Hi Will,

Did you separate them just by a text editor. Or you did additional steps? (e.g passphrase to decrypt the pem file, ssl password if needed , etc)

Thanks,

Patrick

Hi @Paaattt 

Ye the file is ultimately a text file so you can use any regular text editor to edit and copy the contents into new files.

Good point about the encrypted key, Does Kiteworks offer a field for SSL Password (which will be in your UF app). If not you will need to remove the encrpytion from the key before you add it to Kiteworks

Use something like this

openssl rsa -in encrypted_key.pem -out decrypted_key.pem

When you run this command, OpenSSL will prompt you to enter the current password for the private key. After you provide the correct password, it will output the decrypted private key to the specified output file.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Hi @livehybrid ,

Thank you. So Kiteworks accepts the following

SSL certificate
SSL Password
Root Certificate
Intermediate Certificate

So yeah I can move them to separate pem file. My remaining problem is the SSL Password key. Splunk told me that the passphrase is located in $SPLUNK_HOME/etc/apps/100_**/local/outputs.conf.
[tcpout]
sslPassword = [value]

I decrypted the value using 
$SPLUNK_HOME/bin/splunk show-decrypted --value '<encrypted_value>'

Unfortunately it is giving me this error
139750988822336:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:603:
139750988822336:error:0906A065:PEM routines:PEM_do_header:bad decrypt:crypto/pem/pem_lib.c:461:

A bad decrypt. What do you think did I miss? I am doubting the ssl password. But if this is the right step I need to try again and see how it goes.

Hi @livehybrid ,

I just have another question. The certificate works and we are now doing the ingestion. Thank you for that. On the Admin guide. I have to do the following on Splunk Cloud:

1. Create Index
2. Enable receiver 9997
3. Enable TCP Inputs 514

We got a blocker on TCP Inputs. Ideally should be easy as like Settings > Data Inputs > Forwarded Inputs > TCP on the HF. But our approach is on Splunk Cloud (We don't use HF on this data even if we have for others. Project decided to have a saas to saas integration for KW). Now the prompt looks like this 

"You currently don't have any forwarders installed. If you've recently installed a new forwarder, click the refresh button below to reload page."

Refreshing it does nothing.
While I understand this on an on-prem deployment perspective. I can't fully understand the project's approach. the Admin guide provided as well is not helpful. No troubleshooting part for Splunk Cloud.

How did you proceed on the ingestion piece?

Thanks @livehybrid . Looks like I am decrypting it wrong. Need to ad '' as prefix and suffix. All good now. Thank you!!!