I am troubleshooting an SSL error.
I am receiving this error:
ERROR SSLCommon - Can't read key file C:\Program Files\SplunkUniversalForwarder\etc\auth\mycerts\server_cert.pem
I understand that it may be that the file can't read the hash. I'm trying to test my password to the server_cert.pem and I receive this error:
PS C:\Program Files\SplunkUniversalForwarder\bin> .\openssl rsa -in "C:\Program Files\SplunkUniversalForwarder\etc\auth\mycerts\server_cert.pem" -text
WARNING: can't open config file: C:\\jnkns\\workspace\\build-home/ssl/openssl.cnf
unable to load Private Key
6980:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:697:Expecting: ANY PRIVATE KEY
The openssl.cnf is located at C:\Program Files\SplunkUniversalForwarder\openssl.cnf, so I do not know how it's referring to C:\\jnkns\\workspace\\build-home/ssl/openssl.cnf.
I am not even prompted for a password.
Questions:
1. How do I change the path from C:\\jnkns\\workspace\\build-home/ssl/openssl.cnf to C:\Program Files\SplunkUniversalForwarder\openssl.cnf?
2. Is it possible to enable SSL using the password hash for the server_cert.pem?
3. Does anyone have successful steps to follow to enable SSL (outside the Splunk documentation)?
Troubleshooting SSL Error on Forwarder
appbrowser error ssl after installation
Hello everybody,
After the installation of Splunk, I can't do a search in an app.
The error message is: Error connecting: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.
Thank you for your help.
'Configure Splunk forwarding to use your own certificates' possible documentation error
Hi,
I'm trying to configure Splunk forwarders and indexers to use our own certificates and while checking the documentation (https://docs.splunk.com/Documentation/Splunk/7.2.6/Security/ConfigureSplunkforwardingtousesignedcertificates) I've seen the following:
**Configure your forwarders to use your certificates**
...
[tcpout:group1]
server=10.1.1.197:9997
disabled = 0
clientCert = The full path to the client SSL certificate in PEM format. If this value is provided, the connection will use SSL.
useClientSSLCompression = Disabling tls compression can cause bandwidth issues.
**sslPassword = The password for the CAcert**
I don't understand how the CAcert password can be needed here, as this is a private password.
Is this correct? Is the documentation okay? Could someone explain the reason for this?
Thanks.
Pushing self signed certificates to universal forwarders
Is there a Splunk recommended solution to pushing self signed SSL certificates to thousands of universal forwarders?
We tried bundling the certificates into an app and pushing it out to the universal forwarders. However, I believe that the default configurations set in /system/local/ on the universal forwarders will overwrite the configurations set within the app.
Is there a way around this or is there a better alternative solution?
Force TLS 1.1+ for index replication
Our vulnerability scanner keeps hitting on SSLv3 on the port 8080 replication ports of our index cluster. I've added the following to server.conf:
```
[sslConfig]
sslVersion = tls, -tls1.0
```
Yet we are still getting hits for SSLv3 on the cluster nodes. Below is the full output of the btool server listing:
```
[sslConfig]
allowSslCompression = true
allowSslRenegotiation = true
caCertFile = $SPLUNK_HOME/etc/auth/cacert.pem
caPath = $SPLUNK_HOME/etc/auth
certCreateScript = $SPLUNK_HOME/bin/splunk, createssl, server-cert
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
enableSplunkdSSL = true
sendStrictTransportSecurityHeader = false
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = XXXXXXXXXXX
sslVersions = tls, -tls1.0
sslVersionsForClient = tls1.2
useClientSSLCompression = true
useSplunkdClientSSLCompression = true
```
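An added example (not from the post or from Splunk) that expands Splunk's sslVersions syntax as described in server.conf.spec and audits an `[sslConfig]` stanza like the btool listing above for the settings a TLS scanner usually flags; the sample stanza is a constructed excerpt in that shape.

```python
import re

ALL_VERSIONS = ("ssl3", "tls1.0", "tls1.1", "tls1.2")
WEAK_VERSIONS = {"ssl3", "tls1.0"}

# Constructed excerpt shaped like the btool output quoted above (not the poster's full stanza).
SAMPLE_STANZA = """[sslConfig]
allowSslCompression = true
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA256
sslVersions = tls, -tls1.0
sslVersionsForClient = tls1.2
"""

def expand_ssl_versions(spec):
    """Set of protocols a Splunk sslVersions value enables. Tokens: ssl3, tls1.0,
    tls1.1, tls1.2; 'tls' = every tls1.x; '*' = all; leading '-' removes (per server.conf.spec)."""
    enabled = set()
    for token in (t.strip().lower() for t in spec.split(",") if t.strip()):
        name = token.lstrip("-")
        if name == "*":
            versions = set(ALL_VERSIONS)
        elif name == "tls":
            versions = {v for v in ALL_VERSIONS if v.startswith("tls")}
        elif name in ALL_VERSIONS:
            versions = {name}
        else:
            raise ValueError(f"unknown sslVersions token: {token!r}")
        enabled = enabled - versions if token.startswith("-") else enabled | versions
    return enabled

def parse_stanza(text):
    """Read 'key = value' lines of btool output into a dict; the [stanza] header is skipped."""
    return dict(re.findall(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$", text, re.MULTILINE))

def audit(settings):
    """Findings a TLS scanner would typically raise for this stanza."""
    findings = []
    for key in ("sslVersions", "sslVersionsForClient"):
        weak = expand_ssl_versions(settings.get(key, "")) & WEAK_VERSIONS
        if weak:
            findings.append(f"{key} still allows {sorted(weak)}")
    for key in ("allowSslCompression", "useClientSSLCompression", "allowSslRenegotiation"):
        if settings.get(key, "").lower() in ("true", "1"):
            findings.append(f"{key} is enabled")
    # Suites without an (EC)DHE key exchange provide no forward secrecy.
    static = [c for c in settings.get("cipherSuite", "").split(":")
              if c and not c.startswith(("ECDHE-", "DHE-"))]
    if static:
        findings.append(f"cipherSuite includes non-forward-secret suites: {static}")
    return findings

if __name__ == "__main__":
    cfg = parse_stanza(SAMPLE_STANZA)
    print("server accepts:", sorted(expand_ssl_versions(cfg["sslVersions"])))
    print("findings:", audit(cfg))
```

Run against the value in the listing above, `tls, -tls1.0` expands to tls1.1 and tls1.2 only, so a scanner that still reports SSLv3 on the replication port is worth checking against whichever stanza actually configures that listener rather than against `[sslConfig]`.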
Splunk forwarder not working
Hi Splunkers,
One of my Universal Forwarders was down for a month. When I noticed, I restarted the services again, but it is not coming up. I am facing the error below. Can someone please help?
Splunk> Needle. Haystack. Found.
Checking prerequisites...
Checking mgmt port [8089]: open
Assertion failed: _linkp == nullptr, file /home/build/build-src/orangeswirl/src/util/TimeoutHeap.cpp, line 46
Dying on signal #6 (si_code=0), sent by PID 0 (UID 0). Attempting to clean up pidfile
ERROR: pid 8454562 terminated with signal 6
SSL certificate generation failed.
Can someone please assist?
Universal forwarder reporting "Error in SSL_read = 110" when forwarding to separate indexers.
Hi,
Is anyone familiar with this error code? I thought it may be the SSL certificates or a connection based issue but..
1. Checked cert expiration dates
2. Checked port 9998 came up and was using SSL in Splunk logs.
3. Checked from the syslog hosts that I can connect to both sets of indexers via OpenSSL, and both return good connections: `OpenSSL> s_client -connect x.x.x.x:9998`
4. Saw connection attempts on tcpdump from the syslog ip addresses.
5. One set of indexers with the same certificates but behind a different firewall works, while another set of indexers shows these errors and is not sending logs during the times we see these errors.
06-06-2019 23:31:39.538 +0000 INFO TcpOutputProc - Connection to x.x.x.x:xxxx closed. default Error in SSL_read = 110, SSL Error = error : 00000000:lib(0):func(0):reason(0)
HTTP Event Collector SSL problem
Hi all,
I am trying to send events to HEC locally via the CLI and keep getting an SSL error. I have looked up several docs, but I have not yet found the solution. My problem is like this:
Command:
`curl -vvv -k -H "Authorization: Splunk my-hec-token" https://mysplunkhost:8088/services/collector/event -d '{ [aWholeLotOfJSONformattedData] }'`
Return is:
* Hostname was NOT found in DNS cache
* Trying xx.xx.xx.xx...
* Connected to mysplunkhost (xx.xx.xx.xx) port 8088 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs/
* SSLv3, TLS unknown, Certificate Status (22):
* SSLv3, TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection 0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Any advice on where I can fix this?
Is mgmtHostPort secure?
Hello,
As most large companies do these days, I've been placed on a naughty list for my lab instance of Splunk, running on winServer. I've tracked it down to the mgmtHostPort.
How do I secure that port to use SSL/TLS?
FYI, my web interface is secured and using port 8000, it's this darn internal mgmt port.
Per the doc, if I disable it via service.conf, Splunk is basically not usable for searching.
Splunk Self Signed Certificates
I've followed the steps to create self signed certificates for my Splunk instances as detailed here:
https://docs.splunk.com/Documentation/Splunk/7.2.6/Security/Howtoself-signcertificates
We reran the security scan and it detected this error:
The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host. Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.
Can someone elaborate on this error? Does this mean the self signed certificate is negligible and similar to not having a certificate at all (using default Splunk certificates)? Or did I not generate the certificates correctly?
Forwarder not starting
I have had a forwarder down for the past two months; when I brought it up it generated errors.
No splunkd logs have been created. I understand that ulimit is not set as per the Splunk documentation, but it should at least start.
Could someone let me know what the possible cause of the forwarder not starting is?
Checking prerequisites...
WARNING: Data segment size limit (ulimit -d) is set low (134217728 bytes) Splunk may not work.
You may want to run "ulimit -d unlimited" before starting splunk.
WARNING: Resident memory size limit (ulimit -m) is set low (33554432 bytes) Splunk may not work.
You may want to run "ulimit -m unlimited" before starting splunk.
WARNING: File size limit (ulimit -f) is set low (1073741312 bytes) Splunk may not work.
You may want to run "ulimit -f unlimited" before starting splunk.
Checking mgmt port [8089]: open
**Assertion failed: _linkp == nullptr, file /home/build/build-src/orangeswirl/src/util/TimeoutHeap.cpp, line 46**
Dying on signal #6 (si_code=0), sent by PID 0 (UID 0). Attempting to clean up pidfile
ERROR: pid 5702028 terminated with signal 6
**SSL certificate generation failed**.
Problem with DBConnect and disabled SSL on Http Event Collector
Hi all.
We have one Heavy Forwarder with DBConnect working successfully.
On the other hand, we need to configure Http Event Collector with SSL disabled, and if we do this, DBConnect stops working.
Does anybody know if it is possible to work with HEC without SSL in a way that doesn't affect DB Connect?
Thanks in advance.
How to enable ALL TCP Data Input with SSL?
I know I can configure inputs.conf for **ONE PORT** like
[splunktcp-ssl:9997]
but is there any config I could set so that SSL is the default for all TCP ports?
I mean, if I add a new port (9999) from Splunk Web, I'd like it to use SSL, and **I do not need to configure inputs.conf again.**
[splunktcp-ssl:9999]
Thanks
Forwarder SSL compression doesn't work
Hi Splunkers!
I'm trying to configure SSL compression between Forwarders & Indexers with the default cert, but the compression doesn't seem to be working.
In the Indexer's splunkd.log the flag useCompression is set to N (useCompression=N) and it doesn't write the line "INFO TcpInputProc - Port 9998 is compressed" (based on https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/Validateyourconfiguration):
07-16-2019 12:18:06.615 +0200 DEBUG TcpInputConfig - stanza="SSL", rootCAPath="C:\Program Files\Splunk\etc\auth\cacert.pem", certFile="C:\Program Files\Splunk\etc\auth\server.pem", privateKeyFile="C:\Program Files\Splunk\etc\auth\server.pem", privateKeyPassword_set=Y, commonNameToCheck="", altNameToCheck="", allowSslRenegotiation=Y, sslVersions="SSL3,TLS1.0,TLS1.1,TLS1.2", cipherSuite="ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM", ecdhCurves="prime256v1, secp384r1, secp521r1", dhFile="", useCompression=N, quietShutdown=N
07-16-2019 12:18:06.625 +0200 DEBUG TcpInputConfig - Attempting to load token cache
07-16-2019 12:18:06.625 +0200 INFO TcpInputConfig - IPv4 port 9998 is reserved for splunk 2 splunk (SSL)
07-16-2019 12:18:06.625 +0200 INFO TcpInputConfig - IPv4 port 9998 will negotiate s2s protocol level 4
07-16-2019 12:18:06.626 +0200 DEBUG TcpInputConfig - global prop rdnsMaxDutyCycle=10
Any idea on what to check?
Thanks
Can we configure two different SSL certs on same Indexer for different set of forwarders to send data
Can we set up two different SSL certs on 5 Indexers and configure 50 Forwarders to use the new certs and 100 Forwarders to use the existing SSL certs, as per the plan below?
Current:
SSL cert1 > 5 Indexers and all the Forwarders
Test:
SSL cert1 > 5 Indexers and 100 forwarders
SSL cert2 > 5 Indexers and 50 forwarders
After:
SSL cert2 > 5 Indexers and 150 forwarders
Can anyone tell me if this setup is possible for testing new certs, so the impact will be minimal rather than using a trial-and-error method on all the forwarders? Thank you.
Issue while enabling sse-c on remote store
I am enabling smart store on Splunk 7.2.6 with SSE-C. My smart store is working without SSL parameters successfully.
https://docs.splunk.com/Documentation/Splunk/7.2.5/Indexer/SmartStoresecuritystrategies
After adding the configuration below to `/opt/splunk/etc/_master-apps/_cluster/local/indexes.conf` and trying to apply the bundle from the cluster master UI, I am facing an issue: ***Bad SSL settings for KMS leading to bad ssl context for volume=remote_store***.
I am using an AWS role for S3 bucket access.
```
[volume:remote_store]
storageType = remote
path = s3://buket-name
remote.s3.access_key =
remote.s3.secret_key =
remote.s3.endpoint = https://s3.us-west-2.amazonaws.com
remote.s3.encryption = sse-c
remote.s3.encryption.sse-c.key_type = kms
remote.s3.encryption.sse-c.key_refresh_interval = 86400
remote.s3.kms.auth_region = us-west-2
remote.s3.kms.key_id = xxxxxxxxxxxxxxxxxxxxxxxx
remote.s3.kms.sslAltNameToCheck = s3.us-west-2.amazonaws.com
remote.s3.kms.sslVerifyServerCert = true
remote.s3.kms.sslVersions = tls1.2
remote.s3.kms.sslRootCAPath = /tmp/s3.us-west-2.amazonaws.com.pem
remote.s3.kms.cipherSuite = ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256
remote.s3.kms.ecdhCurves = prime256v1,secp384r1,secp521r1
```
My Splunk env is running on AWS EC2 instances.
s3.us-west-2.amazonaws.com.pem is a PEM cert with the root chain included.
Which default certificate should I use to certify my HTTP Event Collector
I am running some C# code that sends a POST request to my Splunk HTTP Event Collector at the following URL to submit a log: https://localhost:8088/services/collector/raw
I am getting the following error: Peer certificate cannot be authenticated with given CA certificates (if I make the request in Postman my logs are submitted no problem).
I am thinking that I need to load my Splunk servers default certificate onto the machine I am making the request from. If this is correct I need to know which of the default certificates ( this is just for testing purposes ) I should be loading that would be specific to my HEC. And also if the correct certificates I'm looking for are located here C:\Program Files\Splunk\etc\auth
REST API (rest_ta) SSL Error 20 Not a Directory
I am using the rest_ta app (https://splunkbase.splunk.com/app/1546/).
However, I have realized this application, by default, has SSL verify set to false.
I was creating a custom response handler for this app and kept receiving an SSL error 20 Not a Directory when my custom handler used the requests.get call and I did not set verify=False. Since I don't want to write code that leaves me open to a MITM attack, can anyone provide a solution? Or at least an explanation?
FYI: The error occurs no matter what HTTPS endpoint is called, so it's not an issue of the endpoint using a self-signed certificate. Also, there is no "Enterprise MITM" proxy, as I have confirmed the certificate chain using OpenSSL.
Verifying Secure Communication between forwarders and indexers
I recently enabled SSL connections between forwarders and indexers. When I check the metrics log for a UF with SSL enabled, I see this in the data. The connection type is showing as cookedSSL but ssl=false. Does that mean the connection is not secure? And the surprising part is, I see events in metrics.log for the same host with ssl=true entries. I am confused.
08-15-2019 16:10:56.061 +0000 INFO Metrics - group=tcpin_connections, xx.zz.yy.xx:52306:9997, connectionType=cookedSSL, sourcePort=52306, sourceHost=10.176.240.50, sourceIp=10.176.240.50, destPort=9997, kb=0.33, _tcp_Bps=10.97, _tcp_KBps=0.01, _tcp_avg_thruput=1.19, _tcp_Kprocessed=158.37, _tcp_eps=0.03, _process_time_ms=0, evt_misc_kBps=0.00, evt_raw_kBps=0.00, evt_fields_kBps=0.00, evt_fn_kBps=0.00, evt_fv_kBps=0.00, evt_fn_str_kBps=0.00, evt_fn_meta_dyn_kBps=0.00, evt_fn_meta_predef_kBps=0.00, evt_fn_meta_str_kBps=0.00, evt_fv_num_kBps=0.00, evt_fv_str_kBps=0.00, evt_fv_predef_kBps=0.00, evt_fv_offlen_kBps=0.00, evt_fv_fp_kBps=0.00, build=f817a93effc2, version=7.2.7, os=Linux, arch=x86_64, hostname=deployer, guid=6C69F32A-8F26-4F9F-831D-CA1623C5FA4A, fwdType=full, ssl=false, lastIndexer="10.176.240.39:9997,10.176.240.85:9997", ack=true
Splunk DB Connect to MySQL with SSL and cert
Does anyone have an idea how to set up a MySQL connection using SSL and certs?
I've read the answer below and imported my ca.pem into the keystore, but it is still not working.
Connect Splunk DB Connect to MariaDB with SSL and cert: https://answers.splunk.com/answers/611126/connect-splunk-db-connect-to-mariadb-with-ssl-and.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev
I've also searched the web regarding JDBC connections using SSL certs, but I am still unable to see which certs, or how, I am supposed to load into the app so I can connect to my database,
and the db_connections.conf.spec.example from the README folder included in the app doesn't have MySQL usage in it.
I have
ssl-ca=ca.pem
ssl-cert=server-cert.pem
ssl-key=server-key.pem
which of these should I import into keystore/truststore?