Getting Data In

Why does UF still require clientCert when requireClientCert is already disabled in indexer?

splunker686
Explorer

Hello Splunkers, I would like to understand why a cert is needed for the UF, when indexer already has requireClientCert disabled. Thanks in advance.

On indexer, we have the following inputs.conf stanza configured:

[splunktcp-ssl:9997]
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/myServerCert.pem
sslPassword = mySecret
requireClientCert = false

 

On the UF, we have the following outputs.conf stanza configured:

[indexer_discovery:cm1]
master_uri = https://cm1:8089
pass4SymmKey = mySecretSymmKey

[tcpout]
defaultGroup = ssl-test

[tcpout:ssl-test]
indexerDiscovery = master-es
useACK = true
useClientSSLCompression = false

The UF failed to connect to the indexer with the following errors seen in the UF's splunkd.log:

02-11-2023 02:57:57.421 +0000 ERROR TcpOutputProc [1715593 TcpOutEloop] - target=x.x.x.x:9997 ssl=1 mismatch with ssl config in outputs.conf for server, skipping..

The issue is resolved once we have set the clientCert in forwarder's outputs.conf stanza:

[tcpout:ssl-test]
indexerDiscovery = master-es
useACK = true
useClientSSLCompression = false
clientCert = $SPLUNK_HOME/etc/auth/mycerts/MyClientCert.pem

 

From our test so far, this requirement seems to be specific to splunktcp-ssl.  Inter-splunk communications between UF and deployment server or cluster manager (for indexer discovery) do not seem to require the client cert.

 

 

 


splunker686
Explorer

Looks like setting "useSSL = true" in outputs.conf did the trick:

## outputs.conf.spec
useSSL = <true|false|legacy>
* Whether or not the forwarder uses SSL to connect to the receiver, or relies on the 'clientCert' setting to be active for SSL connections.
* You do not need to set 'clientCert' if 'requireClientCert' is set to "false" on the receiver.
* A value of "true" means the forwarder uses SSL to connect to the receiver.
* A value of "false" means the forwarder does not use SSL to connect to the receiver.
* The special value "legacy" means the forwarder uses the 'clientCert' property to determine whether or not to use SSL to connect.
* Default: legacy
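The useSSL rules quoted above can be applied to a forwarder's outputs.conf to see in advance whether each target group will actually speak SSL to a splunktcp-ssl receiver. This is an added example, not part of the original posts and not Splunk's own code; the function names are hypothetical, the sample config is constructed from the question, and the fallback from a group stanza to [tcpout] is an assumption.

```python
import configparser

# Constructed sample: the forwarder outputs.conf from the question (no clientCert, no useSSL).
SAMPLE_OUTPUTS = """\
[tcpout]
defaultGroup = ssl-test

[tcpout:ssl-test]
indexerDiscovery = master-es
useACK = true
useClientSSLCompression = false
"""

def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep setting names case-sensitive (clientCert, useSSL)
    cp.read_string(text)
    return cp

def effective_ssl(cp, group):
    """Apply the quoted useSSL rules to [tcpout:<group>]; returns (uses_ssl, reason)."""
    def lookup(key):
        # Assumption: a setting absent from the group falls back to [tcpout].
        for stanza in (f"tcpout:{group}", "tcpout"):
            if cp.has_section(stanza) and cp.has_option(stanza, key):
                return cp.get(stanza, key).strip()
        return None

    use_ssl = (lookup("useSSL") or "legacy").lower()
    if use_ssl == "true":
        return True, "useSSL = true"
    if use_ssl == "false":
        return False, "useSSL = false"
    if use_ssl != "legacy":
        raise ValueError(f"unexpected useSSL value: {use_ssl!r}")
    # legacy (the default): SSL is used only when clientCert is set
    if lookup("clientCert"):
        return True, "legacy: clientCert is set"
    return False, "legacy: no clientCert, so no SSL"

def audit(text, receiver_is_ssl=True):
    """Map each tcpout group to (matches_receiver, reason)."""
    cp = load_conf(text)
    result = {}
    for section in cp.sections():
        if section.startswith("tcpout:"):
            uses_ssl, reason = effective_ssl(cp, section.split(":", 1)[1])
            result[section.split(":", 1)[1]] = (uses_ssl == receiver_is_ssl, reason)
    return result
```

Calling `audit(SAMPLE_OUTPUTS)` reports the `ssl-test` group as a mismatch against an SSL receiver; adding either `useSSL = true` or a `clientCert` line to the group clears it.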

 
