Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why am I getting an error in splunkd.log when setting up Splunk Port 9997 SSL

JarrettM
Path Finder
‎03-07-2019 09:42 AM

Attempting to set up new Splunk 7.2.4.2 server on Redhat 7 using our own cert. Splunk web works fine with https using our cert. Configured inputs.conf and server.conf to allow ssl for receiving from forwarders. Get the following ERROR in splunkd.log:

TcpInputConfig - SSL context not found. Will not open splunk to splunk (SSL) IPv4 port 9997

inputs.conf and server.conf are as follows:

inputs.conf

[default]
host = myserver.com

[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycert.pem
sslPassword = mypassword
requireClientCert = false

server.conf

[general]
serverName = myserver.com
pass4SymmKey = symmkey

[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/rootcert.pem

Also perhaps a related issue?

 ERROR IntrospectionGenerator:resource_usage -  KVStoreConfigurationProvider - Unable to read an X509 cert from '' file

Thanks!

0 Karma
Reply

cvssravan
Path Finder
‎03-07-2019 10:32 AM

Looking at this specific error:
ERROR IntrospectionGenerator:resource_usage - KVStoreConfigurationProvider - Unable to read an X509 cert from '' file.

It seems like the file was not found. Make sure the $SPLUNK_HOME variable is set and verify the cert file in the specified path and try again.

0 Karma
Reply

JarrettM
Path Finder
‎03-07-2019 11:11 AM

Seems like it must be set and the cert file is in the path because my web.conf uses $SPLUNK_HOME with the same cert and it works:

web.conf

[settings]
enableSplunkWebSSL = 1
privKeyPath = $SPLUNK_HOME/etc/auth/mykey.pem
serverCert = $SPLUNK_HOME/etc/auth/mycert.pem
httpport = 8000

mgmtHostPort = 127.0.0.1:8089
appServerPorts = 8065

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

The Payment Operations Wake-Up Call: Why Financial Institutions Can't Afford ...

The same scenario plays out across financial institutions daily. A payment system fails at 11:30 AM on a busy ...

Make Your Case: A Ready-to-Send Letter for Getting Approval to Attend .conf25

Hello Splunkers, Want to attend .conf25 in Boston this year but not sure how to convince your manager? We've ...

Community Spotlight: A Splunk Expert's Journey

In the world of data analytics, some journeys leave a lasting impact not only on the individual but on the ...
Top