topic Re: https authentication in Security

https authentication

sarit_s — Mon, 27 May 2019 07:50:25 GMT

Hello
im trying to enable https on my server.
im getting the "splunk https site not secure" msg.
also the ssl is enabled under server settings

this is my web.conf file:

[settings]
enableSplunkWebSSL = true

privKeyPath = /opt/splunk/etc/auth/wildkey.key

serverCert = /opt/splunk/etc/auth/wildkey.pem

httpport = 8000

when removing the remarks from the rows splunk does not starts
what im doint wrong ?

Re: https authentication

koshyk — Mon, 27 May 2019 08:19:32 GMT

Please try web.conf with following settings. Also ensure the certs are "generated by Valid authority" for browser to identify. The self-signed certs may show errors depending on the browser
I'm guessing your wildkey.key format may be incorrect or is encrypted?

web.conf

[settings]
enableSplunkWebSSL = true
# absolute paths may be used here. and pem format for priv keys
privKeyPath = $SPLUNK_HOME/etc/auth/myprivatekey.pem
serverCert = $SPLUNK_HOME/etc/auth/mycacert.pem
sslPassword = <password_if_key_is_encrypted>

Your server.conf also needs sslConfig setup

Re: https authentication

sarit_s — Mon, 27 May 2019 08:27:37 GMT

thanks
this is the config i have is server.conf

[sslConfig]
sslPassword =

what pass is it , do you know ? should i change it ?

also, can you please guide me how to create the certificate so it will be acceptable by the browser ? it is not me who creates the certs and i want to guide the relevant guy

Re: https authentication

DavidHourani — Mon, 27 May 2019 09:01:32 GMT

Hi @sarit_s,

Hope you're well, to enable https without your own certs use this :

[settings] 
enableSplunkWebSSL = true

If you want to add your own certs please follow this guide step by step to be sure you're not missing anything :
https://docs.splunk.com/Documentation/Splunk/7.2.6/Security/SecureSplunkWebusingasignedcertificate

And here is the documentation for creating your own certs for Splunk :
https://docs.splunk.com/Documentation/Splunk/7.2.6/Security/AboutcreatingcertificatesforSplunk

Please let me know if you're stuck anywhere.

Cheers,
David

Re: https authentication

sarit_s — Mon, 27 May 2019 09:06:07 GMT

Hi David,
thanks
this is exactly what i did but when trying to start splunk the service is up and web not starts

Re: https authentication

DavidHourani — Mon, 27 May 2019 09:07:51 GMT

you added this and it's not working ?

[settings]
enableSplunkWebSSL = true

Re: https authentication

DavidHourani — Mon, 27 May 2019 09:09:00 GMT

Please check what errors you're getting in /opt/splunk/var/log/splunk/splunkd.log and post it here, we should be able to solve the problem with that

Re: https authentication

sarit_s — Wed, 30 Sep 2020 00:43:03 GMT

this is what i see:

HttpListener - Socket error from 10.11.44.171:65337 while idling: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown

SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read finished A', alert_description='certificate unknown'.

SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client key exchange A', alert_description='certificate unknown'.

X509Verify - X509 certificate (O=SplunkUser,CN=usnv02splunk01) should not be used, as it is issued by Splunk's own default Certificate Authority (CA). This puts your Splunk instance at very high-risk of the MITM attack. Either commercial-CA-signed or self-CA-signed certificates must be used; see:

Re: https authentication

DavidHourani — Wed, 30 Sep 2020 00:40:36 GMT

Check if anything is pointing to Splunk's default certs and make sure that your certs are the ones that Splunk is pointing to :
$SPLUNK_HOME/bin/splunk cmd btool inputs list --debug
$SPLUNK_HOME/bin/splunk cmd btool outputs list --debug
$SPLUNK_HOME/bin/splunk cmd btool server list --debug

Re: https authentication

sarit_s — Mon, 27 May 2019 10:13:46 GMT

i see this:
/opt/splunk/etc/system/default/server.conf serverCert = $SPLUNK_HOME/etc/auth/server.pem

/opt/splunk/etc/system/default/server.conf caCertFile = $SPLUNK_HOME/etc/auth/cacert.pem

/opt/splunk/etc/system/default/server.conf caCertFile = $SPLUNK_HOME/etc/auth/appsLicenseCA.pem

Re: https authentication

DavidHourani — Mon, 27 May 2019 11:43:17 GMT

these are the defaults right ? Did you try replacing with you own files ?

Re: https authentication

sarit_s — Mon, 27 May 2019 12:05:09 GMT

no.. should i ?
the defaults is not for examples ?

Re: https authentication

DavidHourani — Mon, 27 May 2019 12:12:11 GMT

If you uncommented this then you should be using your own set of keys :

#privKeyPath = /opt/splunk/etc/auth/wildkey.key 
#serverCert = /opt/splunk/etc/auth/wildkey.pem

Re: https authentication

sarit_s — Mon, 27 May 2019 12:14:49 GMT

this is what im trying to do but when im uncommented it splunk web does not start

Re: https authentication

sarit_s — Mon, 27 May 2019 12:24:04 GMT

it is working. it was a problem with the cert file

Re: https authentication

DavidHourani — Mon, 27 May 2019 12:35:09 GMT

haha... that explains the alert_description='certificate unknown'. 😄 good job !

Re: https authentication

sarit_s — Mon, 27 May 2019 18:08:16 GMT

thanks David for all your help !

Re: https authentication

DavidHourani — Mon, 27 May 2019 18:12:09 GMT

most welcome ! Please upvote or accept if it's helpful ! ^^

Re: https authentication

koshyk — Mon, 27 May 2019 18:42:25 GMT

certificate needs to be created by authorised authority , if it has to be valid in a browser. Please have a read on: https://en.wikipedia.org/wiki/Certificate_authority . . Your organisation may already have a team to do this and liase with a Certificate Authority (CA) already