outputs.conf on forwarder gets its own cert. E.g. something like:

```
[tcpout-server://192.168.1.100:9997]
sslRootCAPath = $SPLUNK_HOME/etc/certs/cacert.pem
sslCertPath = $SPLUNK_HOME/etc/certs/forwarder.pem
sslPassword = changeme2
```
For what reason does a forwarder need its own certificate? Is it for decrypting indexer acknowledgements? Or are there any other reasons?
Because in my understanding, the ca-cert is sufficient for SSL handshake. Right? So if I don't use acknowledgements, I can skip sslCertPath & sslPassword?
This was a very helpful answer for me to understand Splunk's SSL:
[How do I set up SSL forwarding ...][1]
Thanks for help!
[1]: https://answers.splunk.com/answers/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certificates-and-authentication.html