I'm using Splunk Enterprise 8.2.5 on Windows (both indexers and forwarders). I have modified inputs.conf on the indexer as follows to reference my PKI-signed certificate/key pair:
[splunktcp-ssl:9998]
disabled = 0

[SSL]
serverCert = C:\Program Files\Splunk\etc\auth\mycert\my.pem
sslPassword = mypassword
requireClientCert = false
sslVersions = *,-ssl2,-ssl3,-tls1.0,-tls1.1
After service restart I see port 9998 listening on the indexer. I added the following config to the outputs.conf of my forwarder:
[tcpout:production]
server = myindexerfqdn:9998
useSSL = true
No data is getting forwarded though and the following is raised in splunkd.log at the forwarder:
03-29-2022 13:01:11.229 +0100 ERROR SSLCommon [37916 parsing] - Can't read certificate file errno=33558528 error:02001000:system library:fopen:system library
03-29-2022 13:01:11.229 +0100 ERROR TcpOutputProc [37916 parsing] - Error initializing SSL context - check splunkd.log regarding configuration error for server myindexerfqdn:9998
What is the Windows forwarder looking for? I set the indexer not to verify client certs, but does the forwarder need a client certificate (self-signed or otherwise) generated regardless to use SSL?