<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic SSL encryption and authentication between Heavy Forwarder and Indexer in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/SSL-encryption-and-authentication-between-Heavy-Forwarder-and/m-p/208915#M41139</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;

&lt;P&gt;I have a doubt  with respect to the below stanzas in Heavy forwarder and indexers. Will the below stanzas ensures SSL authentication only OR it will encrypt the communication as well? If it ensures encryption as well can you please put some light?&lt;/P&gt;

&lt;P&gt;outputs.conf in Heavy Forwarder&lt;/P&gt;

&lt;P&gt;[tcpout]&lt;BR /&gt;
defaultGroup = splunkssl&lt;/P&gt;

&lt;P&gt;[tcpout:splunkssl]&lt;BR /&gt;
server = 1.1.1.1:9997&lt;BR /&gt;
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/myCACertificate.pem&lt;BR /&gt;
sslCertPath = $SPLUNK_HOME/etc/auth/mycerts/myForwarderCertificate.pem&lt;BR /&gt;
sslPassword = $%^!@#%&lt;BR /&gt;
sslVerifyServerCert = true&lt;/P&gt;

&lt;H2&gt;sslCommonNameToCheck = xyz.abc&lt;/H2&gt;

&lt;P&gt;inputs.conf in Indexer&lt;/P&gt;

&lt;P&gt;[SSL]&lt;BR /&gt;
rootCA = $SPLUNK_HOME/etc/auth/mycerts/myCACertificate.pem&lt;BR /&gt;
serverCert = $SPLUNK_HOME/etc/auth/mycerts/myIndexerCertificate.pem&lt;BR /&gt;
password = &amp;amp;#^#$%&lt;BR /&gt;
requireClientCert = true&lt;/P&gt;

&lt;P&gt;[splunktcp-ssl:9997]&lt;BR /&gt;
compressed = true&lt;/P&gt;</description>
    <pubDate>Tue, 29 Sep 2020 10:29:59 GMT</pubDate>
    <dc:creator>splunk_kk</dc:creator>
    <dc:date>2020-09-29T10:29:59Z</dc:date>
    <item>
      <title>SSL encryption and authentication between Heavy Forwarder and Indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/SSL-encryption-and-authentication-between-Heavy-Forwarder-and/m-p/208915#M41139</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;

&lt;P&gt;I have a doubt  with respect to the below stanzas in Heavy forwarder and indexers. Will the below stanzas ensures SSL authentication only OR it will encrypt the communication as well? If it ensures encryption as well can you please put some light?&lt;/P&gt;

&lt;P&gt;outputs.conf in Heavy Forwarder&lt;/P&gt;

&lt;P&gt;[tcpout]&lt;BR /&gt;
defaultGroup = splunkssl&lt;/P&gt;

&lt;P&gt;[tcpout:splunkssl]&lt;BR /&gt;
server = 1.1.1.1:9997&lt;BR /&gt;
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/myCACertificate.pem&lt;BR /&gt;
sslCertPath = $SPLUNK_HOME/etc/auth/mycerts/myForwarderCertificate.pem&lt;BR /&gt;
sslPassword = $%^!@#%&lt;BR /&gt;
sslVerifyServerCert = true&lt;/P&gt;

&lt;H2&gt;sslCommonNameToCheck = xyz.abc&lt;/H2&gt;

&lt;P&gt;inputs.conf in Indexer&lt;/P&gt;

&lt;P&gt;[SSL]&lt;BR /&gt;
rootCA = $SPLUNK_HOME/etc/auth/mycerts/myCACertificate.pem&lt;BR /&gt;
serverCert = $SPLUNK_HOME/etc/auth/mycerts/myIndexerCertificate.pem&lt;BR /&gt;
password = &amp;amp;#^#$%&lt;BR /&gt;
requireClientCert = true&lt;/P&gt;

&lt;P&gt;[splunktcp-ssl:9997]&lt;BR /&gt;
compressed = true&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 10:29:59 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/SSL-encryption-and-authentication-between-Heavy-Forwarder-and/m-p/208915#M41139</guid>
      <dc:creator>splunk_kk</dc:creator>
      <dc:date>2020-09-29T10:29:59Z</dc:date>
    </item>
    <item>
      <title>Re: SSL encryption and authentication between Heavy Forwarder and Indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/SSL-encryption-and-authentication-between-Heavy-Forwarder-and/m-p/208916#M41140</link>
      <description>&lt;P&gt;Yes, data will be encrypted. If you check data packets by tcpdump or wireshark, you won't be able to see the data content. &lt;/P&gt;

&lt;P&gt;Splunk s2s(splunk to splunk, forwarder to indexer) SSL setting always enable SSL encryption.&lt;BR /&gt;
SSL Certificate Authentication is to validate CA authority and the Server's Common Name in the indexer's certificate by adding "sslVerifyServerCert" and "sslCommonNameToCheck"&lt;/P&gt;

&lt;P&gt;A few links related to this topic&lt;BR /&gt;
&lt;A href="http://docs.splunk.com/Documentation/Splunk/Latest/Security/AboutsecuringyourSplunkconfigurationwithSSL"&gt;http://docs.splunk.com/Documentation/Splunk/Latest/Security/AboutsecuringyourSplunkconfigurationwithSSL&lt;/A&gt;&lt;BR /&gt;
&lt;A href="http://docs.splunk.com/Documentation/Splunk/6.4.2/Security/Aboutsecuringdatafromforwarders"&gt;http://docs.splunk.com/Documentation/Splunk/6.4.2/Security/Aboutsecuringdatafromforwarders&lt;/A&gt;&lt;BR /&gt;
&lt;A href="http://docs.splunk.com/Documentation/Splunk/Latest/Admin/Outputsconf"&gt;http://docs.splunk.com/Documentation/Splunk/Latest/Admin/Outputsconf&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 04 Aug 2016 22:10:41 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/SSL-encryption-and-authentication-between-Heavy-Forwarder-and/m-p/208916#M41140</guid>
      <dc:creator>Masa</dc:creator>
      <dc:date>2016-08-04T22:10:41Z</dc:date>
    </item>
  </channel>
</rss>

