Getting Data In

About configuration in forwarding by using SSL.

yutaka1005
Builder

I want to ask some point.

  1. When using the default certificate, sslVerifyServerCert in outputs.conf is false, and requireClientCert in inputs.conf is true by default. In this case, there is no proof on the server side, but it seems that only the client side is proofing. Is such a setting recommended?

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Inputsconf
https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Outputsconf

  1. In step of following manual, it is configured requireClientCert is false in indexer side, also configured requireClientCert is false in forwarder side. In this case, I think that it doesn't have to configure clientCert AND serverCert, am I wrong?.

https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/ConfigureSplunkforwardingtousethedefault...

0 Karma
1 Solution

DavidHourani
Super Champion

Hi @yutaka1005,

1- It depends on the security level you wish to have and the trust you put on each layer of your Splunk deployment. If you set the requireClientCert as you mentioned in your question then your forwarders must present a valid certificate to authenticate and send data to the indexers whereas indexers don't have to present anything to the forwarders since sslVerifyServerCert is unset in outputs.conf. With such a configuration you are saying "I trust my indexers to always be the right destination for data so I will not verify the destination where my data is going" and you're also saying "I don't trust my sources so I need to verify that they are legit sources". This guarantees that your sources are always legit and no one can inject noise to your indexers but doesn't guarantee that your forwarder will only send to your indexers. You will need to set both setting if you wish to have both indexers and forwarders verify that they recognize each others. Again it all depends on your security policy.

2- You're right, IfrequireClientCertis set to false you can keep the default certs so no need to configure clientCert or serverCert.
PS: requireClientCert defaults to true when default certificates are used.

Let me know if you need further details.

Cheers,
David

View solution in original post

0 Karma

DavidHourani
Super Champion

Hi @yutaka1005,

1- It depends on the security level you wish to have and the trust you put on each layer of your Splunk deployment. If you set the requireClientCert as you mentioned in your question then your forwarders must present a valid certificate to authenticate and send data to the indexers whereas indexers don't have to present anything to the forwarders since sslVerifyServerCert is unset in outputs.conf. With such a configuration you are saying "I trust my indexers to always be the right destination for data so I will not verify the destination where my data is going" and you're also saying "I don't trust my sources so I need to verify that they are legit sources". This guarantees that your sources are always legit and no one can inject noise to your indexers but doesn't guarantee that your forwarder will only send to your indexers. You will need to set both setting if you wish to have both indexers and forwarders verify that they recognize each others. Again it all depends on your security policy.

2- You're right, IfrequireClientCertis set to false you can keep the default certs so no need to configure clientCert or serverCert.
PS: requireClientCert defaults to true when default certificates are used.

Let me know if you need further details.

Cheers,
David

0 Karma

yutaka1005
Builder

Thank you for answer.

1- Normally, such a environment like web server and client, I think that server side has server cert, and optionally, client have to send client cert to server.
I just wondered that why default value of these attributes is so.
I understand that it is not a recommendation, but it depends on the security level I want! Thank you!

2- OK, I got it!

-PS: requireClientCert defaults to false.
In inputs.conf, there is below description, so I think default is true, if I use default certification.

requireClientCert = <boolean>
* Determines whether a client must present an SSL certificate to authenticate.
* Full path to the root CA (Certificate Authority) certificate store.
* Default: false (if using self-signed and third-party certificates)
* Default: true (if using the default certificates, overrides the 
existing "false" setting)

DavidHourani
Super Champion

Most welcome @yutaka1005 !

And yes you're right defaults to true if using default certificates, I'll update the answer 🙂

0 Karma

splunkreal
Motivator

Hello, isn't Splunk default certificate considered as selfsigned? Thanks.

* If this helps, please upvote or accept solution if it solved *
0 Karma
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...