Splunk Add On for Encore - pkcs12 issue

New Member

Installed and configured Cisco Estreamer Encore add on for Splunk (3.5.8) both on the Firepower FMC and on my Splunk heavy forwarder (Splunk v 7.2.7). I can get estreamer-status and estreamer-logs to come into Splunk but not estreamer-data (the most important piece). After I configure the eStreamer add on I keep getting the following error: "EncoreException : unable to read password from console." If I look a little deeper I find "Unable to process pkcs12 file".

I have deleted and remade the FMC certificate 6 or 7 times. I have given it a password, and not given it a password. The result is the same. Does anyone have a similar problem or better yet a good solution for this?

0 Karma

Explorer

I was able to solve it on my box. We had FIPS enabled which was causing the issue when it tried to create the key pair.

Troubleshooting Steps:
The error "EncoreException : unable to read password from console." is the error that the script throws, but it's not the actual error.

The error comes from crypto.py in the estreamer folder. We ran just the select function that throws the error.

Run the script in the directory with the client.pkcs12 cert:

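import OpenSSL.crypto

# Password set when the FMC certificate was created (bytes); empty if none
password = b""

with open("client.pkcs12", "rb") as pkcs12File:
    data = pkcs12File.read()

try:
    pkcs12 = OpenSSL.crypto.load_pkcs12(data, password)
except OpenSSL.crypto.Error as err:
    # Show the underlying OpenSSL error instead of the add-on's generic message
    print(err)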

This will give you the actual error, which is how we found out FIPS was the issue.

Work Around:
We loaded the app into a test environment (that had no FMC), copied the client file to it, and performed the setup through the GUI. Once it created the keypairs, we just copied those to our actual instance and the connection was made.

I hope this helps.

0 Karma

New Member

Hey @mjhebert,
Were you able to get this up and running? I'm experiencing the same issue and have not come across a solution yet.

0 Karma

New Member

Digging even further I am seeing the following errors on my heavy forwarder when I attempt to start the splencore process:

139742838814376:error:060A60A3:digital envelope routines:FIPS_CIPHERINIT:diabled for fips:fips_enc.c:142:
139742838814376:error:06074078: digital envelope routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:197:
139742838814376:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algo ciperinit error:p12_decr.c:87:

Each time I attempt to start the eStreamer process it tries to process the pkcs file. Then I get the errors I listed above (this issue is detailed in Splunk Answers: https://answers.splunk.com/answers/667021/splunk-estreamer-encore-client-doesnt-start.html#comment-6...).

Yet the thread doesn't have a definitive answer. It suggests an issue with the server version of Python. I'll keep digging, but if anyone has an answer I'd appreciate any help.

0 Karma
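A small triage helper for the error lines quoted above, added here as an example (not code from the Encore add-on or from any poster in this thread): it parses OpenSSL error-queue lines and reports whether a cipher refused by FIPS mode is the first failure in the chain. The sample lines are constructed from the ones in the thread, the function names are hypothetical, and the bit layout of the error code assumes OpenSSL 1.0.x/1.1.x.

```python
import re

# OpenSSL error-queue line (assumed 1.0.x/1.1.x format):
# <thread>:error:<8 hex digits>:<library>:<function>:<reason>:<file>:<line>:
LINE_RE = re.compile(
    r"^(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):\s*(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)

def parse_line(text):
    """Split one error-queue line into fields and unpack the packed code."""
    m = LINE_RE.match(text.strip())
    if not m:
        return None
    rec = m.groupdict()
    code = int(rec["code"], 16)
    # Assumed packing: library in bits 24-31, function in 12-23, reason in 0-11
    rec["lib_num"] = (code >> 24) & 0xFF
    rec["func_num"] = (code >> 12) & 0xFFF
    rec["reason_num"] = code & 0xFFF
    return rec

def fips_blocked(lines):
    """Return the first record showing a cipher refused by FIPS mode, else None."""
    for text in lines:
        rec = parse_line(text)
        if rec and "fips" in (rec["func"] + rec["reason"] + rec["file"]).lower():
            return rec
    return None

def kernel_fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """Linux kernel FIPS flag: True/False, or None if the file is absent."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except (IOError, OSError):
        return None

# Constructed sample, modelled on the errors quoted in this thread
SAMPLE = [
    "139742838814376:error:060A60A3:digital envelope routines:FIPS_CIPHERINIT:diabled for fips:fips_enc.c:142:",
    "139742838814376:error:06074078: digital envelope routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:197:",
    "139742838814376:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algo ciperinit error:p12_decr.c:87:",
]

if __name__ == "__main__":
    hit = fips_blocked(SAMPLE)
    print("FIPS refusal:", hit["reason"] if hit else "none found")
    print("kernel fips_enabled:", kernel_fips_enabled())
```
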

Explorer

I'm running into the same issue. Were you able to resolve this?

0 Karma

New Member

Path to certificate : [SPLUNK HOME]/etc/apps/TA-eStreamer/bin/encore

File has been renamed to "client.pkcs12"

Currently, the cert has a password, but the error persists.

Thanks for any help you can give.

0 Karma

Builder

You definitely need to give it a password.

Where on the heavy forwarder are you copying the certificate? What directory path?

0 Karma