Getting Data In

Why does UF still require clientCert when requireClientCert is already disable in indexer?

splunker686
Explorer

Hello Splunkers, I would like to understand why a cert is need for the UF, when indexer already has requireClientCert disabled.  Thanks in advance.

On indexer, we have the following inputs.conf stanza configured:

[splunktcp-ssl:9997]
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/myServerCert.pem
sslPassword = mySecret
requireClientCert = false

 

On the UF, we have the following outputs.conf stanza configured:

[indexer_discovery:cm1]
master_uri = https://cm1:8089
pass4SymmKey = mySecretSymmKey

[tcpout]
defaultGroup = ssl-test

[tcpout:ssl-test]
indexerDiscovery = master-es
useACK = true
useClientSSLCompression = false

The UF failed to connect to the indexer with the following errors seen in the UF's splunkd.log:

02-11-2023 02:57:57.421 +0000 ERROR TcpOutputProc [1715593 TcpOutEloop] - target=x.x.x.x:9997 ssl=1 mismatch with ssl config in outputs.conf for server, skipping..

The issue is resolved once we have set the clientCert in forwarder's outputs.conf stanza:

[tcpout:ssl-test]
indexerDiscovery = master-es
useACK = true
useClientSSLCompression = false
clientCert = $SPLUNK_HOME/etc/auth/mycerts/MyClientCert.pem

 

From our test so far, this requirement seems to be specific to splunktcp-ssl.  Inter-splunk communications between UF and deployment server or cluster manager (for indexer discovery) do not seem to require the client cert.

 

 

 

Labels (1)
Tags (2)

splunker686
Explorer

Looks like setting "useSSL = true" in outputs.conf did the trick:

## outputs.conf.spec
useSSL = <true|false|legacy> * Whether or not the forwarder uses SSL to connect to the receiver, or relies on the 'clientCert' setting to be active for SSL connections. * You do not need to set 'clientCert' if 'requireClientCert' is set to "false" on the receiver. * A value of "true" means the forwarder uses SSL to connect to the receiver. * A value of "false" means the forwarder does not use SSL to connect to the receiver. * The special value "legacy" means the forwarder uses the 'clientCert' property to determine whether or not to use SSL to connect. * Default: legacy

 

Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...