Security

TLS certificate host name validation on Universal Forwarder

lukasmecir
Path Finder

Hello,

I have a Splunk distributed deployment (approx. 20 servers + approx. 100 UFs). On the servers, I configured SSL encryption of management traffic and TLS certificate host name validation:

server.conf

[sslConfig]
enableSplunkdSSL = true
serverCert = <path_to_the_server_certificate>
sslVerifyServerCert = true
sslVerifyServerName = true
sslRootCAPath = <path_to_the_CA_certificate>

Everything is working well - the servers communicate with each other.

But my question is: I use the Deployment Server for pushing config to the UFs, and I am a little bit surprised that management traffic between the UFs and the Deployment Server is still flowing (I see all UFs phoning home, I can push config) even though I did not configure encryption or hostname validation on any UF. Is that OK? Does it mean that hostname validation for management traffic cannot be configured on a UF? Or is there a way to configure hostname validation on UFs?

I only found how to configure hostname validation on a UF in outputs.conf for sending collected data to the indexers, but nothing about management traffic.

Thank you for any hint.

Best regards

Lukas Mecir

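An added example, not code from this thread or from Splunk: a small Python audit that reads a server.conf [sslConfig] stanza using the keys shown in the question and reports whether that node's management-port TLS is verified by chain and host name, by chain only, or not at all. The Splunk defaults for absent keys, the accepted boolean spellings and the dependency of sslVerifyServerName on sslVerifyServerCert are assumptions; the certificate paths are placeholders.

```python
import configparser

# Assumed Splunk defaults when a key is absent: SSL on, peer not verified.
DEFAULTS = {"enableSplunkdSSL": "true", "sslVerifyServerCert": "false",
            "sslVerifyServerName": "false", "sslRootCAPath": ""}

def truthy(value):
    """Assumption: Splunk booleans are written as true/false or 1/0."""
    return str(value).strip().lower() in ("true", "1")

def parse_ssl_config(conf_text):
    """Return the [sslConfig] stanza as a dict with defaults filled in."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    parser.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    parser.read_string(conf_text)
    stanza = dict(parser["sslConfig"]) if parser.has_section("sslConfig") else {}
    return {**DEFAULTS, **stanza}

def assess(conf_text):
    """Verdict: 'hostname', 'chain-only', 'unverified' or 'ssl-disabled', plus findings."""
    ssl = parse_ssl_config(conf_text)
    if not truthy(ssl["enableSplunkdSSL"]):
        return "ssl-disabled", ["enableSplunkdSSL is off: management traffic is plaintext"]
    verify_cert = truthy(ssl["sslVerifyServerCert"])
    verify_name = truthy(ssl["sslVerifyServerName"])
    findings = []
    if verify_cert and not (ssl["sslRootCAPath"] or "").strip():
        findings.append("sslVerifyServerCert = true but sslRootCAPath is unset")
    if verify_name and not verify_cert:
        # Assumption: the host name check only applies once the chain is verified.
        findings.append("sslVerifyServerName = true has no effect without sslVerifyServerCert")
    if not verify_cert:
        findings.append("sslVerifyServerCert is not true: peer certificate chain is not checked")
        return "unverified", findings
    if not verify_name:
        findings.append("sslVerifyServerName is not true: any cert from the CA is accepted")
        return "chain-only", findings
    return "hostname", findings

# Constructed inputs: the poster's server stanza with placeholder paths, and a UF
# whose server.conf never mentions [sslConfig], as described in the question.
SERVER_CONF = """[sslConfig]
enableSplunkdSSL = true
serverCert = /opt/splunk/etc/auth/server.pem
sslVerifyServerCert = true
sslVerifyServerName = true
sslRootCAPath = /opt/splunk/etc/auth/ca.pem
"""
UF_CONF = "[general]\nserverName = uf-example-01\n"
```

Run `assess()` over the server.conf of every node to see which ones only verify the chain (or nothing) on their management port.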

datadevops
Path Finder

Hi there,

  • UFs Don't Initiate SSL: UFs don't initiate SSL connections for management traffic, so they don't directly handle hostname validation.
  • DS Handles It: The Deployment Server takes care of SSL and hostname validation when communicating with UFs.
  • Good for Server-to-Server: Your server-to-server SSL and hostname validation setup is solid for securing those connections.

Additional Tips:

  • Secure UF Data: If you're concerned about securing data sent from UFs to indexers, configure SSL and hostname validation in outputs.conf on UFs.
  • Consult Docs: Always refer to Splunk documentation for the most up-to-date guidance on specific configuration options: <invalid link removed>

~ If the reply helps, a Karma upvote would be appreciated


LDurraniFred
New Member

Are you sure that the DS initiates the connection? If you disable port 8089 on the UF, the UF is still able to phone home to the DS and receive apps. How can the DS initiate the connection if the UF does not even have a listening port?
It seems the communication is initiated from the UF to the DS.
