
How to resolve Akamai Siem integration error with Splunk Add-on?

RCavazana2023
Engager

Hello!!

I'm trying to integrate Akamai with Splunk using the APP: https://splunkbase.splunk.com/app/4310 But when trying to configure, I get the error below:

"Encountered the following error while trying to save: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Java was installed as required:

java -version
openjdk version "1.8.0_352"
OpenJDK Runtime Environment (build 1.8.0_352-b08)
OpenJDK 64-Bit Server VM (build 25.352-b08, mixed mode)

The APP was installed on my Splunk Enterprise (Heavy Forwarder); the configuration was based on this document: https://techdocs.akamai.com/siem-integration/docs/siem-splunk-connector

I imported the certificate into the Java path:

keytool -importcert -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.352.b08-2.el7_9.x86_64/jre/lib/security/cacerts -storepass changeit -file certificate.crt

Reference - https://stackoverflow.com/questions/21076179/pkix-path-building-failed-and-unable-to-find-valid-cert...

Error in Log:

"01-13-2023 11:39:54.829 -0300 INFO SpecFiles - Found external scheme definition for stanza="TA-Akamai_SIEM://" from spec file="/opt/splunk/etc/apps/TA-Akamai_SIEM/README /inputs.conf.spec" with parameters="hostname, security_configuration_id_s_, client_token, client_secret, access_token, initial_epoch_time, final_epoch_time, limit, log_level, proxy_host, proxy_port"
01-13-2023 11:39:55.241 -0300 INFO ModularInputs - Introspection setup completed for scheme "TA-Akamai_SIEM".
01-13-2023 11:42:07.678 -0300 WARN ModularInputs - Argument validation for scheme=TA-Akamai_SIEM failed: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification target path to requested
01-13-2023 11:42:29.337 -0300 WARN ModularInputs - Argument validation for scheme=TA-Akamai_SIEM failed: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification target path to requested"

I don't use proxy... Does anyone have a light? I'm losing hope of doing this integration! Thanks!

0 Karma
1 Solution

LeandroNTT
Explorer

Hello!

I rolled back the SIEM Integration add-on version to 1.4.15 and it worked. You still need to add the Akamai certificate to your JRE's cacerts (I'm using 1.9) and see if your Splunk accesses the AKAMAI endpoint URL. Hope this helps!

Add-on url:

Akamai SIEM Integration | Splunkbase

Session Version History

Access the host URL using a browser (like https://akab-xxxxxx.luna.akamaiapis.nt) and download the certificate. Follow the procedure to input the certificate inside cacerts. My example:

keytool -importcert -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.352.b08-2.el8_7.x86_64/jre/lib/security/cacerts -storepass changeit -file /opt/splunk/etc/auth/mycert/root.crt -alias "rhel-root"

Regardless of the JRE version, the cacerts will always be in xxxxx/jre/lib/security/cacerts


0 Karma
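
A check to run before and after the keytool import described above, added here as an example and not part of the original posts: it resolves the Java home behind a `java` binary, finds that install's cacerts in either layout (JDK 8 keeps it under `jre/lib/security`, JDK 9 and later under `lib/security`), and tests for an alias. The function names are hypothetical, and it assumes the add-on launches the `java` found on PATH; if yours is started from a different Java home, pass that directory to `find_cacerts` instead.

```shell
#!/bin/sh
# Added example: confirm which truststore a JRE uses and whether an alias is in it.

# Print the cacerts path under a Java home, covering both layouts.
find_cacerts() {
    for rel in jre/lib/security/cacerts lib/security/cacerts; do
        if [ -f "$1/$rel" ]; then
            printf '%s\n' "$1/$rel"
            return 0
        fi
    done
    return 1
}

# Resolve a java binary through its symlinks (e.g. /usr/bin/java ->
# /etc/alternatives/java -> <home>/bin/java) and print <home>.
java_home_of() {
    [ -n "$1" ] || return 1
    real=$(readlink -f "$1") || return 1
    printf '%s\n' "${real%/bin/java}"
}

# keytool exits non-zero when the alias does not exist in the store.
alias_present() {  # $1 = cacerts path, $2 = alias, $3 = store password
    keytool -list -keystore "$1" -storepass "$3" -alias "$2" >/dev/null 2>&1
}

# Usage: sh check_cacerts.sh ALIAS [STOREPASS]   (does nothing without arguments)
if [ "$#" -ge 1 ]; then
    home=$(java_home_of "$(command -v java)") || { echo "java not on PATH" >&2; exit 2; }
    store=$(find_cacerts "$home") || { echo "no cacerts under $home" >&2; exit 2; }
    echo "truststore of java on PATH: $store"
    if alias_present "$store" "$1" "${2:-changeit}"; then
        echo "alias '$1' is present"
    else
        echo "alias '$1' is missing from this store" >&2
        exit 1
    fi
fi
```

If the printed truststore is not the file given to `keytool -keystore` during the import, the certificate went into a store this JRE does not read.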

RCavazana2023
Engager
Hello!

I tested it on version 1.4.15, now it's working normally. Thank you all for your help.
0 Karma

LeandroNTT
Explorer

Did you create and install a valid certificate on your Splunk?

0 Karma

RCavazana2023
Engager

Hello.

No, I haven't tried that.


Did you test it that way?

0 Karma


cybersecnutant
Explorer

I just ran into this issue and as an easy alternative you can also add:

disable_splunk_cert_check = true

to every input you have under the stanza. It is mentioned in their guide but for some reason they did not include it in the GUI option like they suggest it is there.

https://techdocs.akamai.com/siem-integration/docs/siem-splunk-connector

Yet another case where companies think software engineers can be SE's and tech writers.

0 Karma

LeandroNTT
Explorer

I have the same problem. I tried the same thing as you and I didn't succeed either. I use an HF on-premises and the rest of the environment in Splunk Cloud. I have two customers waiting for integration with Akamai and both have the same problem...

0 Karma

mikefg
Communicator

Having same issue.

Splunk 9.0.3
OpenJDK 1.8.0
Akamai app 1.4.17

Tried adding the host url cert to cacerts, restarted splunk, but no change, still fails with error

Encountered the following error while trying to update: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Not sure what to try next. Might try downgrading to 1.4.15 as time allows.

0 Karma

LeandroNTT
Explorer

Try to downgrade the add-on. Did you follow the procedure to add the Akamai certificate to the JRE cacerts?

0 Karma

mikefg
Communicator

Downgraded to 1.4.15 and got it working again. Also tried downgrading to 1.4.16, but it did not work.

0 Karma

mikefg
Communicator

Yes, also added the intermediate cert and tried adding the ca cert, but the ca cert was already in the store. Rebooted the search head and tried creating a new data input, but I get the same error.

0 Karma