Hello!!
I'm trying to integrate Akamai with Splunk using the APP: https://splunkbase.splunk.com/app/4310 But when trying to configure, I get the error below:
"Encountered the following error while trying to save: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
Java was installed as required:
java -version
openjdk version "1.8.0_352"
OpenJDK Runtime Environment (build 1.8.0_352-b08)
OpenJDK 64-Bit Server VM (build 25.352-b08, mixed mode)
The APP was installed on my Splunk Enterprise (Heavy Forwarder); the configuration was based on this document: https://techdocs.akamai.com/siem-integration/docs/siem-splunk-connector
I imported the certificate into the Java path:
keytool -importcert -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.352.b08-2.el7_9.x86_64/jre/lib/security/cacerts -storepass changeit -file certificate.crt
Reference - https://stackoverflow.com/questions/21076179/pkix-path-building-failed-and-unable-to-find-valid-cert...
Error in Log:
"01-13-2023 11:39:54.829 -0300 INFO SpecFiles - Found external scheme definition for stanza="TA-Akamai_SIEM://" from spec file="/opt/splunk/etc/apps/TA-Akamai_SIEM/README /inputs.conf.spec" with parameters="hostname, security_configuration_id_s_, client_token, client_secret, access_token, initial_epoch_time, final_epoch_time, limit, log_level, proxy_host, proxy_port"
01-13-2023 11:39:55.241 -0300 INFO ModularInputs - Introspection setup completed for scheme "TA-Akamai_SIEM".
01-13-2023 11:42:07.678 -0300 WARN ModularInputs - Argument validation for scheme=TA-Akamai_SIEM failed: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification target path to requested
01-13-2023 11:42:29.337 -0300 WARN ModularInputs - Argument validation for scheme=TA-Akamai_SIEM failed: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification target path to requested"
I don't use proxy... Does anyone have a light? I'm losing hope of doing this integration! Thanks!
Hello!
I rolled back the SIEM Integration add-on version to 1.4.15 and it worked. You still need to add the Akamai certificate to your JRE's cacerts (I'm using 1.9) and see if your Splunk accesses the AKAMAI endpoint URL. Hope this helps!
Add-on url:
Akamai SIEM Integration | Splunkbase
Session Version History
Access the host URL using a browser (like https://akab-xxxxxx.luna.akamaiapis.nt) and download the certificate. Follow the procedure to input the certificate inside cacerts. My example:
keytool --importcert -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.352.b08-2.el8_7.x86_64/jre/lib/security/cacerts -storepass changeit -file /opt/splunk/etc/auth/mycert/root.crt -alias "rhel-root"
Regardless of the JRE version, the cacerts will always be in xxxxx/jre/lib/security/cacerts
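A quick check for the import step above, as an added example that is not part of the original post: it resolves which Java home a `java` binary really belongs to, finds that home's cacerts in either layout (`jre/lib/security` under a JDK 8 home, `lib/security` under a JRE-only home or JDK 9+), shows the real file behind a symlinked store, and tests for an alias. The function names are made up for this sketch, and it assumes the add-on runs the `java` found on the PATH of the Splunk user.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the Java home behind a java binary, following alternatives symlinks.
java_home_of() {
    real=$(readlink -f "$1") || return 1
    dirname "$(dirname "$real")"
}

# Print the cacerts path under a Java home. A JDK 8 home keeps it in
# jre/lib/security; a JRE-only home and JDK 9+ keep it in lib/security.
find_cacerts() {
    for rel in jre/lib/security/cacerts lib/security/cacerts; do
        if [ -e "$1/$rel" ]; then
            echo "$1/$rel"
            return 0
        fi
    done
    return 1
}

# Print the real file behind the store; distro packages may ship a symlink.
store_target() {
    readlink -f "$1"
}

# Succeed only if the alias exists in the keystore.
has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Usage: main ALIAS [STOREPASS]
main() {
    java_bin=$(command -v java) || { echo "no java on PATH" >&2; return 1; }
    home=$(java_home_of "$java_bin") || return 1
    store=$(find_cacerts "$home") || { echo "no cacerts under $home" >&2; return 1; }
    echo "java home: $home"
    echo "cacerts:   $store"
    echo "real file: $(store_target "$store")"
    if has_alias "$store" "${2:-changeit}" "$1"; then
        echo "alias '$1' is present in this store"
    else
        echo "alias '$1' is NOT in this store"
        return 2
    fi
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as the user Splunk runs as, passing the alias used at import time (for example `rhel-root` from the command above). If the alias is reported missing, the import went into a different JRE's store than the one this `java` reads.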
Hello!
I tested it on version 1.4.15, now it's working normally.
Thank you all for your help.
Did you create and install a valid certificate on your Splunk?
Hello.
No, I haven't tried that.
Did you test it that way?
I just ran into this issue and as an easy alternative you can also add:
disable_splunk_cert_check = true
to every input you have under the stanza. It is mentioned in their guide but for some reason they did not include it in the GUI option like they suggest it is there.
https://techdocs.akamai.com/siem-integration/docs/siem-splunk-connector
Yet another case where companies think software engineers can be SE's and tech writers.
I have the same problem. I tried the same thing as you and I didn't succeed either. I use an HF on-premises and the rest of the environment in Splunk Cloud. I have two customers waiting for integration with Akamai and both have the same problem...
Having same issue.
Splunk 9.0.3
OpenJDK 1.8.0
Akamai app 1.4.17
Tried adding the host url cert to cacerts, restarted splunk, but no change, still fails with error
Encountered the following error while trying to update: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Not sure what to try next. Might try downgrading to 1.4.15 as time allows.
Try to downgrade the add-on. Did you follow the procedure to add the akamai certificate to the JRE cacerts?
Downgraded to 1.4.15 and got it working again. Also tried downgrading to 1.4.16, but it did not work.
Yes, also added the intermediate cert and tried adding the ca cert, but the ca cert was already in the store. Rebooted the search head and tried creating a new data input, but I get the same error.