I am attempting to upgrade an existing LFC on a Windows server and use an SSL certificate for encryption and authentication of this machine.
I am attempting to use a certificate issued by our own certificate authority (CA).
I have followed the instructions as outlined in http://www.splunk.com/base/Documentation/latest/Deploy/DeployaWindowsdfmanually and read http://www.splunk.com/base/Documentation/latest/Admin/UseSSLtoencryptandauthenticatedatafromforwarde...
I did this through the installation wizard (GUI), just to see what it requests.
I specify a computer certificate, the password and a Root CA certificate to verify the identity of the certificate in .cer format.
No matter what I do, I get an SSLCommon error, either “can’t read CA list” or “Error initializing SSL context - invalid sslCertPath for server”.
My question is: what format do I need to have these files in? Do I need to convert these to .pem files?
I converted the files to .pem using openssl but I still get the same error.
Is the privkey supposed to be the CA certificate and associated chain, or the computer certificate private key?
sslCertPath = C:\Program Files\SplunkUniversalForwarder\etc\system\local\certs\cert.pem
sslPassword = $2$Pa$$W0rdHERE=
sslRootCAPath =C:\Program Files\SplunkUniversalForwarder\etc\system\local\certs\privkey.pem
The following configuration procedure has been written precisely to address this case:
http://www.splunk.com/wiki/Community:Splunk2Splunk_SSL_3rdPartyCA
If you are unable to configure SSL for your splunk2splunk communication with these instructions, please attempt to follow the troubleshooting steps on that page (section #5) and paste here what you can from the btool output for inputs/outputs.conf and the pertinent (TcpInputProc/TcpOutputProc) splunkd.log lines.
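A quick way to see which kind of PEM material each configured file actually holds, as an added example that is not part of the original thread or of Splunk's own tooling. It assumes the usual layout in which `sslCertPath` points at a PEM file holding the machine certificate together with its private key and `sslRootCAPath` at a PEM file holding only CA certificate(s); the function names and sample inputs are constructed for illustration.

```python
import re

# One PEM block: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S)

def pem_labels(text):
    """Labels of every PEM block in text, in file order."""
    return PEM_BLOCK.findall(text)

def check_role(setting, text):
    """Problems with a file used for 'sslCertPath' or 'sslRootCAPath'.

    Assumed roles (see lead-in): sslCertPath = certificate + private key,
    sslRootCAPath = CA certificate(s) only.
    """
    labels = pem_labels(text)
    if not labels:
        return ["no PEM blocks: file is DER/PKCS#12 or not a certificate"]
    has_cert = "CERTIFICATE" in labels
    # Covers "PRIVATE KEY", "RSA PRIVATE KEY" and "ENCRYPTED PRIVATE KEY".
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    problems = []
    if not has_cert:
        problems.append("no CERTIFICATE block")
    if setting == "sslCertPath" and not has_key:
        problems.append("no PRIVATE KEY block for the machine certificate")
    if setting == "sslRootCAPath" and has_key:
        problems.append("private key present in the CA file")
    return problems

# Constructed sample inputs (placeholder bodies, not real key material).
def _block(label):
    return f"-----BEGIN {label}-----\nAAAA\n-----END {label}-----\n"

MACHINE_PEM = _block("CERTIFICATE") + _block("ENCRYPTED PRIVATE KEY")
CA_PEM = _block("CERTIFICATE")
KEY_ONLY_PEM = _block("RSA PRIVATE KEY")
DER_AS_TEXT = "0\x82\x03\x1f0\x82"  # what a binary .cer looks like as text

if __name__ == "__main__":
    for setting, sample in [("sslCertPath", MACHINE_PEM),
                            ("sslRootCAPath", CA_PEM),
                            ("sslRootCAPath", KEY_ONLY_PEM),
                            ("sslRootCAPath", DER_AS_TEXT)]:
        print(setting, pem_labels(sample), check_role(setting, sample) or "ok")
```

To check a real file, pass its contents, for example `check_role("sslRootCAPath", open(path, errors="replace").read())`.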
Hello, I have been learning Splunk by e-learning. I am confused about the inputs.conf and outputs.conf files.
I want to know if outputs.conf must be configured only on the forwarder, and also if inputs.conf must be configured only on the indexer. Could the two files be configured on the forwarder or on the indexer?
In which cases must I configure outputs.conf?
Thank you!
I downvoted this post because this has nothing to do with the original post.
I downvoted this post because this is a new question, not a comment.
Thanks hexx, I hadn't read those instructions yet.
Please include the full stanzas from outputs.conf as well as the full error.