Any drawbacks to enabling FIPS on Splunk 7.3 or 8.0?

satyenshah
Path Finder

I'm generally wondering whether anyone has run into real blocks with Splunk 7.3.x or 8.0 caused by FIPS.

We support some Splunk instances with FIPS enabled. The only issues we've run into are with certificates and with kvstore. With certificates, FIPS becomes a problem if you don't add the passphrase to splunkd's private key using the right algorithm. That can be totally avoided by not adding a passphrase to the private key in the first place (it turns out that step is completely optional). The kvstore has fussiness with certificates in general, because kvstore bundles its own OpenSSL, and on top of it the mongo driver itself appears to contain some bug-prone SSL routines (for example, EC certs break kvstore on Splunk versions through 8.0.1).

When we first enabled FIPS, we expected DB Connect not to work, but it ended up working fine. It can store SQL credentials and connect to and query MSSQL and Oracle without issue.

So I'm wondering, has anyone with FIPS-enabled Splunk Enterprise (or Enterprise Security) run into a still-unsolvable problem with it?

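An added example, not part of the original post: a small Python check that reports, for each private key in a PEM file, whether it is passphrase-protected (and which cipher a traditional PEM header names) and whether it is an EC or RSA key, the two certificate properties the post ties to FIPS and kvstore trouble. The function name and the sample PEM are assumptions constructed for illustration; the key-type detection on PKCS#8 keys is a byte-search heuristic, and the script does not decide which algorithm is acceptable under FIPS.

```python
import base64
import re

# DER-encoded algorithm OIDs that appear inside unencrypted PKCS#8 keys
OID_EC = bytes.fromhex("06072a8648ce3d0201")       # id-ecPublicKey
OID_RSA = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----", re.S)

def classify_private_keys(pem_text):
    """Return one dict per private-key block: label, key type, protection."""
    results = []
    for label, body in PEM_RE.findall(pem_text):
        info = {"label": label, "key_type": "unknown",
                "encrypted": False, "cipher": None}
        lines = body.strip().splitlines()
        # Traditional PEM encryption puts "Name: value" headers before the base64
        headers = {}
        while lines and ":" in lines[0]:
            name, _, value = lines.pop(0).partition(":")
            headers[name.strip()] = value.strip()
        if label == "ENCRYPTED PRIVATE KEY":
            info["encrypted"] = True
            info["cipher"] = "PKCS#8 (algorithm is inside the DER)"
        elif "ENCRYPTED" in headers.get("Proc-Type", ""):
            info["encrypted"] = True
            info["cipher"] = headers.get("DEK-Info", "").split(",")[0] or None
        if label in ("EC PRIVATE KEY", "RSA PRIVATE KEY"):
            info["key_type"] = label.split()[0]
        elif label == "PRIVATE KEY":
            # Heuristic: look for the algorithm OID instead of parsing the DER
            der = base64.b64decode("".join(l.strip() for l in lines))
            if OID_EC in der:
                info["key_type"] = "EC"
            elif OID_RSA in der:
                info["key_type"] = "RSA"
        results.append(info)
    return results

# Constructed sample input: placeholder bytes, not real key material
_ec_body = base64.b64encode(b"\x30\x13" + OID_EC + b"\x00" * 8).decode()
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    "QUJDREVGR0g=\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN PRIVATE KEY-----\n" + _ec_body + "\n-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for entry in classify_private_keys(SAMPLE_PEM):
        print(entry)
```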