Getting Data In

SSL encryption and authentication between Heavy Forwarder and Indexer

splunk_kk
Path Finder

Hello,

I have a doubt with respect to the below stanzas in Heavy forwarder and indexers. Will the below stanzas ensures SSL authentication only OR it will encrypt the communication as well? If it ensures encryption as well can you please put some light?

outputs.conf in Heavy Forwarder

[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
server = 1.1.1.1:9997
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/myCACertificate.pem
sslCertPath = $SPLUNK_HOME/etc/auth/mycerts/myForwarderCertificate.pem
sslPassword = $%^!@#%
sslVerifyServerCert = true

sslCommonNameToCheck = xyz.abc

inputs.conf in Indexer

[SSL]
rootCA = $SPLUNK_HOME/etc/auth/mycerts/myCACertificate.pem
serverCert = $SPLUNK_HOME/etc/auth/mycerts/myIndexerCertificate.pem
password = &#^#$%
requireClientCert = true

[splunktcp-ssl:9997]
compressed = true

0 Karma

Masa
Splunk Employee
Splunk Employee

Yes, data will be encrypted. If you check data packets by tcpdump or wireshark, you won't be able to see the data content.

Splunk s2s(splunk to splunk, forwarder to indexer) SSL setting always enable SSL encryption.
SSL Certificate Authentication is to validate CA authority and the Server's Common Name in the indexer's certificate by adding "sslVerifyServerCert" and "sslCommonNameToCheck"

A few links related to this topic
http://docs.splunk.com/Documentation/Splunk/Latest/Security/AboutsecuringyourSplunkconfigurationwith...
http://docs.splunk.com/Documentation/Splunk/6.4.2/Security/Aboutsecuringdatafromforwarders
http://docs.splunk.com/Documentation/Splunk/Latest/Admin/Outputsconf

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!