Security

SSL Certs and verification

edwardrose
Contributor

Hello All

I have the following configuration that I would like to see work if possible. A server in the DMZ setup as an intermediary to capture logs from devices in AWS being transported over the internet. Could one possibly have the following setup:

AWS universal forwarder 3rd party cert
server.conf:

[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/3rdpartycert/cacert.pem

outputs.conf

[tcpout]

[tcpout:dmz_fwd]
server = dmz-fwder.example.org:9997
disable = 0
clientCert = $SPLUNK_HOME/etc/auth/3rdpartycert/client.pem
useClientSSLCompression = true
sslPassword = <blah>
sslCommonNameToCheck = dmz-fwder.example.org
sslVerifyServerCert = true 

DMZ Host 3rd party Cert and Splunk Cert
inputs.conf:

[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/3rdpartycert/server.pem
sslPassword = password
requireClientCert = True

server.conf

[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/3rdpartycert/cacert.pem

Then the DMZ host would use the default certs and default SSL configuration to send the data into a secure network on our intranet. I am not sure it will work as due to the fact the server.conf on the DMZ host will have a conflict between the 3rd party cert and the Splunk out of the box cert.

server.conf required for default certs

[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/cacert.pem

Thoughts?

Thanks in advance

0 Karma

vishaltaneja070
Motivator

@edwardrose,

I dont think it will be problem. If you are sending data outside Splunk then the configuration will be there in outputs.conf and we are not specifying any ssl use there.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.