SSL encryption and authentication between Heavy Fo...

splunk_kk · ‎08-02-2016

Hello,

I have a doubt with respect to the below stanzas in Heavy forwarder and indexers. Will the below stanzas ensures SSL authentication only OR it will encrypt the communication as well? If it ensures encryption as well can you please put some light?

outputs.conf in Heavy Forwarder

[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
server = 1.1.1.1:9997
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/myCACertificate.pem
sslCertPath = $SPLUNK_HOME/etc/auth/mycerts/myForwarderCertificate.pem
sslPassword = $%^!@#%
sslVerifyServerCert = true

sslCommonNameToCheck = xyz.abc

inputs.conf in Indexer

[SSL]
rootCA = $SPLUNK_HOME/etc/auth/mycerts/myCACertificate.pem
serverCert = $SPLUNK_HOME/etc/auth/mycerts/myIndexerCertificate.pem
password = &#^#$%
requireClientCert = true

[splunktcp-ssl:9997]
compressed = true

Masa · ‎08-04-2016

Yes, data will be encrypted. If you check data packets by tcpdump or wireshark, you won't be able to see the data content.

Splunk s2s(splunk to splunk, forwarder to indexer) SSL setting always enable SSL encryption.
SSL Certificate Authentication is to validate CA authority and the Server's Common Name in the indexer's certificate by adding "sslVerifyServerCert" and "sslCommonNameToCheck"

A few links related to this topic
http://docs.splunk.com/Documentation/Splunk/Latest/Security/AboutsecuringyourSplunkconfigurationwith...
http://docs.splunk.com/Documentation/Splunk/6.4.2/Security/Aboutsecuringdatafromforwarders
http://docs.splunk.com/Documentation/Splunk/Latest/Admin/Outputsconf

SSL encryption and authentication between Heavy Forwarder and Indexer

sslCommonNameToCheck = xyz.abc

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

Explore the Latest Educational Offerings from Splunk (November Releases)

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...