Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does UF still require clientCert when requireClientCert is already disable in indexer?

splunker686
Explorer
‎02-13-2023 09:08 AM

Hello Splunkers, I would like to understand why a cert is need for the UF, when indexer already has requireClientCert disabled.  Thanks in advance.

On indexer, we have the following inputs.conf stanza configured:

[splunktcp-ssl:9997]
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/myServerCert.pem
sslPassword = mySecret
requireClientCert = false

 

On the UF, we have the following outputs.conf stanza configured:

[indexer_discovery:cm1]
master_uri = https://cm1:8089
pass4SymmKey = mySecretSymmKey

[tcpout]
defaultGroup = ssl-test

[tcpout:ssl-test]
indexerDiscovery = master-es
useACK = true
useClientSSLCompression = false

The UF failed to connect to the indexer with the following errors seen in the UF's splunkd.log:

02-11-2023 02:57:57.421 +0000 ERROR TcpOutputProc [1715593 TcpOutEloop] - target=x.x.x.x:9997 ssl=1 mismatch with ssl config in outputs.conf for server, skipping..

The issue is resolved once we have set the clientCert in forwarder's outputs.conf stanza:

[tcpout:ssl-test]
indexerDiscovery = master-es
useACK = true
useClientSSLCompression = false
clientCert = $SPLUNK_HOME/etc/auth/mycerts/MyClientCert.pem

 

From our test so far, this requirement seems to be specific to splunktcp-ssl.  Inter-splunk communications between UF and deployment server or cluster manager (for indexer discovery) do not seem to require the client cert.

 

 

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

splunker686
Explorer
‎02-13-2023 09:42 AM

Looks like setting "useSSL = true" in outputs.conf did the trick:

## outputs.conf.spec
useSSL = <true|false|legacy>
* Whether or not the forwarder uses SSL to connect to the receiver, or relies
  on the 'clientCert' setting to be active for SSL connections.
* You do not need to set 'clientCert' if 'requireClientCert' is set to
  "false" on the receiver.
* A value of "true" means the forwarder uses SSL to connect to the receiver.
* A value of "false" means the forwarder does not use SSL to connect to the
  receiver.
* The special value "legacy" means the forwarder uses the 'clientCert' property to
  determine whether or not to use SSL to connect.
* Default: legacy

 

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...