Admin Manual

Use SSL encryption between forwarders and receivers

You can specify that communications between your forwarders and receivers use SSL authentication and encryption, or just encryption.

To set this up, you will edit a copy of inputs.conf on each receiver, and a copy of outputs.conf on each forwarder. If you're setting this up for a large number of Splunk forwarders and receivers, you can make a copy of the appropriate configuration file, edit it to reflect your desired configurations, and then copy it into the $SPLUNK_HOME/etc/system/local directory on each system to be configured this way.

To set up SSL on the forwarder, you set attribute/value pairs in the forwarder's outputs.conf. If you want to use SSL for authentication, add a stanza for each receiver that must be certified.

Set up SSL on the forwarder

To set up SSL on the forwarder, edit $SPLUNK_HOME/etc/system/local/outputs.conf. If you deployed the forwarder as an app, edit $SPLUNK_HOME/etc/apps/<app>/outputs.conf where <app> is the app containing your forwarder configuration.

If you want to use SSL for authentication, add a stanza for each receiver that you want to be certified.

[tcpout-server://$IP_OR_HOST:$PORT]
sslCertPath=<full path to local forwarder's certificate>
sslPassword=<private key password for local forwarder's certificate>
sslRootCAPath=<path to the public key certificate of the authority who signed the indexer's certificate>
sslVerifyServerCert=<true|false>
sslCommonNameToCheck=<indexer's common name, set only if sslVerifyServerCert is set to true>
altCommonNameToCheck=<indexer's alternate name, set only if sslVerifyServerCert is set to true>

The sslCertPath key/value pair specifies the full path to the certificate file of the local (forwarding) machine. This file must include the private key of the certificate.

If set to true, sslVerifyServerCert makes sure that the indexer you are connecting to is a valid (authenticated) one. Both the common name and the alternate name of the server are then checked for a match. Defaults to false.

sslCommonNameToCheck checks the common name of the server's certificate against this name. If there is no match, assume that we aren't authenticated against this server. You must specify this key/value pair if 'sslVerifyServerCert' is true.

altCommonNameToCheck checks the alternate name of the server's certificate against this name. If there is no match, assume that we aren't authenticated against this server. You must specify this key/value pair if 'sslVerifyServerCert' is true.

Set up encryption only

To send with encryption only, configure your SSL stanza in $SPLUNK_HOME/etc/system/local/outputs.conf (or $SPLUNK_HOME/etc/apps/<app>/outputs.conf if you deployed your forwarder as an app) as follows:

[tcpout-server://$IP:$PORT]
sslCertPath=/home/myhome/certs/myforwarderprivate.pem
sslPassword=password
sslRootCAPath=/home/myhome/certs/capublic.pem
sslVerifyServerCert=<true|false>

Note: You can set up the stanza either for a specific [tcpout-server://$IP:$PORT] or for a server group or a default group.

Set up encryption and authentication

To set up SSL for authentication as well as encryption, configure your SSL stanza in $SPLUNK_HOME/etc/system/local/outputs.conf (or $SPLUNK_HOME/etc/apps/<app>/outputs.conf if you deployed your forwarder as an app) as follows:

[tcpout-server://$IP:$PORT]
sslCertPath=<full path to local forwarder's certificate>
sslRootCAPath=<path to the public key certificate of the authority who signed the indexer's certificate>
sslVerifyServerCert=<true|false>
sslCommonNameToCheck=<server's common name, set only if sslVerifyServerCert is set to true>
altCommonNameToCheck=<server's alternate name, set only if sslVerifyServerCert is set to true>

Note: You will have to write a stanza for each unique outbound connection that authenticates via SSL.

Set up SSL on the receiver

To use SSL for receiving, you must do two things in inputs.conf: configure the [SSL] stanza, and add a listener stanza for the SSL port ([splunktcp-ssl:<port>] or [tcp-ssl:<port>], described below).

[SSL]
serverCert=<full path to the indexer's certificate>
password=<indexer's certificate's private key password, if any>
rootCA=<optional path to the public key certificate of the authority who signed forwarder certificates>
requireClientCert=<true|false> - set to true if you are setting up authentication

The serverCert key/value pair is used to specify the path to the indexer's certificate file. The certificate must include the private key.

password is required only if the certificate's private key is password-protected. Optional otherwise.

The optional rootCA key/value pair specifies the path to the certificate authority's public key certificate. The private key is not needed in this certificate. This should be the CA that signed the certificates of all incoming (forwarder) clients.

If you want the system to require a valid certificate from the client in order to complete the connection, set requireClientCert to 'true'; otherwise set it to 'false'. If 'true', then rootCA is required.

If you wish, you can use different certificates on different ports, thus allowing different sets of clients to connect to different ports.

[splunktcp-ssl:9996]

The above stanza will start a listener for another Splunk server's encrypted cooked data on port 9996.

[tcp-ssl:9995]

The above stanza will start a listener for raw encrypted data on port 9995.

Example SSL configuration between forwarder and receiver

The following is an example configuration to set up SSL encryption (but not authentication):

On the indexer, in inputs.conf:

[SSL]
serverCert=$SPLUNK_HOME/etc/auth/server.pem
password=password
requireClientCert=false

[splunktcp-ssl:9996]
compressed = true

On the forwarder, in outputs.conf:

[tcpout]
defaultGroup = default-clone-group-fwtgsplunklc4.fake.com_9996

[tcpout:default-clone-group-fwtgsplunklc4.fake.com_9996]
server = 10.1.5.148:9996
compressed = true

[tcpout-server://10.1.5.148:9996]
sslCertPath=$SPLUNK_HOME/etc/auth/server.pem
sslPassword=password
sslRootCAPath=$SPLUNK_HOME/etc/auth/cacert.pem
sslVerifyServerCert=false

On Windows, the stanza is the same but uses backslashes in the paths:

[tcpout-server://10.1.5.148:9996]
sslCertPath=$SPLUNK_HOME\etc\auth\server.pem
sslPassword=password
sslRootCAPath=$SPLUNK_HOME\etc\auth\cacert.pem
sslVerifyServerCert=false
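As an added consistency check (not part of Splunk or this manual), the following Python script parses outputs.conf and inputs.conf stanzas of the kind shown above and reports the rules this page states: sslVerifyServerCert=true needs both name checks, requireClientCert=true needs rootCA, and a receiver needs an SSL listener stanza. The sample stanzas are constructed, modeled on the example above; the stanza names and keys are the page's own.

```python
import configparser

def _load(text):
    cp = configparser.ConfigParser(interpolation=None)  # Splunk .conf is INI-like; no % interpolation
    cp.optionxform = str  # keep key case (sslCertPath, not sslcertpath)
    cp.read_string(text)
    return cp

def _is_true(value):
    return (value or "").strip().lower() in ("true", "1", "yes")

def check_outputs(text):
    """Findings for forwarder outputs.conf SSL stanzas, per the rules on this page."""
    cp, out = _load(text), []
    for name in cp.sections():
        if not name.startswith("tcpout-server://"):
            continue
        s = cp[name]
        if "sslCertPath" not in s:
            out.append(f"{name}: sslCertPath missing")
        if _is_true(s.get("sslVerifyServerCert")):
            for key in ("sslCommonNameToCheck", "altCommonNameToCheck"):
                if key not in s:
                    out.append(f"{name}: {key} required when sslVerifyServerCert=true")
        else:  # default is false: the forwarder never authenticates the indexer
            out.append(f"{name}: encryption only, indexer not authenticated")
    return out

def check_inputs(text):
    """Findings for receiver inputs.conf, per the rules on this page."""
    cp, out = _load(text), []
    ssl = cp["SSL"] if cp.has_section("SSL") else {}
    if "serverCert" not in ssl:
        out.append("[SSL]: serverCert missing")
    if _is_true(ssl.get("requireClientCert")) and "rootCA" not in ssl:
        out.append("[SSL]: rootCA required when requireClientCert=true")
    if not any(n.startswith(("splunktcp-ssl:", "tcp-ssl:")) for n in cp.sections()):
        out.append("no [splunktcp-ssl:<port>] or [tcp-ssl:<port>] listener stanza")
    return out

# Constructed samples: an encryption-only forwarder stanza, and a receiver that demands client certs but names no CA
OUTPUTS_ENC_ONLY = """[tcpout-server://10.1.5.148:9996]
sslCertPath=$SPLUNK_HOME/etc/auth/server.pem
sslVerifyServerCert=false
"""
INPUTS_NO_ROOTCA = """[SSL]
serverCert=$SPLUNK_HOME/etc/auth/server.pem
requireClientCert=true
[splunktcp-ssl:9996]
"""
```

Run check_outputs and check_inputs over each file before deployment; an empty list means the stanza satisfies every rule the page states.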

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11.