Hi
I have an app on a HF that forwards events to a 3rd party device via an unencrypted channel. I would like to encrypt the traffic using certificates which I received from a 3rd party (root.crt and sender.crt).
This is the output.conf stanza I am trying to use which does not seem to work:
[tcpout:3rdparty]
server = <IP>:<Port>
sslRootCAPath = $SPLUNK_HOME/etc/apps/3rdparty/local/root.crt
sslCertPath = $SPLUNK_HOME/etc/apps/3rdparty/local/sender.crt
requireClientCert = false
sslVerifyServerCert = false
sendCookedData = false
"Error initializing SSL context - check splunkd.log regarding configuration error for server "
What additional steps do I need to take to accomplish this?
What does splunkd.log say about configuration errors? I think the sslPassword setting is missing. Also, you need to configure inputs.conf on your receiver.
The configuration structure which worked for me is:
outputs.conf (on forwarders):
[tcpout]
sslPassword = xxxxxxxxxxxxxxxxxxxxxx
sslVersions = tls1.2
clientCert = $SPLUNK_HOME/etc/auth/myOrg/myOrgFWDcert.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/myOrg/myOrgCACertificate.pem
channelReapInterval = 60000
channelReapLowater = 10
channelTTL = 300000
dnsResolutionInterval = 300
negotiateNewProtocol = true
socksResolveDNS = false
useClientSSLCompression = true
[tcpout:my_idx_cluster]
server = idx1.com:9998, idx2.com:9998
useACK = true
inputs.conf (On indexers):
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/myOrg/myOrgServerCertificate.pem
sslPassword = xxxxxxxxxxxxxxxxx
sslVersions = tls1.2
[splunktcp-ssl:9998]
Additionally, please refer to these links for more information:
https://docs.splunk.com/Documentation/Splunk/7.1.2/Security/ConfigureSplunkforwardingtousesignedcert...
https://conf.splunk.com/session/2015/conf2015_DWaddle_DefensePointSecurity_deploying_SplunkSSLBestPr...
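A pre-flight check for the two configurations in this thread, as an added example that is not code from either post or from Splunk: it reports whether the PEM file named by clientCert (or sslCertPath) holds both a certificate and a private key, whether an encrypted key has an sslPassword, and whether sslVerifyServerCert is enabled. The file paths, the 192.0.2.10 address, the password value and the placeholder PEM bodies are constructed, and the merging of [tcpout] into the group stanza is a simplification of Splunk's setting inheritance.

```python
import configparser
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def check_tcpout(conf_text, group, read_file):
    """Pre-flight one tcpout group; read_file(path) returns the PEM text."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(conf_text)
    # Simplified layering: global [tcpout] values, overridden by the group.
    s = dict(cp["tcpout"]) if cp.has_section("tcpout") else {}
    s.update(cp["tcpout:" + group])
    cert_path = s.get("clientCert") or s.get("sslCertPath")
    if not cert_path:
        return ["no client certificate path configured"]
    blocks = PEM_BLOCK.findall(read_file(cert_path))  # [(label, body), ...]
    keys = [(l, b) for l, b in blocks if l.endswith("PRIVATE KEY")]
    findings = []
    if not any(l == "CERTIFICATE" for l, _ in blocks):
        findings.append("client PEM has no CERTIFICATE block")
    if not keys:
        findings.append("client PEM has no private key block")
    encrypted = any(l == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in b
                    for l, b in keys)
    if encrypted and "sslPassword" not in s:
        findings.append("private key is encrypted but sslPassword is not set")
    if s.get("sslVerifyServerCert", "false").lower() != "true":
        findings.append("sslVerifyServerCert is not true: receiver certificate is not validated")
    return findings

# Constructed sample input: placeholder PEM bodies, not real key material.
def sample_pem(label):
    return f"-----BEGIN {label}-----\nAAAA\n-----END {label}-----\n"

FILES = {
    "/opt/app/sender.crt": sample_pem("CERTIFICATE"),
    "/opt/app/bundle.pem": sample_pem("CERTIFICATE") + sample_pem("ENCRYPTED PRIVATE KEY"),
}
QUESTION_STYLE = ("[tcpout:3rdparty]\nserver = 192.0.2.10:6514\n"
                  "sslCertPath = /opt/app/sender.crt\nsslVerifyServerCert = false\n")
ANSWER_STYLE = ("[tcpout]\nsslPassword = changeme\nclientCert = /opt/app/bundle.pem\n"
                "sslVerifyServerCert = true\n[tcpout:3rdparty]\nserver = 192.0.2.10:6514\n")

if __name__ == "__main__":
    for name, conf in (("question-style", QUESTION_STYLE), ("answer-style", ANSWER_STYLE)):
        print(name, check_tcpout(conf, "3rdparty", FILES.__getitem__))
```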