topic Re: How to edit my configuration to add SSL on forwarders with self signed certificates? in Getting Data In

How to edit my configuration to add SSL on forwarders with self signed certificates?

chrisduimstra — Thu, 09 Jun 2016 20:33:22 GMT

I am working on adding SSL on forwarders with self signed certificates.

Here is the /etc/system/local/outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = xx.xx.x.xxx:9997
compressed = true

[tcpout-server://xx.xx.x.xxx:9997]
sslRootCAPath = C:\"Program Files"\SplunkUniversalForwarder\etc\certs\myCACertificate.pem
sslCertPath = C:\"Program Files"\SplunkUniversalForwarder\etc\certs\myNewServerCertificate.pem
sslPassword = <encrypted pass>

Here is the working /etc/system/local/outputs.conf before starting the SSL process.

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = xx.xx.x.xxx:9997

[tcpout-server://xx.xx.x.xxx:9997]

Also made the following changes to etc/system/local/server.conf

[sslConfig]
allowSslCompression = false
allowSslRenegotiation = false
sslKeysfilePassword = <encrypted pass>
sslVersions = tls1.1, tls1.2
sslVersionsForClient = tls1.1, tls1.2
caPath = C:\"Program Files"\SplunkUniversalForwarder\etc\certs

I enabled debug in the splunkd log and pulled out what I believe to be relevant lines.

DEBUG TcpOutputProc - Key file password requires decrypting
DEBUG TcpOutputProc - A value for 'sslVersions' is not present, defaulting to SSL3 and above
ERROR SSLCommon - Can't read certificate file C:\"Program Files"\SplunkUniversalForwarder\etc\certs\myNewServerCertificate.pem errno=33558651 error:0200107B:system library:fopen:Unknown error

Re: How to edit my configuration to add SSL on forwarders with self signed certificates?

skalliger — Tue, 15 Nov 2016 09:30:10 GMT

Hi, we got the same error message saying:

ERROR SSLCommon - Can't read certificate file "C:\Program Files\SplunkUniversalForwarder\etc\auth\complete_server_client_cert.pem" errno=33558651 error:0200107B:system library:fopen:Unknown error

What is the correct way to determine the path to sslCertPath and sslRootCAPath? Can't find any solution in the web.
Our universal forwarder is trying to forward data to a heavy forwarder. Without ssl being enabled, this just works fine.

Anyone got an idea?

Skalli

Re: How to edit my configuration to add SSL on forwarders with self signed certificates?

skalliger — Tue, 15 Nov 2016 12:54:03 GMT

Alright, found the problem myself. Even if it's a Windows system, you are not allowed to escape the path (using " "). So in OP's case he would need to modify his path from:

C:\"Program Files"\SplunkUniversalForwarder\etc\certs

to:

C:\Program Files\SplunkUniversalForwarder\etc\certs

We had another problem after this but that was another point.

Skalli

P.S.: Just make sure if you use useClientSSLCompression in your outputs.conf, it also must be specified in your inputs.conf (compression = true) on the receiving end or no connection will be possible. That was the following problem.