I am attempting to configure SA-ldapsearch on our Splunk 6.3.1 cluster with a search head cluster.
I have installed SA-Ldapsearch on the deployer and pushed the bundle, no issue there. I am logging into a particular search head with the intention of configuring the domain connections (and eventually copying the config back to the deployer), but when I attempt to configure the first domain and click "Test Connection", it errors with:
    Connection test for default failed
    Search | ldaptestconnection domain="default"
    Result distinguishedName: DC=acme,DC=com
    Error SSLError at "/opt/splunk/lib/python2.7/ssl.py", line 788 : [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:595)"
Testing from our test environment to the same Domain Controller works. So I'm thinking something in our production environment is different. Debugging via
    ./splunk cmd btool server list --debug
doesn't show anything too different outside of the clustering config etc.
    egrep -i 'security|ssl|cipher|cert|key' /tmp/debug.txt
    /opt/splunk/etc/system/default/server.conf caCertFile = $SPLUNK_HOME/etc/auth/appsCA.pem
    /opt/splunk/etc/system/default/server.conf cipherSuite = TLSv1+HIGH:@STRENGTH
    /opt/splunk/etc/system/default/server.conf sslCommonNameList = apps.splunk.com
    /opt/splunk/etc/system/local/server.conf pass4SymmKey = $1$<>=
    /opt/splunk/etc/system/local/server.conf pass4SymmKey = $1<>
    /opt/splunk/etc/system/default/server.conf encrypt_fields = "server:sslConfig:sslKeysfilePassword", "server:shclustering:pass4SymmKey", "outputs:tcpout:sslPassword", "inputs:SSL:password", "alert_actions:email:auth_password", "server:shclustering:password", "server:clustering:password", "server:clustering:pass4SymmKey", "server:general:pass4SymmKey", "app:credential:password", "passwords:credential:password", "server:deployment:pass4SymmKey", "authentication: :bindDNpassword", "server:kvstore:sslKeysPassword"
    /opt/splunk/etc/system/local/server.conf pass4SymmKey = $1$<.>=
    /opt/splunk/etc/system/local/server.conf [sslConfig]
    /opt/splunk/etc/system/default/server.conf allowSslCompression = true
    /opt/splunk/etc/system/default/server.conf allowSslRenegotiation = true
    /opt/splunk/etc/system/local/server.conf caCertFile = ca/RCA-mvmica002.cer
    /opt/splunk/etc/system/default/server.conf certCreateScript = $SPLUNK_HOME/bin/splunk, createssl, server-cert
    /opt/splunk/etc/system/default/server.conf cipherSuite = TLSv1+HIGH:@STRENGTH
    /opt/splunk/etc/system/default/server.conf enableSplunkdSSL = true
    /opt/splunk/etc/system/local/server.conf requireClientCert = false # The Splunk for Windows Infrastructure App breaks if this is enabled
    /opt/splunk/etc/system/local/server.conf sendStrictTransportSecurityHeader = true
    /opt/splunk/etc/system/local/server.conf sslKeysfile = certs/lvmsplunk011.acme.com.pem
    /opt/splunk/etc/system/local/server.conf sslKeysfilePassword = $1$Yg==
    /opt/splunk/etc/system/default/server.conf sslVersions = *,-ssl2
    /opt/splunk/etc/system/local/server.conf supportSSLV3Only = true
    /opt/splunk/etc/system/default/server.conf useClientSSLCompression = true
    /opt/splunk/etc/system/default/server.conf useSplunkdClientSSLCompression = true
Any suggestions on where to troubleshoot will be appreciated.
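
An added example, not part of the original post: one way to compare the `btool server list --debug` dumps of a working and a failing host and list only the TLS-related settings whose effective value differs, together with the file that sets each one. The function names are hypothetical, the test-host dump is constructed (its real settings are not on the page), and the production dump is a subset of the lines shown above.

```python
import re

# Same keyword filter as the egrep in the post, applied to setting names.
TLS_KEY = re.compile(r"security|ssl|cipher|cert|key", re.I)
UNSET = ("<unset>", "-")

def parse_btool(text):
    """Map (stanza, key) -> (value, source file) from `btool server list --debug` output."""
    settings, stanza = {}, ""
    for line in text.splitlines():
        parts = line.split(None, 1)          # "<conf path> <stanza header or key = value>"
        if len(parts) < 2:
            continue
        path, rest = parts[0], parts[1].strip()
        if rest.startswith("[") and rest.endswith("]"):
            stanza = rest[1:-1]
        elif "=" in rest:
            key, _, value = rest.partition("=")
            settings[(stanza, key.strip())] = (value.strip(), path)
    return settings

def tls_diff(working, failing):
    """List TLS-related settings whose effective value differs between two hosts."""
    a, b = parse_btool(working), parse_btool(failing)
    rows = []
    for stanza, key in sorted(set(a) | set(b)):
        if not TLS_KEY.search(key):
            continue
        va, vb = a.get((stanza, key), UNSET), b.get((stanza, key), UNSET)
        if va[0] != vb[0]:
            rows.append((stanza, key, va, vb))
    return rows

# Constructed dump for the working test host (its real settings are not on the page).
TEST_DUMP = """\
/opt/splunk/etc/system/default/server.conf [sslConfig]
/opt/splunk/etc/system/default/server.conf cipherSuite = TLSv1+HIGH:@STRENGTH
/opt/splunk/etc/system/default/server.conf sslVersions = *,-ssl2
"""
# Subset of the production lines shown in the post.
PROD_DUMP = """\
/opt/splunk/etc/system/local/server.conf [sslConfig]
/opt/splunk/etc/system/default/server.conf cipherSuite = TLSv1+HIGH:@STRENGTH
/opt/splunk/etc/system/default/server.conf sslVersions = *,-ssl2
/opt/splunk/etc/system/local/server.conf supportSSLV3Only = true
"""

if __name__ == "__main__":
    for stanza, key, test_val, prod_val in tls_diff(TEST_DUMP, PROD_DUMP):
        print("[%s] %s: test=%s prod=%s" % (stanza, key, test_val, prod_val))
```

Encrypted values such as `pass4SymmKey` are expected to differ between hosts and can be ignored in the result.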