Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Securing communcation between Universal Forwarder and Heavy Forwarder

rwcbp
Explorer
‎07-01-2015 07:37 AM

Splunk Docs do not specifically state that default encryption is active between Universal Forwarders and Heavy Forwarders, is it?

Also, if a self-signed or third party cert is used for this environment, is the Universal Forwarder the "client" of the Heavy Forwarder in this example?

Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎07-01-2015 07:47 AM

By default, no, there is no crypto between forwarders and indexers or forwarders and intermediate forwarders.

If you choose to do encryption, the certificate situation is up to you. However, I would STRONGLY suggest use of either a private CA or 3rd party certs. Don't use the default self-signed stuff. George Starcher and I did a .conf talk on this subject at .conf 2014, should be able to find it in the talk archives.

In the case of UF -> HF -> Indexer, the UF is an "SSL Client", the HF Is both an SSL "server" (toward the UF) and an SSL "client" (toward the indexer), and the indexer is an SSL "server"

View solution in original post

Reply
Solved! Jump to solution

karthikeyan_k14
New Member
‎06-07-2017 09:07 PM

In the case of UF -> HF -> Indexer, the UF is an "SSL Client", the HF Is both an SSL "server" (toward the UF) and an SSL "client" (toward the indexer), and the indexer is an SSL "server"...

we are also deploying the same setup, but HF is in cluster mode for LB with fail over setup.
can anyone help the SSL certificate configuration of all (UF,HF and IDX) input.conf and output,conf. We are deployed 3rd party pki certificate. using Common name fro all Forwarders,IDX and DS

I need below answers for below queries
1. Have to initiate separate certificate for all forwarders with rootpath ? or same has to use in ssl client and server
2. please share sample configuration

0 Karma
Reply
Solved! Jump to solution

rwcbp
Explorer
‎07-01-2015 07:50 AM

Thanks for the quick response. I will search for the .conf 2014 discussion, as well.

0 Karma
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎07-01-2015 07:47 AM

By default, no, there is no crypto between forwarders and indexers or forwarders and intermediate forwarders.

If you choose to do encryption, the certificate situation is up to you. However, I would STRONGLY suggest use of either a private CA or 3rd party certs. Don't use the default self-signed stuff. George Starcher and I did a .conf talk on this subject at .conf 2014, should be able to find it in the talk archives.

In the case of UF -> HF -> Indexer, the UF is an "SSL Client", the HF Is both an SSL "server" (toward the UF) and an SSL "client" (toward the indexer), and the indexer is an SSL "server"

Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎07-01-2015 07:55 AM

Just remembered, I posted a copy of the slides post .conf with some followup comments based on audience questions at http://duanewaddle.com/splunk-conf-2014/

0 Karma
Reply
Solved! Jump to solution

rwcbp
Explorer
‎07-01-2015 08:02 AM

Much appreciated. Certainly saves time.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...