
Why does UF still require clientCert when requireClientCert is already disabled in indexer?

splunker686
Explorer

Hello Splunkers, I would like to understand why a cert is needed for the UF when the indexer already has requireClientCert disabled. Thanks in advance.

On indexer, we have the following inputs.conf stanza configured:

[splunktcp-ssl:9997]
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/myServerCert.pem
sslPassword = mySecret
requireClientCert = false

 

On the UF, we have the following outputs.conf stanza configured:

[indexer_discovery:cm1]
master_uri = https://cm1:8089
pass4SymmKey = mySecretSymmKey

[tcpout]
defaultGroup = ssl-test

[tcpout:ssl-test]
indexerDiscovery = master-es
useACK = true
useClientSSLCompression = false

The UF failed to connect to the indexer with the following errors seen in the UF's splunkd.log:

02-11-2023 02:57:57.421 +0000 ERROR TcpOutputProc [1715593 TcpOutEloop] - target=x.x.x.x:9997 ssl=1 mismatch with ssl config in outputs.conf for server, skipping..

The issue is resolved once we have set the clientCert in forwarder's outputs.conf stanza:

[tcpout:ssl-test]
indexerDiscovery = master-es
useACK = true
useClientSSLCompression = false
clientCert = $SPLUNK_HOME/etc/auth/mycerts/MyClientCert.pem

 

From our test so far, this requirement seems to be specific to splunktcp-ssl.  Inter-splunk communications between UF and deployment server or cluster manager (for indexer discovery) do not seem to require the client cert.

 

 

 

0 Karma

splunker686
Explorer

Looks like setting "useSSL = true" in outputs.conf did the trick:

## outputs.conf.spec
useSSL = <true|false|legacy>
* Whether or not the forwarder uses SSL to connect to the receiver, or relies on the 'clientCert' setting to be active for SSL connections.
* You do not need to set 'clientCert' if 'requireClientCert' is set to "false" on the receiver.
* A value of "true" means the forwarder uses SSL to connect to the receiver.
* A value of "false" means the forwarder does not use SSL to connect to the receiver.
* The special value "legacy" means the forwarder uses the 'clientCert' property to determine whether or not to use SSL to connect.
* Default: legacy

 

0 Karma
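The useSSL rule quoted from outputs.conf.spec, as an added example (not part of the original posts and not Splunk's code): a Python check that decides whether a [tcpout:<group>] stanza will use SSL and compares that with the receiver's splunktcp / splunktcp-ssl input. The function names, the fallback to the global [tcpout] stanza, and the sample file contents are assumptions made for illustration.

```python
import configparser

def load_conf(text):
    """Parse Splunk .conf text, keeping key case and literal $SPLUNK_HOME."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def forwarder_uses_ssl(outputs, group):
    """Apply the useSSL rule from outputs.conf.spec to [tcpout:<group>]."""
    stanza = outputs["tcpout:" + group]
    # Assumption: settings missing from the group fall back to [tcpout].
    glob = outputs["tcpout"] if outputs.has_section("tcpout") else {}
    def setting(key, default):
        return stanza.get(key, glob.get(key, default)).strip()
    mode = setting("useSSL", "legacy").lower()
    if mode == "legacy":  # spec default: SSL only when clientCert is set
        return bool(setting("clientCert", ""))
    if mode in ("true", "false"):
        return mode == "true"
    raise ValueError("unexpected useSSL value: " + mode)

def receiver_ssl_by_port(inputs):
    """Map port -> True for [splunktcp-ssl:<port>], False for [splunktcp:<port>]."""
    ports = {}
    for name in inputs.sections():
        kind, _, port = name.partition(":")
        if kind in ("splunktcp-ssl", "splunktcp") and port.isdigit():
            ports[int(port)] = kind == "splunktcp-ssl"
    return ports

def ssl_mismatch(outputs_text, inputs_text, group, port):
    """True when forwarder and receiver disagree about SSL on this port."""
    fwd = forwarder_uses_ssl(load_conf(outputs_text), group)
    return fwd != receiver_ssl_by_port(load_conf(inputs_text))[port]

# Constructed samples based on the stanzas in the thread (secrets omitted).
INPUTS = """[splunktcp-ssl:9997]
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/myServerCert.pem
requireClientCert = false
"""
OUTPUTS = """[tcpout]
defaultGroup = ssl-test
[tcpout:ssl-test]
useACK = true
"""

if __name__ == "__main__":
    for extra in ("", "useSSL = true\n", "clientCert = /constructed/client.pem\n"):
        print(repr(extra), "mismatch:", ssl_mismatch(OUTPUTS + extra, INPUTS, "ssl-test", 9997))
```

With neither useSSL nor clientCert set, the forwarder stays in legacy mode without SSL and the check reports a mismatch against the SSL-only input on 9997; either setting clears it.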