We are running Splunk V3, but are spinning up a new Splunk V4 server, which we will migrate to. We will likely only migrate some saved searches and reports, not existing log data.

I'm configuring SSL for encryption only (at this point), between a forwarder and the receiver. I have been following the docs, but would like some help.

Do customers typically configure SSL using certificates they have created, or using the certificate which Splunk generates at install (e.g. /opt/splunk/etc/auth/server.pem)? If we use a certificate which we create, do we need to self-sign that certificate, and tell the Splunk receiver and the forwarder about that CA?

I wasn't sure what the password was for the Splunk generated cert, so I created my own cert. I am currently getting this error on the receiver:

01-14-2010 17:13:20.711 INFO TcpInputProc - Connection in cooked SSL mode from IP=selma.cair.du.edu
01-14-2010 17:13:20.712 ERROR TcpInputFd - SSL Error = error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
01-14-2010 17:13:20.712 ERROR TcpInputFd - SSL Error for fd from HOST:selma.cair.du.edu, IP:130.253.1.77, PORT:33212

Here are my current configuration changes...

On the receiver, /opt/splunk/etc/system/local/inputs.conf:

[default]
host = splunk4
# ifetch: Require SSL, for encryption but not auth, for forwarders
[SSL]
serverCert=$SPLUNK_HOME/etc/system/local/9996.pem
requireClientCert=false
[splunktcp-ssl:9996]
# I am not specifying a queue here, do I need to?

On the forwarder, /opt/splunk/etc/system/local/outputs.conf:

[tcpout-server://splunk4.cair.du.edu:9996]
sslCertPath=$SPLUNK_HOME/etc/system/local/selma.pem
sslVerifyServerCert=false

Thanks,

asked 10 Feb '10, 19:59

Splunker_J ♦
1.1k5531
accept rate: 62%

edited 01 Apr '10, 15:11

gkanapathy ♦
32.4k4827


One Answer:

Most people use the Splunk ones, which is plenty to stop casual eavesdropping, though of course a hardworking and informed snooper can get hold of the Splunk CA (since it comes with every download of Splunk) and try to use that to decrypt captured traffic.

If you have your own certificate, you need the cert with its corresponding private key embedded (same as for a web server), plus you need to have the signing CA public cert.

The following configuration works with the default Splunk certs. The password for the generated server certificate private key (server.pem) is literally password. (That happens to be the same password as used for the shipped CA's (ca.pem) signing private key.) We do not need to use ca.pem here, we only need the public key of the signing CA, which is in cacert.pem. cacert.pem is simply ca.pem, but without the private key.

Indexer:

[splunktcp-ssl:9998]
compressed = true

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
password = password
requireClientCert = false

Forwarder:

[tcpout]
defaultGroup = splunkindexer

[tcpout:splunkindexer]
server = splunkindexer001:9998
compressed = true

[tcpout-server://splunkindexer001:9998]
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
sslVerifyServerCert = false
sslPassword = password

To be honest, I don't see why the Forwarder needs to have sslCertPath or sslPassword set, since the Indexer has requireClientCert = false and doesn't have the CA configured at all, but it won't work without it. This might be a bug. (It's basically a waste of time to authorize clients with the default CA, since every Splunk forwarder in the world has a cert signed by that one.)

If using your own certificate, you would replace server.pem with server certificates (which may be different between Forwarder and Indexer), password (on both sides) with the corresponding password for the server.pem, and cacert.pem with your CA's public key certificate.

answered 10 Feb '10, 20:34

gkanapathy ♦
32.4k4827
accept rate: 41%

In case it's unclear, cacert.pem should be the public key of the CA that signed the certificate server.pem that sits on the opposite end of the connection. In the case of the shipped certificates, these are the same, but it's not necessarily so.

(10 Feb '10, 20:41) gkanapathy ♦

Another thing: I have compression enabled. You should enable compression when using SSL. Compressing (and uncompressing) bytes generally takes less computation than encrypting (and decrypting) those bytes, and you reduce transmission bandwidth.

(10 Feb '10, 21:08) gkanapathy ♦

Information about setting up SSL forwarding with host authentication and self-signed certificates can be found here: http://answers.splunk.com/questions/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certificates-and-host-authen

(23 Sep '10, 06:55) hexx ♦
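The three checks that the "tlsv1 alert unknown ca" error in the question and the "what is the password for the generated cert" question reduce to, as an added shell example that is not part of this thread and not Splunk's own tooling. It builds a throwaway CA and a Splunk-style server.pem (certificate followed by its encrypted private key) with the openssl CLI in a temporary directory; the CA names, the hostname splunkindexer001 reused from the answer, and the key password are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Splunk Answers thread. Builds a throwaway CA and
# server certificate, then runs the checks an admin wants before pointing
# serverCert / sslRootCAPath / password (inputs.conf) and sslCertPath /
# sslRootCAPath / sslPassword (outputs.conf) at real files.
# Requires the openssl CLI. Every path, name and password here is constructed.
set -e

WORK="$(mktemp -d)"
KEYPASS="password"   # constructed; same literal the answer quotes for the shipped server.pem

# 1. A private CA: stands in for cacert.pem (public part) and ca.pem (signing key).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/ca.key" -out "$WORK/cacert.pem" \
  -subj "/CN=Example Splunk CA" >/dev/null 2>&1

# 2. A server certificate signed by that CA, with its private key encrypted
#    under KEYPASS, concatenated cert-then-key into one server.pem as Splunk expects.
openssl req -newkey rsa:2048 -passout "pass:$KEYPASS" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" \
  -subj "/CN=splunkindexer001" >/dev/null 2>&1
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -out "$WORK/server.crt" >/dev/null 2>&1
cat "$WORK/server.crt" "$WORK/server.key" > "$WORK/server.pem"

# 3. An unrelated CA, to reproduce offline the mismatch behind "unknown ca".
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/other.key" -out "$WORK/other-cacert.pem" \
  -subj "/CN=Unrelated CA" >/dev/null 2>&1

# Returns 0 if the certificate in $1 chains to the CA certificate in $2, i.e. the
# far end's sslRootCAPath would accept it; non-zero otherwise. The certificate is
# extracted first so the encrypted key in a combined server.pem is never touched.
chains_to_ca() {
  openssl x509 -in "$1" 2>/dev/null | openssl verify -CAfile "$2" >/dev/null 2>&1
}

# Returns 0 if password $2 unlocks the private key inside $1 (the value that goes
# into [SSL] password on the indexer or sslPassword on the forwarder).
key_password_ok() {
  openssl rsa -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Returns 0 if the certificate and the private key inside $1 belong together
# (same RSA modulus); $2 is the key password.
cert_matches_key() {
  c="$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)"
  k="$(openssl rsa -in "$1" -passin "pass:$2" -noout -modulus 2>/dev/null)"
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Stand-alone run: report each check the way a pre-flight script would.
if chains_to_ca "$WORK/server.pem" "$WORK/cacert.pem"; then
  echo "server.pem chains to cacert.pem: OK"
fi
if ! chains_to_ca "$WORK/server.pem" "$WORK/other-cacert.pem"; then
  echo "server.pem vs other-cacert.pem: rejected (this is the 'unknown ca' case)"
fi
if key_password_ok "$WORK/server.pem" "$KEYPASS"; then
  echo "key password '$KEYPASS' unlocks server.pem: OK"
fi
if cert_matches_key "$WORK/server.pem" "$KEYPASS"; then
  echo "certificate and key in server.pem match: OK"
fi
```

chains_to_ca is the check for the comment above: the file configured as sslRootCAPath on one end must be the CA that signed the serverCert on the other end, and the run against other-cacert.pem shows what a mismatched CA looks like before any forwarder is reconfigured. key_password_ok settles the password question without guessing in inputs.conf, and cert_matches_key catches a server.pem assembled from a certificate and a key that do not belong together, which surfaces in Splunk as an SSL error that is easy to misread as a CA problem.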
Asked: 10 Feb '10, 19:59

Seen: 5,028 times

Last updated: 01 Apr '10, 15:11

Copyright © 2005-2012 Splunk Inc. All rights reserved.