't want to specify the password for the client certificate private key in the outputs.conf.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 29 Mar 2022 21:38:39 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Windows-Forwarder-SSL-Configuration-not-forwarding/m-p/591358#M103579</guid>
      <dc:creator>shocko</dc:creator>
      <dc:date>2022-03-29T21:38:39Z</dc:date>
    </item>
    <item>
      <title>Re: Windows Forwarder SSL Configuration</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Windows-Forwarder-SSL-Configuration-not-forwarding/m-p/591488#M103588</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/191266"&gt;@shocko&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;So I have verified the indexer is listening on TCP 9998 and has my PKI certificate bound to it. I don't understand why the forwarder needs any client certificates to use SSL. I just want to ensure the data is forwarded over SSL. Why would I need a client certificate for this?&amp;nbsp;&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;For the SSL connection to the indexers the forwarder requires &lt;EM&gt;a&lt;/EM&gt; certificate. The clientCert is used to "turn on" SSL connections. That's my assumption.&amp;nbsp;&lt;/P&gt;&lt;P&gt;You can use the certificate you created for your indexers to use on your forwarders.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/191266"&gt;@shocko&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;I'm using deployment server to deploy my apps so I also don't want to specify the password for the client certificate private key in the outputs.conf.&amp;nbsp;&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Splunk doesn't support setting up SSL certificates in apps for this very reason anymore. It took me a long time of trial and error before someone&amp;nbsp;@ Splunk told me this. You'll need to place your certificate somewhere in $SPLUNK_HOME/etc/auth/(folder) and your outputs.conf in $SPLUNK_HOME/etc/system/local&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Touching back on your error you received on the splunkd.log on your forwarder, if you restart the indexer do you see where your indexer is successfully accepting SSL? 
It might say something like&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;port 9998 is reserved for splunk 2 splunk (SSL)&lt;/LI-CODE&gt;</description>
      <pubDate>Wed, 30 Mar 2022 12:29:54 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Windows-Forwarder-SSL-Configuration-not-forwarding/m-p/591488#M103588</guid>
      <dc:creator>Stefanie</dc:creator>
      <dc:date>2022-03-30T12:29:54Z</dc:date>
    </item>
    <item>
      <title>Re: Windows Forwarder SSL Configuration</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Windows-Forwarder-SSL-Configuration-not-forwarding/m-p/591594#M103600</link>
      <description>&lt;P&gt;So I &lt;FONT color="#339966"&gt;&lt;STRONG&gt;resolved&lt;/STRONG&gt; &lt;/FONT&gt;my specific issue as follows:&lt;BR /&gt;&lt;BR /&gt;Since my indexer is using a PKI signed certificate and that PKI has a Root CA and Issuing CA I had to add the Issuing CA public cert and Root CA to a .PEM file (in that order) and drop onto my forwarder&lt;/P&gt;&lt;P&gt;In outputs.conf I then reference it as follows:&lt;/P&gt;&lt;P class="lia-indent-padding-left-30px"&gt;&lt;FONT color="#339966"&gt;[tcpout:test-ssl-1]&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT color="#339966"&gt;disabled = 0&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT color="#339966"&gt;server = indexer1.mydomain.com:9998&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT color="#339966"&gt;useSSL = true&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT color="#339966"&gt;useClientSSLCompression = true&lt;/FONT&gt;&lt;/P&gt;&lt;P class="lia-indent-padding-left-30px"&gt;&lt;FONT color="#339966"&gt;sslVerifyServerCert = false&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT color="#339966"&gt;sslRootCAPath = C:\Program Files\SplunkUniversalForwarder\etc\auth\CA_Chain.pem&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;So I have a working setup with the indexer using a PKI signed certificate and the forwarder without defining any client certs. Even though &lt;STRONG&gt;sslVerifyServerCert&lt;/STRONG&gt; is set to false I still need to supply &lt;STRONG&gt;sslRootCAPath&lt;/STRONG&gt;. 
Again, I don't know why as it doesn't make sense to me &lt;span class="lia-unicode-emoji" title=":neutral_face:"&gt;😐&lt;/span&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;STRONG&gt;My takeaways:&lt;/STRONG&gt;&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;In order for the forwarder to ship events to the indexer over SSL a client certificate &lt;STRONG&gt;does not need to be&lt;/STRONG&gt; defined on the forwarder outputs.conf files&lt;/LI&gt;&lt;LI&gt;The statement regarding the password for the client PEM file not being encrypted if it's defined in inputs.conf or outputs.conf outside of &lt;A href="https://docs.splunk.com/Documentation/Splunk/8.2.5/Security/ConfigureSplunkforwardingtousesignedcertificates" target="_blank" rel="noopener"&gt;/etc/system/local/&lt;/A&gt; does not appear to be true in 8.2.5 as my passwords are getting encrypted in those config files under the apps directory when the forwarder restarts&lt;/LI&gt;&lt;LI&gt;If you wish to verify the indexer cert and it is using a PKI then you must point the forwarder at a PEM file that contains all CAs in that chain from bottom to top&lt;/LI&gt;&lt;/OL&gt;</description>
      <pubDate>Wed, 30 Mar 2022 23:44:54 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Windows-Forwarder-SSL-Configuration-not-forwarding/m-p/591594#M103600</guid>
      <dc:creator>shocko</dc:creator>
      <dc:date>2022-03-30T23:44:54Z</dc:date>
    </item>
  </channel>
</rss>

