Hello Splunkers, I would like to understand why a cert is needed for the UF, when the indexer already has requireClientCert disabled. Thanks in advance.
On indexer, we have the following inputs.conf stanza configured:
[splunktcp-ssl:9997]
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/myServerCert.pem
sslPassword = mySecret
requireClientCert = false
On the UF, we have the following outputs.conf stanza configured:
[indexer_discovery:cm1]
master_uri = https://cm1:8089
pass4SymmKey = mySecretSymmKey
[tcpout]
defaultGroup = ssl-test
[tcpout:ssl-test]
indexerDiscovery = master-es
useACK = true
useClientSSLCompression = false
The UF failed to connect to the indexer with the following errors seen in the UF's splunkd.log:
02-11-2023 02:57:57.421 +0000 ERROR TcpOutputProc [1715593 TcpOutEloop] - target=x.x.x.x:9997 ssl=1 mismatch with ssl config in outputs.conf for server, skipping..
The issue is resolved once we have set the clientCert in forwarder's outputs.conf stanza:
[tcpout:ssl-test]
indexerDiscovery = master-es
useACK = true
useClientSSLCompression = false
clientCert = $SPLUNK_HOME/etc/auth/mycerts/MyClientCert.pem
From our test so far, this requirement seems to be specific to splunktcp-ssl. Inter-splunk communications between UF and deployment server or cluster manager (for indexer discovery) do not seem to require the client cert.
Looks like setting "useSSL = true" in outputs.conf did the trick:
## outputs.conf.spec
useSSL = <true|false|legacy>
* Whether or not the forwarder uses SSL to connect to the receiver, or relies on the 'clientCert' setting to be active for SSL connections.
* You do not need to set 'clientCert' if 'requireClientCert' is set to "false" on the receiver.
* A value of "true" means the forwarder uses SSL to connect to the receiver.
* A value of "false" means the forwarder does not use SSL to connect to the receiver.
* The special value "legacy" means the forwarder uses the 'clientCert' property to determine whether or not to use SSL to connect.
* Default: legacy
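As an added example (not from the thread or from Splunk), a small Python checker that applies the useSSL / clientCert rule quoted above to a [tcpout:<group>] stanza and compares it with whether the receiving port is declared as splunktcp-ssl, so a config review catches the "ssl=1 mismatch" before deployment. The conf texts are constructed copies of the posted stanzas, and the port is passed in because indexer discovery supplies it at runtime.

```python
import configparser

# Constructed copies of the thread's inputs.conf and outputs.conf fragments
# (the $SPLUNK_HOME paths are placeholders, as in the post).
RECEIVER_INPUTS = """
[splunktcp-ssl:9997]
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/myServerCert.pem
requireClientCert = false
"""
OUTPUTS_BROKEN = """
[tcpout:ssl-test]
indexerDiscovery = master-es
useACK = true
"""
OUTPUTS_FIXED = OUTPUTS_BROKEN + "useSSL = true\n"

def _parse(text):
    # Splunk .conf files are INI-like: case-sensitive keys, empty stanzas allowed.
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def forwarder_uses_ssl(stanza):
    """Apply the useSSL rule from outputs.conf.spec to one [tcpout:<group>] stanza."""
    use_ssl = stanza.get("useSSL", "legacy").strip().lower()
    if use_ssl == "true":
        return True
    if use_ssl == "false":
        return False
    # 'legacy' (the default): SSL only if clientCert is set.
    return bool(stanza.get("clientCert"))

def receiver_expects_ssl(inputs_text, port):
    """True if the receiving port is declared as [splunktcp-ssl:<port>]."""
    return f"splunktcp-ssl:{port}" in _parse(inputs_text).sections()

def check_pair(inputs_text, outputs_text, group, port):
    """'ok' when both sides agree on TLS, otherwise which side expects it."""
    fwd_ssl = forwarder_uses_ssl(_parse(outputs_text)[f"tcpout:{group}"])
    rcv_ssl = receiver_expects_ssl(inputs_text, port)
    if fwd_ssl == rcv_ssl:
        return "ok"
    return ("receiver expects TLS, forwarder sends plaintext" if rcv_ssl
            else "forwarder sends TLS, receiver expects plaintext")

if __name__ == "__main__":
    for name, text in (("broken", OUTPUTS_BROKEN), ("fixed", OUTPUTS_FIXED)):
        print(name, check_pair(RECEIVER_INPUTS, text, "ssl-test", 9997))
```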