REST API errors with AMQP Messaging Modular Input add-on

arthurbreuer
Path Finder

I am using the AMQP add-on on a RabbitMQ queue. Splunk version is 6.1.

When the add-on starts the next two errors appear in the splunkd.log:

01-29-2015 18:16:51.995 +0100 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/amqp_ta/bin/amqp.py" Can't connect to Splunk REST API with the token [Splunk XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX], either the token is invalid or SplunkD has exited : No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

01-29-2015 18:17:01.997 +0100 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/amqp_ta/bin/amqp.py" It has been determined via the REST API that all inputs have been disabled

The data from the queue is added to the index in Splunk. As far as I can see all REST API functions are working fine.

Do you have any idea what the problem is?

0 Karma
1 Solution

arthurbreuer
Path Finder

Hi Damien,

Good news this time! The problem is that SSLv3 is disabled in Java by default. The same problem is mentioned in http://answers.splunk.com/answers/209379/no-appropriate-protocol-protocol-is-disabled-or-ci.html

The only thing you have to do is to enable SSLv3 (if this is possible, of course). Just add a comment ('#') in front of the last line of the file "java.security". You can find this file in the directory:

  • OpenJDK : /usr/lib/jvm-java--openjdk-.x86_64/jre/lib/security
  • Oracle SDK : /usr/java/jdk/jre/lib/security

If you agree that this is the solution, maybe you can make a note in your documentation?

And again, thank you for your help.

0 Karma

Damien_Dallimor
Ultra Champion

Update: try the version here: http://damiendallimore.github.io/ (before I release it and screw up Splunkbase again 🙂 )

I weeded out the TLS bug / SDK incompatibility issues.

0 Karma

Damien_Dallimor
Ultra Champion

The latest release has TLSv1.2 support wired in. View the release notes for the latest release for how to enable TLS.

0 Karma

pkhalsa
New Member

Hi Damien, I'm kind of new to Splunk and when you write in the release notes:

"To do so you specify "splunk.securetransport.protocol=tls" in the Additional JVM System Properties parameter when you configure the stanza."

I'm not sure to which stanza you are referring, or where to find it. Could you give some more guidance?
Thanks.

0 Karma

Damien_Dallimor
Ultra Champion

Disregard, I rolled back the newest release, found a bug.

0 Karma

pkhalsa
New Member

Wow, thanks for the quick response. I'm getting the same error as Arthur, but for some reason, I'm not able to edit java.security in a way that allows SSLv3, i.e. I keep getting the same error.

0 Karma

Damien_Dallimor
Ultra Champion

Unless you can enable SSLv3, I can't do much right now.

0 Karma

pkhalsa
New Member

I managed to enable SSLv3 by updating Java and doing the same thing I did before, but this time it worked.
I hope you don't mind a follow-on question. Since I'm still a newbie, I wanted to ask you about the following error, which I'm now receiving:
"Can't connect to Splunk REST API with the token..."
SplunkD hasn't exited, so I'm wondering why it would get an invalid token?
Thanks.

0 Karma

pkhalsa
New Member

Arthur, after reading this thread last week, I realized that I needed to comment out the option in java.security. However, when I went to that file, I realized it was already commented out. Yet I still get the error that SSLv3 is disabled by Java and I can't figure out where else it could possibly be disabled. I thought perhaps it was somehow disabled within one of the jar files of the app, but I guess Damien would have mentioned that. Do you know of any other place where Java might disable SSLv3?
Thanks for any help.

0 Karma

arthurbreuer
Path Finder

Hi Pkhalsa,

You are right. The last line has to be commented out, so it should look like this: #jdk.tls.disabledAlgorithms=SSLv3.

Is it possible that you have more than one Java installed?

0 Karma
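
An added example, not part of the thread or of the add-on's code: when more than one Java is installed, or the line "looks different", this sketch parses each `java.security` with the `java.util.Properties` rules that matter here (comment lines are never continued, a trailing backslash joins the next line) and reports whether that JVM still lists SSLv3 in `jdk.tls.disabledAlgorithms`. The install paths and file contents below are constructed samples.

```python
import re

KEY = "jdk.tls.disabledAlgorithms"

def load_properties(text):
    """Parse java.security text: '#'/'!' lines are comments and are never
    continued; an odd number of trailing backslashes joins the next line."""
    props, pending = {}, None
    for raw in text.splitlines() + [""]:      # extra "" flushes a pending line
        line = raw.lstrip()
        if pending is None and (not line or line[0] in "#!"):
            continue
        line = (pending or "") + line
        pending = None
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending = line[:-1]               # drop the backslash, keep reading
            continue
        if line:
            parts = re.split(r"\s*[=:]\s*|\s+", line, maxsplit=1)
            props[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return props

def audit(text):
    """Report the effective value of jdk.tls.disabledAlgorithms."""
    value = load_properties(text).get(KEY)
    disabled = [a.strip() for a in value.split(",") if a.strip()] if value else []
    return {"property_set": value is not None,
            "sslv3_disabled": any(a.lower() == "sslv3" for a in disabled),
            "disabled": disabled}

# Constructed java.security excerpts; the install paths are hypothetical.
SAMPLES = {
    "/opt/jvm-a/jre/lib/security/java.security":
        "jdk.tls.disabledAlgorithms=SSLv3\n",
    "/opt/jvm-b/jre/lib/security/java.security":
        "#jdk.tls.disabledAlgorithms=SSLv3\n",
    # a commented example line above the active, multi-line setting
    "/opt/jvm-c/jre/lib/security/java.security":
        "#   jdk.tls.disabledAlgorithms=MD5, SSLv3\n"
        "jdk.tls.disabledAlgorithms=SSLv3, RC4, \\\n    DH keySize < 768\n",
    # only the first line of a multi-line value was commented out
    "/opt/jvm-d/jre/lib/security/java.security":
        "#jdk.tls.disabledAlgorithms=SSLv3, RC4, \\\n    DH keySize < 768\n",
}

if __name__ == "__main__":
    for path, text in SAMPLES.items():
        r = audit(text)
        state = "disabled" if r["sslv3_disabled"] else "ALLOWED"
        print(f"{path}: SSLv3 {state}; property set: {r['property_set']}")
```

To check real installs, pass the contents of each `java.security` file found on the host to `audit()`; a JVM reported as `ALLOWED` will negotiate SSLv3 if the peer offers it.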

pkhalsa
New Member

That line looked different in my java.security file and it was already commented out. I resolved this issue in a kind of brute force manner, in that I installed the latest java and commented out the line in the latest java. Now I'm getting a different error 😛

0 Karma

Damien_Dallimor
Ultra Champion

Those are valid messages. The AMQP Modular Input process self-manages its own lifecycle, i.e. it regularly checks if SplunkD has exited, and if so, kills itself.

0 Karma

arthurbreuer
Path Finder

Hi Damien,

Thank you for your reply. The problem is that splunkd is still active. When I only restart the add-on the one item from the queue is added to Splunk and the same errors appear again.

Regards,

Arthur

0 Karma

Damien_Dallimor
Ultra Champion

Does your OS correctly resolve "localhost" to the IP that SplunkD is bound to?
Also, what version of Splunk are you on and what Java Runtime version are you using?

0 Karma

arthurbreuer
Path Finder

Hi Damien,

The server is part of a domain. Localhost is resolved correctly. Ping, traceroute, wget, everything works.

When I link localhost to a non existing IP, the following error appears:
02-02-2015 15:21:15.716 +0100 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/amqp_ta/bin/amqp.py" Probing socket connection to SplunkD failed.Either SplunkD has exited ,or if not, check that your DNS configuration is resolving your system's hostname (xxxx.xxxx) correctly : Connection refused

And later, the two errors appear again:
02-02-2015 15:21:17.313 +0100 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/amqp_ta/bin/amqp.py" Can't connect to Splunk REST API with the token [Splunk XXXXXXXXXXXXXXXX], either the token is invalid or SplunkD has exited : Connection refused
02-02-2015 15:21:27.314 +0100 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/amqp_ta/bin/amqp.py" It has been determined via the REST API that all inputs have been disabled

Our server is virtualized and is running Splunk version 6.1. I also tested it on Splunk version 6.2.1 on a test server. As for Java, I tried it on Java openjdk 1.7.0_75 and Java SE 1.8.0_31 (Oracle).

0 Karma

arthurbreuer
Path Finder

Any ideas Damien?

0 Karma

Damien_Dallimor
Ultra Champion

The Splunk Java SDK code that is being used to perform the Splunk callbacks that are leading to the error message you posted is attempting to use SSLv3. Can you enable this in your setup?

http://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/Serverconf (look at the sslConfig stanza)

0 Karma

arthurbreuer
Path Finder

It looks like SSLv3 is enabled. But still the errors appear.

server.conf

[sslConfig]
enableSplunkdSSL = true
useClientSSLCompression = true
useSplunkdClientSSLCompression = true

supportSSLV3Only = true
sendStrictTransportSecurityHeader = true
allowSslCompression = true
allowSslRenegotiation = true

cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

sslKeysfile = server.pem
sslKeysfilePassword = XXXXXXXXXXXXXXXXXXXXXX
caCertFile = cacert.pem
caPath = $SPLUNK_HOME/etc/auth
certCreateScript = $SPLUNK_HOME/bin/splunk, createssl, server-cert

web.conf

[default]

[settings]

startwebserver = 1
httpport = 443
enableSplunkWebSSL = true
supportSSLV3Only = true

0 Karma