https://community.splunk.com/t5/Getting-Data-In/sslKeysfilePassword-not-working-in-a-deployed-forwarder-app/m-p/254767#M48941 <P>I've created some certificates to use with our forwarders to secure forwarded traffic. I've created an indexer_discovery app which contains outputs, a cert directory containing my certificate etc. but I've hit a snag...</P> <P>I also included app/local/server.conf with an [sslConfig] stanza containing the cert location, sslKeysfilePassword etc. but Splunk doesn't seem to read the password from this file. After a forwarder restart the password remains unencrypted and the forwarder can't decrypt the cert producing lots of errors in splunkd.log.</P> <P>The only workaround is to modify /opt/splunkforwarder/etc/system/local/server.conf and add [sslConfig] with the sslKeysfilePassword parameter. This means when we deploy the indexer discovery app we'll also need to login to each server to change the local server.conf file. </P> <P>Please tell me I'm doing it wrong <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 13 Jul 2016 14:11:16 GMT stepheneardley 2016-07-13T14:11:16Z https://community.splunk.com/t5/Getting-Data-In/sslKeysfilePassword-not-working-in-a-deployed-forwarder-app/m-p/254767#M48941 <P>I've created some certificates to use with our forwarders to secure forwarded traffic. I've created an indexer_discovery app which contains outputs, a cert directory containing my certificate etc. but I've hit a snag...</P> <P>I also included app/local/server.conf with an [sslConfig] stanza containing the cert location, sslKeysfilePassword etc. but Splunk doesn't seem to read the password from this file. After a forwarder restart the password remains unencrypted and the forwarder can't decrypt the cert producing lots of errors in splunkd.log.</P> <P>The only workaround is to modify /opt/splunkforwarder/etc/system/local/server.conf and add [sslConfig] with the sslKeysfilePassword parameter. This means when we deploy the indexer discovery app we'll also need to login to each server to change the local server.conf file. </P> <P>Please tell me I'm doing it wrong <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 13 Jul 2016 14:11:16 GMT https://community.splunk.com/t5/Getting-Data-In/sslKeysfilePassword-not-working-in-a-deployed-forwarder-app/m-p/254767#M48941 stepheneardley 2016-07-13T14:11:16Z https://community.splunk.com/t5/Getting-Data-In/sslKeysfilePassword-not-working-in-a-deployed-forwarder-app/m-p/254768#M48942 <P>You are indeed doing it wrong <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>The forwarder SSL doesn't use the server.conf file - it uses inputs.conf &amp; outputs.conf.</P> <P>First go and read dwaddles SSL guides:<BR /> <A href="http://www.duanewaddle.com/splunk-conf-2014/">http://www.duanewaddle.com/splunk-conf-2014/</A></P> <P>The relevant splunk documentation is here:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.4.2/Security/ConfigureSplunkforwardingtousesignedcertificates">http://docs.splunk.com/Documentation/Splunk/6.4.2/Security/ConfigureSplunkforwardingtousesignedcertificates</A></P> Wed, 13 Jul 2016 15:53:55 GMT https://community.splunk.com/t5/Getting-Data-In/sslKeysfilePassword-not-working-in-a-deployed-forwarder-app/m-p/254768#M48942 jplumsdaine22 2016-07-13T15:53:55Z https://community.splunk.com/t5/Getting-Data-In/sslKeysfilePassword-not-working-in-a-deployed-forwarder-app/m-p/254769#M48943 <P>I'm not saying you're wrong but if you are correct then why does SSL forwarding work when I move the sslKeysfilePassword parameter to etc/system/local/server.conf? I can confirm that it also uses the cert we've pushed down with the app along with the cert location in server.conf within the app context.</P> Fri, 15 Jul 2016 13:48:49 GMT https://community.splunk.com/t5/Getting-Data-In/sslKeysfilePassword-not-working-in-a-deployed-forwarder-app/m-p/254769#M48943 stepheneardley 2016-07-15T13:48:49Z https://community.splunk.com/t5/Getting-Data-In/sslKeysfilePassword-not-working-in-a-deployed-forwarder-app/m-p/254770#M48944 <P>Odd - I don't actually use the SSL forwarding myself, so I couldn't tell you for sure. My guess would be that when you put the parameter in system/local it gets ignored</P> <P>On your indexer run <CODE>./bin/splunk cmd btool inputs list</CODE></P> <P>If you're using ssl you should have an input stanza like <CODE>[splunktcp-ssl:9997]</CODE>. If its <CODE>[splunktcp://9997]</CODE> then you're not actually using SSL</P> <P>The server.conf controls the ssl settings for the splunkd port, 8089 </P> Fri, 15 Jul 2016 16:07:44 GMT https://community.splunk.com/t5/Getting-Data-In/sslKeysfilePassword-not-working-in-a-deployed-forwarder-app/m-p/254770#M48944 jplumsdaine22 2016-07-15T16:07:44Z