https://community.splunk.com/t5/Getting-Data-In/On-a-Heavy-forwarder-that-forwards-events-to-a-3rd-party-device/m-p/403243#M71644 <P>Hi<BR /> I have an app on a HF that forwards events to a 3rd party device via unencrypted channel. I would like to encrypt the traffic using certificates which I received from a 3rd party (root.crt and sender.crt). </P> <P>This is the output.conf stanza I am trying to use which does not seem to work:</P> <PRE><CODE>[tcpout:3rdparty] server = &lt;IP&gt;:&lt;Port&gt; sslRootCAPath = $SPLUNK_HOME/etc/apps/3rdparty/local/root.crt sslCertPath = $SPLUNK_HOME/etc/apps/3rdparty/local/sender.crt requireClientCert = false sslVerifyServerCert = false sendCookedData = false </CODE></PRE> <P>"Error initializing SSL context - check splunkd.log regarding configuration error for server "</P> <P>What additional steps do I need to take to accomplish this? </P> Wed, 15 Aug 2018 16:09:43 GMT pete222 2018-08-15T16:09:43Z https://community.splunk.com/t5/Getting-Data-In/On-a-Heavy-forwarder-that-forwards-events-to-a-3rd-party-device/m-p/403243#M71644 <P>Hi<BR /> I have an app on a HF that forwards events to a 3rd party device via unencrypted channel. I would like to encrypt the traffic using certificates which I received from a 3rd party (root.crt and sender.crt). </P> <P>This is the output.conf stanza I am trying to use which does not seem to work:</P> <PRE><CODE>[tcpout:3rdparty] server = &lt;IP&gt;:&lt;Port&gt; sslRootCAPath = $SPLUNK_HOME/etc/apps/3rdparty/local/root.crt sslCertPath = $SPLUNK_HOME/etc/apps/3rdparty/local/sender.crt requireClientCert = false sslVerifyServerCert = false sendCookedData = false </CODE></PRE> <P>"Error initializing SSL context - check splunkd.log regarding configuration error for server "</P> <P>What additional steps do I need to take to accomplish this? </P> Wed, 15 Aug 2018 16:09:43 GMT https://community.splunk.com/t5/Getting-Data-In/On-a-Heavy-forwarder-that-forwards-events-to-a-3rd-party-device/m-p/403243#M71644 pete222 2018-08-15T16:09:43Z https://community.splunk.com/t5/Getting-Data-In/On-a-Heavy-forwarder-that-forwards-events-to-a-3rd-party-device/m-p/403244#M71645 <P>What does splunkd.log say about configuration errors? I think the <CODE>sslPassword</CODE> setting is missing. Also, you need to configure inputs.conf on your receiver. </P> <P>The configurations structure which worked for me is,</P> <P>outputs.conf (on forwarders):</P> <PRE><CODE>[tcpout] sslPassword = xxxxxxxxxxxxxxxxxxxxxx sslVersions = tls1.2 clientCert = $SPLUNK_HOME/etc/auth/myOrg/myOrgFWDcert.pem sslRootCAPath = $SPLUNK_HOME/etc/auth/myOrg/myOrgCACertificate.pem channelReapInterval = 60000 channelReapLowater = 10 channelTTL = 300000 dnsResolutionInterval = 300 negotiateNewProtocol = true socksResolveDNS = false useClientSSLCompression = true [tcpout:my_idx_cluster] server = idx1.com:9998, idx.com2:9998 useACK = true </CODE></PRE> <P>inputs.conf (On indexers):</P> <PRE><CODE>[SSL] serverCert = $SPLUNK_HOME/etc/auth/myOrg/myOrgServerCertificate.pem sslPassword = xxxxxxxxxxxxxxxxx sslVersions = tls1.2 [splunktcp-ssl:9998] </CODE></PRE> <P>Additionally, please refer to these links for more information,<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.1.2/Security/ConfigureSplunkforwardingtousesignedcertificates">https://docs.splunk.com/Documentation/Splunk/7.1.2/Security/ConfigureSplunkforwardingtousesignedcertificates</A><BR /> <A href="https://conf.splunk.com/session/2015/conf2015_DWaddle_DefensePointSecurity_deploying_SplunkSSLBestPractices.pdf">https://conf.splunk.com/session/2015/conf2015_DWaddle_DefensePointSecurity_deploying_SplunkSSLBestPractices.pdf</A></P> Wed, 15 Aug 2018 18:45:01 GMT https://community.splunk.com/t5/Getting-Data-In/On-a-Heavy-forwarder-that-forwards-events-to-a-3rd-party-device/m-p/403244#M71645 sudosplunk 2018-08-15T18:45:01Z