Security

What is the most simple way to enable SSL communication between my forwarders and indexers?

jbsplunk
Splunk Employee
Splunk Employee

Does anyone know where I can find a working configuration that shows splunk2splunk using ssl? I would really appreciate a working example

Tags (2)

georgen_splunk
Splunk Employee
Splunk Employee

updated for Enterprise versions 7.1

Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf

[default]
host = indexerA1.chubbybunny.com

[splunktcp-ssl:9997]
compressed = true

[SSL]
sslPassword = password
requireClientCert = false
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
serverCert = $SPLUNK_HOME/etc/auth/server.pem

Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf

[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
compressed = true
server = indexerA1.chubbybunny.com:9997
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
sslVerifyServerCert = false
0 Karma

sayash27
Explorer

here sslPassword is of ca.pem or server.pem? In case we have different password then which password we are going to use.

jworthington_sp
Splunk Employee
Splunk Employee

If you prefer to use your own certificates, you can also check out the following topic in the Securing Splunk guide:

http://docs.splunk.com/Documentation/Splunk/5.0.1/Security/ConfigureSplunkforwardingtousesignedcerti...

Chubbybunny
Splunk Employee
Splunk Employee

you got it.

Using the built-in certs on our UF's and indexers. We've managed to get SSL working for splunkTOsplunk communication using the following in/outputs.conf

Indexer: $splunk_home/etc/system/local/inputs.conf

[default]
host = indexerA1.chubbybunny.com

[splunktcp-ssl:9997]
compressed = true

[SSL]
password = password
requireClientCert = false
rootCA = $SPLUNK_HOME/etc/auth/ca.pem
serverCert = $SPLUNK_HOME/etc/auth/server.pem

Forwarder: $splunk_home/etc/system/local/outputs.conf

[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
compressed = true
server = indexerA1.chubbybunny.com:9997
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
sslVerifyServerCert = false

*while this simply secures the communication channel between the two, using the default certs comes with a risk.
Also - the default password for both (server.pem & ca.pem) is: password

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!