Getting Data In

How to edit my configuration to add SSL on forwarders with self signed certificates?

chrisduimstra
Path Finder

I am working on adding SSL on forwarders with self signed certificates.

Here is the /etc/system/local/outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = xx.xx.x.xxx:9997
compressed = true

[tcpout-server://xx.xx.x.xxx:9997]
sslRootCAPath = C:\"Program Files"\SplunkUniversalForwarder\etc\certs\myCACertificate.pem
sslCertPath = C:\"Program Files"\SplunkUniversalForwarder\etc\certs\myNewServerCertificate.pem
sslPassword = <encrypted pass>

Here is the working /etc/system/local/outputs.conf before starting the SSL process.

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = xx.xx.x.xxx:9997

[tcpout-server://xx.xx.x.xxx:9997]

Also made the following changes to etc/system/local/server.conf

[sslConfig]
allowSslCompression = false
allowSslRenegotiation = false
sslKeysfilePassword = <encrypted pass>
sslVersions = tls1.1, tls1.2
sslVersionsForClient = tls1.1, tls1.2
caPath = C:\"Program Files"\SplunkUniversalForwarder\etc\certs

I enabled debug in the splunkd log and pulled out what I believe to be relevant lines.

DEBUG TcpOutputProc - Key file password requires decrypting
DEBUG TcpOutputProc - A value for 'sslVersions' is not present, defaulting to SSL3 and above
ERROR SSLCommon - Can't read certificate file C:\"Program Files"\SplunkUniversalForwarder\etc\certs\myNewServerCertificate.pem errno=33558651 error:0200107B:system library:fopen:Unknown error
0 Karma

skalliger
Motivator

Alright, found the problem myself. Even if it's a Windows system, you are not allowed to escape the path (using " "). So in OP's case he would need to modify his path from:

C:\"Program Files"\SplunkUniversalForwarder\etc\certs

to:

C:\Program Files\SplunkUniversalForwarder\etc\certs

We had another problem after this but that was another point.

Skalli

P.S.: Just make sure that if you use useClientSSLCompression in your outputs.conf, it is also specified in your inputs.conf (compression = true) on the receiving end, or no connection will be possible. That was the following problem.

0 Karma
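The quoting mistake from the question is easy to spot mechanically before restarting the forwarder. The following linter is an added example, not code from the thread or from Splunk: it parses outputs.conf text as Splunk does (case-sensitive keys, no interpolation), flags SSL path keys whose values still contain quote characters, and also reports when a tcpout-server stanza enables TLS without any sslVersions setting, which is what the "defaulting to SSL3 and above" debug line in the question reflects. The sample configuration is the poster's outputs.conf, embedded here as constructed input.

```python
import configparser

# outputs.conf / server.conf keys whose values are file paths on the forwarder
PATH_KEYS = {"sslRootCAPath", "sslCertPath", "caPath", "sslKeysfile"}

# Constructed sample: the poster's outputs.conf with the quoted path segments
SAMPLE_OUTPUTS = r"""
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = xx.xx.x.xxx:9997
compressed = true

[tcpout-server://xx.xx.x.xxx:9997]
sslRootCAPath = C:\"Program Files"\SplunkUniversalForwarder\etc\certs\myCACertificate.pem
sslCertPath = C:\"Program Files"\SplunkUniversalForwarder\etc\certs\myNewServerCertificate.pem
sslPassword = <encrypted pass>
"""

def load_conf(text):
    """Parse Splunk .conf text: INI-like, '=' delimiter only, no interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case; Splunk keys are case-sensitive
    cp.read_string(text)
    return cp

def lint_paths(text):
    """Return (stanza, key, value, fixed) for path values containing quotes.
    splunkd hands the value to fopen() literally, so embedded quotes break it."""
    cp = load_conf(text)
    return [(s, k, v, v.replace('"', ""))
            for s in cp.sections() for k, v in cp.items(s)
            if k in PATH_KEYS and '"' in v]

def tls_versions_unpinned(text):
    """True when a tcpout stanza sets sslCertPath but no tcpout stanza sets
    sslVersions, so splunkd falls back to its 'SSL3 and above' default."""
    cp = load_conf(text)
    tcpout = [s for s in cp.sections() if s.startswith("tcpout")]
    uses_ssl = any(cp.has_option(s, "sslCertPath") for s in tcpout)
    pinned = any(cp.has_option(s, "sslVersions") for s in tcpout)
    return uses_ssl and not pinned

if __name__ == "__main__":
    for stanza, key, bad, fixed in lint_paths(SAMPLE_OUTPUTS):
        print(f"[{stanza}] {key}: {bad!r} -> {fixed!r}")
    if tls_versions_unpinned(SAMPLE_OUTPUTS):
        print("sslVersions not set in outputs.conf; default allows SSL3 and above")
```

Run it against a copy of the forwarder's outputs.conf before restarting; the same check applies to caPath in server.conf, which the question quoted the same way.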

skalliger
Motivator

Hi, we got the same error message saying:

ERROR SSLCommon - Can't read certificate file "C:\Program Files\SplunkUniversalForwarder\etc\auth\complete_server_client_cert.pem" errno=33558651 error:0200107B:system library:fopen:Unknown error

What is the correct way to determine the path to sslCertPath and sslRootCAPath? Can't find any solution on the web.
Our universal forwarder is trying to forward data to a heavy forwarder. Without ssl being enabled, this just works fine.

Anyone got an idea?

Skalli

0 Karma