https://community.splunk.com/t5/Security/Issue-while-enabling-sse-c-on-remote-store/m-p/430650#M10141 <P>I am enabling smart store on Splunk 7.2.6 with SSE-C. My smart store is working without SSL parameters successfully. </P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.2.5/Indexer/SmartStoresecuritystrategies">https://docs.splunk.com/Documentation/Splunk/7.2.5/Indexer/SmartStoresecuritystrategies</A></P> <P>After adding below configuration to <CODE>/opt/splunk/etc/_master-apps/_cluster/local/indexes.conf</CODE> trying to apply the bundle to form clustermaster UI and facing an issue: <STRONG><EM>Bad SSL settings for KMS leading to bad ssl context for volume=remote_store</EM></STRONG>. <BR /> I am using AWS role for S3 buket access.</P> <PRE><CODE>[volume:remote_store] storageType = remote path = s3://buket-name remote.s3.access_key = remote.s3.secret_key = remote.s3.endpoint = <A href="https://s3.us-west-2.amazonaws.com" target="test_blank">https://s3.us-west-2.amazonaws.com</A> remote.s3.encryption = sse-c remote.s3.encryption.sse-c.key_type = kms remote.s3.encryption.sse-c.key_refresh_interval = 86400 remote.s3.kms.auth_region = us-west-2 remote.s3.kms.key_id = xxxxxxxxxxxxxxxxxxxxxxxx remote.s3.kms.sslAltNameToCheck = s3.us-west-2.amazonaws.com remote.s3.kms.sslVerifyServerCert = true remote.s3.kms.sslVersions = tls1.2 remote.s3.kms.sslRootCAPath = /tmp/s3.us-west-2.amazonaws.com.pem remote.s3.kms.cipherSuite = ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256 remote.s3.kms.ecdhCurves = prime256v1,secp384r1,secp521r1 </CODE></PRE> <P>My Splunk env is running on AWS EC2 instances.<BR /> s3.us-west-2.amazonaws.com.pem is pem cert with root chain included</P> Wed, 24 Apr 2019 14:44:23 GMT bsrikanthreddy5 2019-04-24T14:44:23Z https://community.splunk.com/t5/Security/Issue-while-enabling-sse-c-on-remote-store/m-p/430650#M10141 <P>I am enabling smart store on Splunk 7.2.6 with SSE-C. My smart store is working without SSL parameters successfully. </P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.2.5/Indexer/SmartStoresecuritystrategies">https://docs.splunk.com/Documentation/Splunk/7.2.5/Indexer/SmartStoresecuritystrategies</A></P> <P>After adding below configuration to <CODE>/opt/splunk/etc/_master-apps/_cluster/local/indexes.conf</CODE> trying to apply the bundle to form clustermaster UI and facing an issue: <STRONG><EM>Bad SSL settings for KMS leading to bad ssl context for volume=remote_store</EM></STRONG>. <BR /> I am using AWS role for S3 buket access.</P> <PRE><CODE>[volume:remote_store] storageType = remote path = s3://buket-name remote.s3.access_key = remote.s3.secret_key = remote.s3.endpoint = <A href="https://s3.us-west-2.amazonaws.com" target="test_blank">https://s3.us-west-2.amazonaws.com</A> remote.s3.encryption = sse-c remote.s3.encryption.sse-c.key_type = kms remote.s3.encryption.sse-c.key_refresh_interval = 86400 remote.s3.kms.auth_region = us-west-2 remote.s3.kms.key_id = xxxxxxxxxxxxxxxxxxxxxxxx remote.s3.kms.sslAltNameToCheck = s3.us-west-2.amazonaws.com remote.s3.kms.sslVerifyServerCert = true remote.s3.kms.sslVersions = tls1.2 remote.s3.kms.sslRootCAPath = /tmp/s3.us-west-2.amazonaws.com.pem remote.s3.kms.cipherSuite = ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256 remote.s3.kms.ecdhCurves = prime256v1,secp384r1,secp521r1 </CODE></PRE> <P>My Splunk env is running on AWS EC2 instances.<BR /> s3.us-west-2.amazonaws.com.pem is pem cert with root chain included</P> Wed, 24 Apr 2019 14:44:23 GMT https://community.splunk.com/t5/Security/Issue-while-enabling-sse-c-on-remote-store/m-p/430650#M10141 bsrikanthreddy5 2019-04-24T14:44:23Z https://community.splunk.com/t5/Security/Issue-while-enabling-sse-c-on-remote-store/m-p/430651#M10142 <P>Recommendation from Splunk PS: </P> <P>SSE-C (Customer Managed Keys)<BR /> This is the recommended option in the documentation but this will change very soon.</P> <P>Advantages<BR /> The self-managed key so there is an element of trust as the creator/generator of the key.<BR /> No KMS API operation limits to contend with.</P> <P>Disadvantages<BR /> Keys are in plain text on the indexes.conf file. This would not pass a security risk assessment.<BR /> Advanced key management requires an advanced key management solution e.g. Hardware Security Modules for storage and management.<BR /> To rotate keys, you need to move the data from SmartStore back to an EBS volume and re-upload the data with the new key. Splunk cannot be running during this operation. This is by far the biggest drawback.<BR /> SSE-C while technically valid requires more due care of the customer to ensure adequate protection of the data and is subject to human error and misconfiguration. It is only appropriate for customers with specific requirements to use customer-managed keys.</P> <P>SSE-KMS has Amazon manage your keys for you and is more flexible than SSE-C. There are limits that are described here: <A href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">https://docs.aws.amazon.com/kms/latest/developerguide/limits.html</A></P> Wed, 09 Oct 2019 19:23:44 GMT https://community.splunk.com/t5/Security/Issue-while-enabling-sse-c-on-remote-store/m-p/430651#M10142 bsrikanthreddy5 2019-10-09T19:23:44Z