Re: Can we configure HF to receive encrypted traff...

ashishamalviya1 · ‎05-22-2017

HF config eg:-

inputs.conf

[splunktcp-ssl://9997]
disabled = 0

[SSL]
password = abc
requireClientCert = true
rootCA = /opt/splunk/splunk/etc/system/certs/xyz.pem
serverCert = /opt/splunk/splunk/etc/system/certs/abc.pem
sslVersions = tls

[splunktcp-ssl://9996]
disabled = 0

[SSL]
password = abc
requireClientCert = true
rootCA = /opt/splunk/splunk/etc/system/certs/xyz.cer
serverCert = /opt/splunk/splunk/etc/system/certs/def.pem
sslVersions = tls

using two different cert as one create with sha1 and other with sha256

Thanking

jkat54 · ‎05-23-2017

Yes but you put all the SSL KvPs you have under the splunktcp-ssl stanzas instead.

[splunktcp-ssl]
serverCert =
sslPassword =
requireClientCert =
sslVersions =
cipherSuite =
ecdhCurves =
dhFile =
allowSslRenegotiation = true|false
sslQuietShutdown = [true|false]
sslCommonNameToCheck = , , ...
sslAltNameToCheck = , , ...

ashishamalviya1 · ‎05-23-2017

above inputs.conf is working config if run with only single stanza, (i.e. either port 9996 or 9997), but this wont work when we combine config as shown above,
please try to provide config eg,

jkat54 · ‎07-15-2017

You can't have two [SSL] stanzas in the same inputs.conf. They are conflicting with one another.

You need to configure each cert under their respective [splunktcp-ssl://PORT] stanzas

Can we configure HF to receive encrypted traffic using SSL with port 9996 and port 9997 at a same time, using different cert for each,

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases