Security

Why am I getting an error in splunkd.log when setting up Splunk Port 9997 SSL

JarrettM
Path Finder

Attempting to set up new Splunk 7.2.4.2 server on Redhat 7 using our own cert. Splunk web works fine with https using our cert. Configured inputs.conf and server.conf to allow ssl for receiving from forwarders. Get the following ERROR in splunkd.log:

TcpInputConfig - SSL context not found. Will not open splunk to splunk (SSL) IPv4 port 9997

inputs.conf and server.conf are as follows:

inputs.conf

[default]
host = myserver.com

[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycert.pem
sslPassword = mypassword
requireClientCert = false

server.conf

[general]
serverName = myserver.com
pass4SymmKey = symmkey

[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/rootcert.pem

Also perhaps a related issue?

 ERROR IntrospectionGenerator:resource_usage -  KVStoreConfigurationProvider - Unable to read an X509 cert from '' file

Thanks!

0 Karma

cvssravan
Path Finder

Looking at this specific error:
ERROR IntrospectionGenerator:resource_usage - KVStoreConfigurationProvider - Unable to read an X509 cert from '' file.

It seems like the file was not found. Make sure the $SPLUNK_HOME variable is set and verify the cert file in the specified path and try again.

0 Karma

JarrettM
Path Finder

Seems like it must be set and the cert file is in the path because my web.conf uses $SPLUNK_HOME with the same cert and it works:

web.conf

[settings]
enableSplunkWebSSL = 1
privKeyPath = $SPLUNK_HOME/etc/auth/mykey.pem
serverCert = $SPLUNK_HOME/etc/auth/mycert.pem
httpport = 8000

mgmtHostPort = 127.0.0.1:8089
appServerPorts = 8065

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!