Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

TLS certificate host name validation on Universal Forwarder

lukasmecir
Path Finder
‎01-25-2024 08:59 AM

Hello,

I have Splunk distributed deployment (cca 20 servers + cca 100 UFs). On servers, I configured SSL encryption of management traffic and TLS certificate host name validation:

server.conf

 

[sslConfig]
enableSplunkdSSL = true
serverCert = <path_to_the_server_certificate>
sslVerifyServerCert = true
sslVerifyServerName = true
sslRootCAPath = <path_to_the_CA_certificate>

 

Everything is working well - servers communicate each other.

But my question is: I use Deployment server for pushing config to UFs and I am little bit surprised that management traffic between UFs and Deployment server is still flowing (I see all UFs phoning home, I can push config) even I did not configure encryption nor hostname validation on any UF. Is it OK? Does it mean that hostname validation for management traffic cannot be configured on UF? Or there is a way how to config hostname validation on UFs?

I found only how to configure hostname validation on UF in outputs.conf for sending collected data to Indexer, but nothing about management traffic.

Thank you for any hint.

Best regards

Lukas Mecir

Labels (1)
Labels
0 Karma
Reply

datadevops
Path Finder
‎01-28-2024 02:19 AM

Hi there,

  • UFs Don't Initiate SSL: UFs don't initiate SSL connections for management traffic, so they don't directly handle hostname validation.
  • DS Handles It: The Deployment Server takes care of SSL and hostname validation when communicating with UFs.
  • Good for Server-to-Server: Your server-to-server SSL and hostname validation setup is solid for securing those connections.

Additional Tips:

  • Secure UF Data: If you're concerned about securing data sent from UFs to indexers, configure SSL and hostname validation in outputs.conf on UFs.
  • Consult Docs: Always refer to Splunk documentation for the most up-to-date guidance on specific configuration options: <invalid link removed>

~ If the reply helps, a Karma upvote would be appreciated

0 Karma
Reply

LDurraniFred
New Member
‎03-01-2024 08:28 AM

Are you sure that DS initiates connection. If you disable 8089 port on UF still UF is able to phone home to DS and receive app. How can DS initiate connection if UF does not even have a listening port.
It seems communication is initiated from UF to DS.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...