Configure Splunk forwarding to use your own certificates

You can send data from forwarders to indexers using your own certificates. You can either self-sign these certificates or use a third party to sign them. Using your own certificates to secure Splunk communications involves the following procedures:

• Configuring indexers to use a new signed certificate.
• Configuring forwarders to use a new signed certificate.

Prerequisites

Before you can secure communications between Splunk indexers and forwarders, you must procure and prepare the certificates. You must satisfy the following conditions:

• The certificates that you procure are Privacy-Enhanced Mail (.pem) files, and that the format of those files conforms with the x.509 public key certificate standard.
• The certificate key must be in RSA security format.

You can also create multiple certificates that are signed by the same Certificate Authority (CA) with different common names, and distribute those to your indexers for added security. When you give the forwarder the CA public key, the forwarder trusts the CA, verifies the certificate of the CA, and matches one of the SSL common names or alternative names, as configured by either the sslCommonNameToCheck or sslAltNameToCheck settings in the forwarder configuration file.

If you need help on creating and preparing your own certificates, see the following topics for more information:

• About securing data from forwarders
• About securing inter-Splunk communication

Configure indexers to use a signed certificates

1. Copy your server certificate and CA public certificate into an accessible folder on the indexer you want to configure. For example, you can use a destination folder of $SPLUNK_HOME/etc/auth/mycerts/
   

   If you configure the inputs.conf or outputs.conf configuration files in an app directory, the indexer does not encrypt the password, and the clear-text value remains in the file. You might want to create different certificates and sign them with the same root CA for use when you configure SSL in app directories.

2. Configure the inputs.conf file on the indexer to use the new server certificate. Add the following stanzas to $SPLUNK_HOME/etc/system/local/inputs.conf (or the appropriate directory of any app you are using to distribute your forwarding configuration), stanzas:

   [splunktcp-ssl:9997]
   disabled=0
   
   [SSL]
   serverCert = <Absolute path to the certificate. The default certificate can be found at 
   $SPLUNK_HOME/etc/auth/>
   
   sslPassword (Optional) = <password associated with the server certificate, if it exists>
   
   requireClientCert = "true" if you want your indexer to require authentication from
   the client (which in this case is the forwarder), "false" otherwise
   
   sslVersions (Optional) = <string of accepted password SSL versions. Default: the recommended 
   setting of "*,-ssl2", which is anything newer than SSLv2.>
   
   cipherSuite (Optional) = <cipher suite string. If not set, the indexer uses the default cipher string>
   
   sslCommonNameToCheck (Optional) = <commonName1>, <commonName2>, ... 
   If provided, the indexer checks the common name of the client certificate against 
   this list of names. If there is no match the Splunk instance is not authenticated. 
   You must set the 'requireClientCert' setting to "true" to use this setting.
   
   sslAltNameToCheck (Optional) = <alternateName1>, <alternateName2>, ... If provided, 
   the indexer checks the alternate name of the client certificate against this list of 
   names. If there is no match the Splunk instance is not authenticated. requireClientCert 
   setting must be set to "true" to use this setting.
   

   
   

   When you edit the configuration file in $SPLUNK_HOME/etc/system/local/inputs.conf, the indexer encrypts the password and overwrites the clear-text server certificate password that you provided when you restarted Splunk Enterprise.

3. On indexers that do not run on Windows, configure server.conf and add the following:
   

   sslRootCAPath = <Absolute path to the CA certificate. The default value is 
   $SPLUNK_HOME/etc/auth/cacert.pem>
   

4. Restart the splunkd process:

   # $SPLUNK_HOME/bin/splunk restart splunkd
   

Configure forwarders to use a signed certificate

1. Generate a new certificate. For instructions on how to create a certificate, see How to self-sign certificates.
2. Copy the new certificate and the CA public certificate myCACertificate.pem into an accessible folder on the forwarders you want to configure. For example, you can use a destination folder of $SPLUNK_HOME/etc/auth/mycerts/.
   

   If you configure inputs.conf or outputs.conf in an app directory, the forwarder does not encrypt the passwords and the clear-text value remains in the file. You might want to create different certificates (signed by the same root CA) to use when configuring SSL in app directories.

3. Define the [tcpout] stanza in $SPLUNK_HOME/etc/system/local/outputs.conf (or in the appropriate directory of any app you use to distribute your forwarding configuration):

   [tcpout:group1]
   
   server=10.1.1.197:9997
   
   disabled = 0
   
   clientCert = <The full path to the client SSL certificate, in PEM format. If this value is provided, the connection will use SSL.>
   
   useClientSSLCompression = true (Disabling TLS compression can cause bandwidth issues.)
   
   sslPassword (Optional) = <password for the client certificate>
   
   sslCommonNameToCheck (Optional) = <commonName1>, <commonName2>, ... 
   
   sslVerifyServerCert (Optional) = "true" if you want to use SSL common name checking. Default: No common name checking. 
   
   sslAltNameToCheck (Optional) = <alternateName1>, <alternateName2>, ... 
   
   cipherSuite = (Optional) Splunk uses any specified cipher string for the input 
   processors. If not set, Splunk uses the default cipher string provided by OpenSSL.
   

   
   When you save the file in $SPLUNK_HOME/etc/system/local/outputs.conf, Splunk Enterprise encrypts and overwrites the clear-text server certificate password on restart.
4. On forwarders that do not run on Windows, configure server.conf and add the following:
   

   [sslConfig]
   sslRootCAPath = <absolute path to the CA cert, for example, the default value 
   is $SPLUNK_HOME/etc/auth/cacert.pem>
   

5. Restart the splunkd process.
   

   $SPLUNK_HOME/bin/splunk restart splunkd
   

Forward data over SSL to more than one indexer

If you need to forward data securely to multiple indexers, complete the following procedure:

1. On the forwarder where you want to send data to multiple indexers, edit outputs.conf on the forwarder.
2. In the target output group definition stanza for the forwarder, add a host:port entry for each indexer to which you want to send data over SSL. Separate multiple entries with commas.
3. Save the outputs.conf file and close it.
4. Restart the forwarder.

The following example outputs.conf file uses the same certificate for the indexer and the forwarders:

[tcpout]

[tcpout:group1]
server = 10.1.12.112:9997,10.1.12.111:9999
disabled = 0
clientCert = $SPLUNK_HOME/etc/auth/client.pem
useClientSSLCompression = true Defaults to the value set in the useClientSSLCompression 
attribute set in server.conf.
sslPassword = <password for the client certificate>
sslCommonNameToCheck = indexercn.example.org
sslVerifyServerCert = true

Forward data to multiple indexers using certificates with different common names

You can create and configure one server certificate for each indexer by configuring outputs.conf on the forwarder with one server-specific [SSLConfig] stanza for each indexer.

If you have created one server certificate for each indexer and you have set a unique sslCommonNameToCheck or sslAltNameToCheck in each indexer certificate to be checked by the forwarders, you must configure one [tcpout-server://host:port] configuration stanza for each indexer in outputs.conf. This is so that you can specify which name to check for each indexer.

Next steps

Check the forwarder-indexer configuration to make sure it works. See Validate your configuration.