Security

SSL Certs and verification

edwardrose
Contributor

Hello All

I have the following configuration that I would like to see work if possible. A server in the DMZ setup as an intermediary to capture logs from devices in AWS being transported over the internet. Could one possibly have the following setup:

AWS universal forwarder 3rd party cert
server.conf:

[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/3rdpartycert/cacert.pem

outputs.conf

[tcpout]

[tcpout:dmz_fwd]
server = dmz-fwder.example.org:9997
disable = 0
clientCert = $SPLUNK_HOME/etc/auth/3rdpartycert/client.pem
useClientSSLCompression = true
sslPassword = <blah>
sslCommonNameToCheck = dmz-fwder.example.org
sslVerifyServerCert = true 

DMZ Host 3rd party Cert and Splunk Cert
inputs.conf:

[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/3rdpartycert/server.pem
sslPassword = password
requireClientCert = True

server.conf

[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/3rdpartycert/cacert.pem

Then the DMZ host would use the default certs and default SSL configuration to send the data into a secure network on our intranet. I am not sure it will work as due to the fact the server.conf on the DMZ host will have a conflict between the 3rd party cert and the Splunk out of the box cert.

server.conf required for default certs

[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/cacert.pem

Thoughts?

Thanks in advance

0 Karma

vishaltaneja070
Motivator

@edwardrose,

I dont think it will be problem. If you are sending data outside Splunk then the configuration will be there in outputs.conf and we are not specifying any ssl use there.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...