topic Re: Splunk Add On for Encore - pkcs12 issue in All Apps and Add-ons

Splunk Add On for Encore - pkcs12 issue

mjhebert — Tue, 22 Oct 2019 14:41:33 GMT

Installed and configured Cisco Estreamer Encore add on for Splunk (3.5.8) both on the Firepower FMC and on my Splunk heavy forwarder (Splunk v 7.2.7). I can get estreamer-status and estreamer-logs to come into Splunk but not estreamer-data (the most important piece). After I configure eStreamer add on I keep getting the following error : "EncoreException : unable to read password from console." If a look a little deeper I find "Unable to process pkcs12 file".

I have deleted and remade the FMC certificate 6 or 7 times. I have given it a password, and not given it a password. The result is the same. Does anyone have a similar problem or better yet a good solution for this?

Re: Splunk Add On for Encore - pkcs12 issue

douglashurd — Wed, 06 Nov 2019 17:21:47 GMT

You definitely need to give it a password.

Where on the heavy forwarder are you copying the certificate? What directory path?

Re: Splunk Add On for Encore - pkcs12 issue

mjhebert — Wed, 06 Nov 2019 23:35:09 GMT

Path to certificate : [SPLUNK HOME]/etc/apps/TA-eStreamer/bin/encore

File has been renamed to "client.pkcs12"

Currently, the cert has a password, but the error persists.

Thanks for any help you can give.

Re: Splunk Add On for Encore - pkcs12 issue

mjhebert — Wed, 30 Sep 2020 03:01:29 GMT

Digging even further I am seeing the following errors on my heavy forwarder when I attempt to start the splencore process :

139742838814376:error:060A60A3:digital envelope routines:FIPS_CIPHERINIT:diabled for fips:fips_enc.c:142:
139742838814376:error:06074078: digital envelope routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:197:
139742838814376:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algo ciperinit error:p12_decr.c:87:

Each time I attempt to start the eStreamer process it tries to process the pkcs file. Then I get the errors I listed above (this issue is detailed in splunk answers : https://answers.splunk.com/answers/667021/splunk-estreamer-encore-client-doesnt-start.html#comment-667366).

Yet the thread doesn't have a definitive answer. It suggests an issue with the server version of Python. I'll keep digging, but if anyone has an answer I'd appreciate any help.

Re: Splunk Add On for Encore - pkcs12 issue

sn00p_d0ge — Mon, 30 Dec 2019 15:07:00 GMT

Hey @mjhebert,
Were you able to get this up and running? I'm experiencing the same issue and have not come across a solution yet.

Re: Splunk Add On for Encore - pkcs12 issue

595147 — Mon, 03 Feb 2020 18:11:20 GMT

I'm running into the same issue. Were you able to resolve this?

Re: Splunk Add On for Encore - pkcs12 issue

595147 — Thu, 06 Feb 2020 21:57:48 GMT

I was able to solve it on my box. We had FIPS enabled which was causing the issue when it tried to create the key pair.

Troubleshooting Steps:
the error "EncoreException : unable to read password from console." is the error that the script throws but it's not the actual error.

The error comes from crypto.py in the estreamer folder. we ran just the select function that throws the error.

run the script in the directory with client.pkcs12 cert

import OpenSSL.crypto

with open( "client.pkcs12", 'rb' ) as pkcs12File:
            data = pkcs12File.read()

        try:
            pkcs12 = OpenSSL.crypto.load_pkcs12( data, password )

This will give you the actual error, which is how we found out FIPS was the issue.

Work Around:
We loaded the app into a test environment (that had no FMC), and copied the client file to it and performed the the set up through the GUI. Once it created the keypairs, we just copied those to our actual instance and the connection was made.

I hope this helps.