The ICDx Splunk forwarder is configured to use SSL (TLS) and to verify the Splunk server's certificate. When you try to start the ICDx Splunk forwarder, it does not start, and errors are found in the forwarder logs.
Errors similar to the following are listed in the forwarder logs:
2020-09-23 12:43:15,955 [Splunk] WARN com.symantec.http.support.HttpRequester -Send to Splunk 1, 100 event(s), 296830 bytes (uncompressed) attempt 1 - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2020-09-23 12:43:15,957 [Splunk] WARN com.symantec.splunk.SplunkHttpWriterModule - SSL handshake problem. The Splunk server's certificate cannot be validated against to the certificate supplied in the SSL Certificate Path. Try changing the supplied certificate, or replacing the SSL certificates in Splunk, or disabling SSL verification.
Double-check settings:
* Use SSL: true
* Use SSL Verification: false
(ignored because SSL Certificate Path is supplied)
* SSL Certificate Path: /path/to/splunk_cert.pem
* Use Hostname Verification: false
(only applies when using SSL Certificate Path)
* Host: ###.###.###.###
* Port: 8088
* Token: ****
* Index not specified
* Source Type not specified
* Use Proxy: false
In this output, "/path/to/splunk_cert.pem" is the value configured in "SSL Certificate Path".
Release : 1.4.1
Component : Splunk forwarder
The issue occurs when the certificate in the "SSL Certificate Path" file does not match the certificate that the Splunk HTTP Event Collector (HEC) listener presents on the configured port (8088 in the log above). The "PKIX path building failed ... unable to find valid certification path" message means that the forwarder, which is a Java application, could not build a chain from the certificate Splunk presented to any certificate in the supplied PEM file. Because "Use SSL Verification" is ignored when "SSL Certificate Path" is set, that PEM file is the forwarder's only trust anchor, and "Use Hostname Verification: false" only relaxes the CN/SAN check, not the chain check.
To resolve this issue, ensure that the file in "SSL Certificate Path" contains the certificate that Splunk actually serves (for the HEC listener, the serverCert setting under the [http] stanza of inputs.conf), or the CA certificate, with any intermediates, that signed it. Also ensure that nothing in the network path, such as a firewall or other network device doing TLS deep inspection, is replacing Splunk's certificate with its own before it reaches the forwarder. Connect to the Splunk host and port from the forwarder host and compare the certificate received with the one in the PEM file: if the issuer is an inspection device's CA rather than the CA that signed Splunk's certificate, the network path, not the PEM file, needs fixing.
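The following script is an added example, not part of ICDx or Splunk, that reproduces the forwarder's check from the forwarder host with the openssl CLI: it fetches the chain the Splunk port actually presents, prints the leaf fingerprint and issuer (an unexpected issuer points at TLS inspection in the network path), and then runs the same chain validation the forwarder's PKIX check performs, using the PEM from "SSL Certificate Path" as the only trust anchor. The host, port and PEM path are placeholders to be replaced with the values from the forwarder's settings.

```shell
#!/bin/sh
# Added diagnostic for the ICDx Splunk forwarder "PKIX path building failed" error.
# Not part of ICDx or Splunk; host/port/PEM path are placeholders supplied by the caller.

# Fetch the certificate chain presented on host:port into the PEM file $3.
# -servername sends SNI; </dev/null closes the session after the handshake.
fetch_server_chain() {
  host=$1; port=$2; out=$3
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$out"
  [ -s "$out" ]
}

# SHA-256 fingerprint of the first certificate in a PEM file (the leaf, for a server chain).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Issuer of the first certificate in a PEM file. A TLS-inspecting firewall or proxy
# shows up here as an issuer that is not the CA that signed Splunk's certificate.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

# The forwarder's check: can the leaf in $1 be chained to a certificate in $2, the file
# from "SSL Certificate Path", using only that file as trust anchor? The chain file is
# also passed as -untrusted so any intermediates the server sent can be used.
# Returns 0 when PKIX path building would succeed, non-zero otherwise.
verify_chain_against_pem() {
  chain=$1; trusted=$2
  openssl verify -CAfile "$trusted" -untrusted "$chain" "$chain" >/dev/null 2>&1
}

# Whole procedure: check_splunk_cert <splunk host> <port> <path to SSL Certificate Path PEM>
check_splunk_cert() {
  host=$1; port=$2; pem=$3
  tmp=$(mktemp)
  if ! fetch_server_chain "$host" "$port" "$tmp"; then
    echo "no certificate received from $host:$port (is TLS enabled on the Splunk port?)"
    rm -f "$tmp"; return 2
  fi
  echo "server leaf fingerprint : $(cert_fingerprint "$tmp")"
  echo "server leaf issuer      : $(cert_issuer "$tmp")"
  echo "PEM first cert          : $(cert_fingerprint "$pem")"
  # Fingerprint equality is not required: the PEM may hold the signing CA instead of
  # the leaf. Chain validation is the decisive check, as it is in the forwarder.
  if verify_chain_against_pem "$tmp" "$pem"; then
    echo "OK: server chain validates against $pem; the forwarder's PKIX check would pass"
    rm -f "$tmp"; return 0
  fi
  echo "MISMATCH: server chain does not validate against $pem."
  echo "Either export the certificate (or its signing CA) that Splunk actually serves into"
  echo "$pem, or, if the issuer above is an inspection device's CA, fix the network path."
  rm -f "$tmp"; return 1
}

if [ "$#" -ge 3 ]; then
  check_splunk_cert "$@"
fi
```

Run it from the forwarder host as `sh check_splunk_cert.sh <splunk host> 8088 /path/to/splunk_cert.pem`. Running it from a different network segment than the forwarder can hide the problem, because a TLS-inspecting device only rewrites the certificate on the paths it sits on.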