Security

Configuring SSL on universal forwarder

gekoner
Communicator

I am attempting to upgrade an existing LFC on a Windows server and use a SSL certificate for encryption and authentication of this machine.
I am attempting to use a certificate issued by our own certificate authority (CA).
I have followed the instructions as outlined in; http://www.splunk.com/base/Documentation/latest/Deploy/DeployaWindowsdfmanually and read http://www.splunk.com/base/Documentation/latest/Admin/UseSSLtoencryptandauthenticatedatafromforwarde...

I did this through the installation wizard (GUI), just to see what it requests.
I specify a computer certificate, the password and a Root CA certificate to verify the identity of the certificate in .cer format.
No matter what I do I get a SSLCommon error either that “can’t read CA list” or “Error initializing SSL context - invalid sslCertPath for server”
My question is; what format do I need to have these files in? Do I need to convert these to .pem files?
I converted the files .pem using openssl but I still get the same error.
Is the privkey supposed to be the CA certificate and associated chain, or the computer certificate private key?

Sample output.conf

sslCertPath = C:\Program Files\SplunkUniversalForwarder\etc\system\local\certs\cert.pem   
sslPassword = $2$Pa$$W0rdHERE=   
sslRootCAPath =C:\Program Files\SplunkUniversalForwarder\etc\system\local\certs\privkey.pem
1 Solution

hexx
Splunk Employee
Splunk Employee

The following configuration procedure has been written precisely to address this case :

http://www.splunk.com/wiki/Community:Splunk2Splunk_SSL_3rdPartyCA

If you are unable to configure SSL for your splunk2splunk communication with these instructions, please attempt to follow the troubleshooting steps on that page (section #5) and paste here what you can from the btool output for inputs/outputs.conf and the pertinent (TcpInputProc/TcpOutputProc) splunkd.log lines.

View solution in original post

jeandez
Explorer

hello, i have been learning splunk by elearning. I am confuse about inputs.conf and outputs.conf file.
I want to know if outputs.conf must be configured only on the forwarder ? and also inputs.conf must be configured only on the indexer ??? coud the two files be configured on the forwarder or on the indexer ?
IN which cases must i configure outputs.conf ??

Thank you !!

0 Karma

gekoner
Communicator

I downvoted this post because this has nothing to do with the original post.

0 Karma

mcs24
Explorer

I downvoted this post because this is a new question, not a comment.

0 Karma

hexx
Splunk Employee
Splunk Employee

The following configuration procedure has been written precisely to address this case :

http://www.splunk.com/wiki/Community:Splunk2Splunk_SSL_3rdPartyCA

If you are unable to configure SSL for your splunk2splunk communication with these instructions, please attempt to follow the troubleshooting steps on that page (section #5) and paste here what you can from the btool output for inputs/outputs.conf and the pertinent (TcpInputProc/TcpOutputProc) splunkd.log lines.

gekoner
Communicator

Thanks hexx, I hadn't read those instructions yet.

0 Karma

araitz
Splunk Employee
Splunk Employee

Please include the full stanzas from outputs.conf as well as the full error.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...