Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

About configuration in forwarding by using SSL.

yutaka1005
Builder
‎06-27-2019 01:26 AM

I want to ask some point.

  1. When using the default certificate, sslVerifyServerCert in outputs.conf is false, and requireClientCert in inputs.conf is true by default. In this case, there is no proof on the server side, but it seems that only the client side is proofing. Is such a setting recommended?

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Inputsconf
https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Outputsconf

  1. In step of following manual, it is configured requireClientCert is false in indexer side, also configured requireClientCert is false in forwarder side. In this case, I think that it doesn't have to configure clientCert AND serverCert, am I wrong?.

https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/ConfigureSplunkforwardingtousethedefault...

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎06-27-2019 01:52 AM

Hi @yutaka1005,

1- It depends on the security level you wish to have and the trust you put on each layer of your Splunk deployment. If you set the requireClientCert as you mentioned in your question then your forwarders must present a valid certificate to authenticate and send data to the indexers whereas indexers don't have to present anything to the forwarders since sslVerifyServerCert is unset in outputs.conf. With such a configuration you are saying "I trust my indexers to always be the right destination for data so I will not verify the destination where my data is going" and you're also saying "I don't trust my sources so I need to verify that they are legit sources". This guarantees that your sources are always legit and no one can inject noise to your indexers but doesn't guarantee that your forwarder will only send to your indexers. You will need to set both setting if you wish to have both indexers and forwarders verify that they recognize each others. Again it all depends on your security policy.

2- You're right, IfrequireClientCertis set to false you can keep the default certs so no need to configure clientCert or serverCert.
PS: requireClientCert defaults to true when default certificates are used.

Let me know if you need further details.

Cheers,
David

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎06-27-2019 01:52 AM

Hi @yutaka1005,

1- It depends on the security level you wish to have and the trust you put on each layer of your Splunk deployment. If you set the requireClientCert as you mentioned in your question then your forwarders must present a valid certificate to authenticate and send data to the indexers whereas indexers don't have to present anything to the forwarders since sslVerifyServerCert is unset in outputs.conf. With such a configuration you are saying "I trust my indexers to always be the right destination for data so I will not verify the destination where my data is going" and you're also saying "I don't trust my sources so I need to verify that they are legit sources". This guarantees that your sources are always legit and no one can inject noise to your indexers but doesn't guarantee that your forwarder will only send to your indexers. You will need to set both setting if you wish to have both indexers and forwarders verify that they recognize each others. Again it all depends on your security policy.

2- You're right, IfrequireClientCertis set to false you can keep the default certs so no need to configure clientCert or serverCert.
PS: requireClientCert defaults to true when default certificates are used.

Let me know if you need further details.

Cheers,
David

0 Karma
Reply
Solved! Jump to solution

yutaka1005
Builder
‎06-27-2019 02:08 AM

Thank you for answer.

1- Normally, such a environment like web server and client, I think that server side has server cert, and optionally, client have to send client cert to server.
I just wondered that why default value of these attributes is so.
I understand that it is not a recommendation, but it depends on the security level I want! Thank you!

2- OK, I got it!

-PS: requireClientCert defaults to false.
In inputs.conf, there is below description, so I think default is true, if I use default certification.

requireClientCert = <boolean>
* Determines whether a client must present an SSL certificate to authenticate.
* Full path to the root CA (Certificate Authority) certificate store.
* Default: false (if using self-signed and third-party certificates)
* Default: true (if using the default certificates, overrides the 
existing "false" setting)
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎06-27-2019 02:13 AM

Most welcome @yutaka1005 !

And yes you're right defaults to true if using default certificates, I'll update the answer 🙂

0 Karma
Reply
Solved! Jump to solution

splunkreal
Motivator
‎01-30-2021 01:50 AM

Hello, isn't Splunk default certificate considered as selfsigned? Thanks.

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...