topic Re: Using Self Signed SSL Certs on Index Servers in Security

Using Self Signed SSL Certs on Index Servers

brent_weaver — Fri, 26 Aug 2016 17:15:15 GMT

I am trying to setup SSL security from the fwd clients to the index servers. I am looking at the atricle http://docs.splunk.com/Documentation/Splunk/6.4.2/Security/ConfigureSplunkforwardingtousesignedcertificates but cannot figure it out.

[SSL]
rootCA = $SPLUNK_HOME/etc/auth/mycerts/myCACertificate.pem
serverCert = $SPLUNK_HOME/etc/auth/mycerts/myNewServerCertificate.pem
password = <server certificate private key password>
cipherSuite = <your chosen cipher suite (optional)>

[splunktcp-ssl:9997]
compressed = true

What file is what? What file should rootCA point to? I assume the cert authority file. It seems that the serverCert is chained in some way.

Any help is MUCH appreciated!

Re: Using Self Signed SSL Certs on Index Servers

renjith_nair — Sun, 28 Aug 2016 03:26:58 GMT

Hello There,

It is certificate authority file (Root file from Certifacate authority you used to sign the certificate). Please have a look at the SSL stanza of inputs.conf for description

[SSL]
* Set the following specifications for SSL underneath this stanza name:

serverCert = <path>
* Full path to the server certificate.

password = <string>
* Server certificate password, if any.

rootCA = <string>
* Certificate authority list (root file).

requireClientCert = [true|false]
* Determines whether a client must authenticate.
* Defaults to false.

sslVersions = <string>
* Comma-separated list of SSL versions to support
* The versions available are "ssl2", "ssl3", "tls1.0", "tls1.1", and "tls1.2"
* The special version "*" selects all supported versions.  The version "tls"
  selects all versions tls1.0 or newer
* If a version is prefixed with "-" it is removed from the list
* When configured in FIPS mode ssl2 and ssl3 are always disabled regardless of this configuration
* Defaults to "*,-ssl2".  (anything newer than SSLv2)

supportSSLV3Only = [true|false]
* DEPRECATED.  SSLv2 is now always disabled by default.  The exact set of
  SSL versions allowed is now configurable via the "sslVersions" setting above

cipherSuite = <cipher suite string>
* If set, uses the specified cipher string for the input processors.
* If not set, the default cipher string is used.
* Provided by OpenSSL. This is used to ensure that the server does not
  accept connections using weak encryption protocols.

Re: Using Self Signed SSL Certs on Index Servers

svenwendler — Mon, 29 Aug 2016 04:46:58 GMT

Here is a script that will create all the certs you need:

echo "Create CA Private Key"
openssl genrsa -des3 -out myCAPrivateKey.key 2048
echo
echo "Create CA  myCACertificate.csr"
openssl req -new -key myCAPrivateKey.key -out myCACertificate.csr
echo
echo "Create myCACertificate.pem"
openssl x509 -req -in myCACertificate.csr -sha256 -signkey myCAPrivateKey.key -CAcreateserial -out myCACertificate.pem -days 1095
echo
echo "Create myServerPrivateKey.key"
openssl genrsa -des3 -out myServerPrivateKey.key 2048
echo
echo "Gen myServerCertificate.csr"
openssl req -new -key myServerPrivateKey.key -out myServerCertificate.csr
echo
echo "Gen myServerCertificate.pem"
openssl x509 -req -in myServerCertificate.csr -sha256 -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out myServerCertificate.pem -days 1095
echo
echo "Gen myClientPrivateKey.key"
openssl genrsa -des3 -out myClientPrivateKey.key 2048
echo
echo "Gen myClientCertificate.csr" 
openssl req -new -key myClientPrivateKey.key -out myClientCertificate.csr
echo
echo "Gen myClientCertificate.pem"
openssl x509 -req -in myClientCertificate.csr -sha256 -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out myClientCertificate.pem -days 1095
echo
echo "Concatinating private key to end of client cert"
cat myClientPrivateKey.key >> myClientCertificate.pem
echo
echo "Concatinating private key to end of server cert"
cat myServerPrivateKey.key >> myServerCertificate.pem

Your root CA will be "myCACertificate.pem"

Re: Using Self Signed SSL Certs on Index Servers

brent_weaver — Mon, 29 Aug 2016 12:11:35 GMT

Guys thank you VERY much for your response, I have certificates issues from a certificate authority and am not creating them on the splunk servers.

Re: Using Self Signed SSL Certs on Index Servers

brent_weaver — Mon, 29 Aug 2016 12:23:59 GMT

Hey thank you for the response. So if the rootCA is the certificate auth file, what is the serverCert file? Is that the chained file? I have this running on an existing splunk cluster and the serverCert file seems to be a chain of 5 ssl keys?!?!?

As much as I love splunk, this documentation is not very detailed! Any help is much appreciated, and remember I got official certs from a cert authority, i am not looking to create self signed certs

Re: Using Self Signed SSL Certs on Index Servers

brent_weaver — Mon, 29 Aug 2016 12:24:44 GMT

The what is serverCert file?

Re: Using Self Signed SSL Certs on Index Servers

renjith_nair — Mon, 29 Aug 2016 12:48:52 GMT

Server cert is the cert you have written for the server. The server cert pem file will have both cert and your private key and the rootCA is the trusted certificate which will have the root ca or sub ca cert chain.

    For eg: If you have p12 file from your provider,

    openssl pkcs12 -in <your cert>.p12 -cacerts -out rootCA.pem

    openssl pkcs12 -in <your cert>.p12 -clcerts -out serverCert.pem

Re: Using Self Signed SSL Certs on Index Servers

brent_weaver — Tue, 29 Sep 2020 10:51:21 GMT

Now I am seeing this on the FWD servers from splunkd.log

08-30-2016 18:03:19.804 +0000 ERROR SSLCommon - Can't read key file /opt/splunk/etc/auth/fwd/star_gehccloud_com_public.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line.

Re: Using Self Signed SSL Certs on Index Servers

renjith_nair — Wed, 31 Aug 2016 02:00:49 GMT

Splunk is not able to read your file due to issues in PEM format. Check if it has valid header line and also check if there are any special characters like ^M

Re: Using Self Signed SSL Certs on Index Servers

brent_weaver — Wed, 31 Aug 2016 12:02:41 GMT

There does seems to be a header:

-----BEGIN CERTIFICATE-----

And there is no ^M (CR) in the file.... This cannot be that difficult!