Getting Data In

Could someone help clarify Splunk documentation accuracy around forwarder SSL configuration?

shocko
Contributor

Using Splunk Enterprise 8.2.4 on Windows and trying to configure my forwarders to use SSL to forward events to my indexers. Client certificate verification is not enabled on the indexer. Reading the guide here it states some config aspects that don't seem to be true from testing:

sslPassword = <password>
* The password associated with the Certificate Authority certificate (CAcert).

Is this  not the password for the client cert (server.pem by default) rather than CACert? Also, is states:

useSSL = <true|false|legacy>
* Whether or not the forwarder uses SSL to connect to the receiver, or relies
  on the 'clientCert' setting to be active for SSL connections.
* You do not need to set 'clientCert' if 'requireClientCert' is set to
  "false" on the receiver.

This appears to indicate that you can use SSL without a client certificate (which would be great!). However, if I simply add  useSSL=true to my forwarder outputs.conf the SSL connection does not come up and the following is showing splunkd.log indicating it is looking for a client certificate file:

03-30-2022 23:39:47.933 +0100 ERROR SSLCommon [31888 parsing] - Can't read certificate file errno=33558528 error:02001000:system library:fopen:system library

My outputs.conf is as follows:

[tcpout:test-ssl-1]
disabled = 0
server = indexer1.mydomain.com:9998
useSSL = true
useClientSSLCompression = true
sslVerifyServerCert = false

This outputs.conf does work:

[tcpout:test-ssl-1]
disabled = 0
server = indexer1.mydomain.com:9998
useSSL = true
useClientSSLCompression = true
sslVerifyServerCert = false
sslCommonNameToCheck = indexer1
sslAltNameToCheck = indexer1.mydomain.com
sslRootCAPath = C:\Program Files\SplunkUniversalForwarder\etc\auth\MyPKIChain.pem

 I have no idea why the 2nd config works! sslVerifyServerCert  is false. 

 

Labels (1)
Tags (1)
0 Karma

psharkey
Explorer

I faced a similar situation. However, I only needed to include the sslRootCAPath directive. Neither of the NameToCheck directives were necessary.

I ended up deploying a PKIChain.pem file in a different App which also included a server.conf file with an [sslConfig] stanza like this:

[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/apps/<App>/default/PKIChain.pem

splunky147
Splunk Employee
Splunk Employee

@psharkey Could you please clarify why we need `sslRootCAPath` here? The docs are not clear enough.

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...