Getting Data In

On a Heavy forwarder that forwards events to a 3rd party device, how can I encrypt the traffic using certificates?

pete222
New Member

Hi
I have an app on a HF that forwards events to a 3rd party device via unencrypted channel. I would like to encrypt the traffic using certificates which I received from a 3rd party (root.crt and sender.crt).

This is the output.conf stanza I am trying to use which does not seem to work:

[tcpout:3rdparty]
    server = <IP>:<Port>
    sslRootCAPath = $SPLUNK_HOME/etc/apps/3rdparty/local/root.crt
    sslCertPath = $SPLUNK_HOME/etc/apps/3rdparty/local/sender.crt
    requireClientCert = false
    sslVerifyServerCert = false
    sendCookedData = false

"Error initializing SSL context - check splunkd.log regarding configuration error for server "

What additional steps do I need to take to accomplish this?

0 Karma

sudosplunk
Motivator

What does splunkd.log say about configuration errors? I think the sslPassword setting is missing. Also, you need to configure inputs.conf on your receiver.

The configurations structure which worked for me is,

outputs.conf (on forwarders):

[tcpout]
sslPassword = xxxxxxxxxxxxxxxxxxxxxx
sslVersions = tls1.2
clientCert = $SPLUNK_HOME/etc/auth/myOrg/myOrgFWDcert.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/myOrg/myOrgCACertificate.pem
channelReapInterval = 60000
channelReapLowater = 10
channelTTL = 300000
dnsResolutionInterval = 300
negotiateNewProtocol = true
socksResolveDNS = false
useClientSSLCompression = true
[tcpout:my_idx_cluster]
server = idx1.com:9998, idx.com2:9998
useACK = true   

inputs.conf (On indexers):

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/myOrg/myOrgServerCertificate.pem
sslPassword = xxxxxxxxxxxxxxxxx
sslVersions = tls1.2

[splunktcp-ssl:9998]

Additionally, please refer to these links for more information,
https://docs.splunk.com/Documentation/Splunk/7.1.2/Security/ConfigureSplunkforwardingtousesignedcert...
https://conf.splunk.com/session/2015/conf2015_DWaddle_DefensePointSecurity_deploying_SplunkSSLBestPr...

0 Karma
Get Updates on the Splunk Community!

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...