
SA-ldapsearch + TLS in a Search Head Cluster

Path Finder

Hi there,

Has anyone here succeeded in configuring SA-ldapsearch using TLS on an SHC?

We have successfully configured it on a Heavy Forwarder that is part of our architecture, but it does not work on a Search Head member of our Search Head Cluster, where it does not seem to even load the SSL settings.

Here are some details:

The SSL config is the same on both instances:

SH $ splunk cmd btool --app=SA-ldapsearch ssl list
[sslConfig]
caCertFile = /opt/splunk/etc/auth/ca.pem
sslVersions = tls

HF $ splunk cmd btool --app=SA-ldapsearch ssl list
[sslConfig]
caCertFile = /opt/splunk/etc/auth/ca.pem
sslVersions = tls

There is also an sslConfig stanza in another app, also identical:

[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
serverCert = $SPLUNK_HOME/etc/auth/splunk-cert.pem
requireClientCert = true
sslVerifyServerCert = true
certCreateScript =
sslVersions = tls1.1, tls1.2
sslVersionsForClient = tls1.1, tls1.2

SA-ldapsearch.log on the HF (OK):

2017-09-11 18:56:32,218, Level=DEBUG, Pid=16868, File=search_command.py, Line=294, LdapTestConnectionCommand arguments: ['/opt/splunk/etc/apps/SA-ldapsearch/bin/ldaptestconnection.py', 'EXECUTE', 'domain="default"']
2017-09-11 18:56:32,220, Level=DEBUG, Pid=16868, File=search_command_internals.py, Line=296, LdapTestConnectionCommand: ldaptestconnection domain="default"
2017-09-11 18:56:32,220, Level=DEBUG, Pid=16868, File=ldaptestconnection.py, Line=48, Command = ldaptestconnection domain="default"
2017-09-11 18:56:32,220, Level=DEBUG, Pid=16868, File=configuration.py, Line=47, Command = ldaptestconnection domain="default"
2017-09-11 18:56:32,242, Level=DEBUG, Pid=16868, File=configuration.py, Line=536, Configuration = ldaptestconnection(server=[Server(host='domain.local', port=636, use_ssl=True, allowed_referral_hosts=[(u'*', True)], tls=Tls(validate=2, version=2, ca_certs_file='/opt/splunk/etc/auth/ca.pem'), get_info=3), Server(host='domain.local', port=636, use_ssl=True, allowed_referral_hosts=[(u'*', True)], tls=Tls(validate=2, version=2, ca_certs_file='/opt/splunk/etc/auth/ca.pem'), get_info=3), Server(host='domain.local', port=636, use_ssl=True, allowed_referral_hosts=[(u'*', True)], tls=Tls(validate=2, version=2, ca_certs_file='/opt/splunk/etc/auth/ca.pem'), get_info=3)], credentials=CN=Splunk,OU=Admins,DC=domain,DC=local, alternatedomain=domain.local, basedn=dc=domain,dc=local, decode=True, pagedsize=1000)
2017-09-11 18:56:32,242, Level=DEBUG, Pid=16868, File=ldaptestconnection.py, Line=65, Testing the connection to ldaps://domain.local:636

SA-ldapsearch.log on the SH (KO); it seems the SSL parameters are not loaded:

2017-09-11 18:54:06,998, Level=DEBUG, Pid=9063, File=search_command.py, Line=294, LdapTestConnectionCommand arguments: ['/opt/splunk/etc/apps/SA-ldapsearch/bin/ldaptestconnection.py', 'EXECUTE', 'domain="default"']
2017-09-11 18:54:07,000, Level=DEBUG, Pid=9063, File=search_command_internals.py, Line=296, LdapTestConnectionCommand: ldaptestconnection domain="default"
2017-09-11 18:54:07,000, Level=DEBUG, Pid=9063, File=ldaptestconnection.py, Line=48, Command = ldaptestconnection domain="default"
2017-09-11 18:54:07,001, Level=DEBUG, Pid=9063, File=configuration.py, Line=47, Command = ldaptestconnection domain="default"
2017-09-11 18:54:07,006, Level=ERROR, Pid=9063, File=search_command.py, Line=346, Traceback (most recent call last):
  File "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/searchcommands/search_command.py", line 320, in process
    self._execute(operation, reader, writer)
  File "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/searchcommands/generating_command.py", line 79, in _execute
    for record in operation():
  File "/opt/splunk/etc/apps/SA-ldapsearch/bin/ldaptestconnection.py", line 49, in generate
    configuration = app.Configuration(self)
  File "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/app/configuration.py", line 52, in __init__
    self._read_configuration()
  File "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/app/configuration.py", line 432, in _read_configuration
    settings = self._read_default_configuration()
  File "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/app/configuration.py", line 457, in _read_default_configuration
    response = service.get('properties/ldap/default', namespace.owner, namespace.app, namespace.sharing)
  File "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/binding.py", line 241, in wrapper
    return request_fun(self, *args, **kwargs)
  File "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/binding.py", line 62, in new_f
    val = f(*args, **kwargs)
  File "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/binding.py", line 586, in get
    response = self.http.get(path, self._auth_headers, **query)
  File "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/binding.py", line 1056, in get
    return self.request(url, { 'method': "GET", 'headers': headers })
  File "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/binding.py", line 1108, in request
    response = self.handler(url, message, **kwargs)
  File "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/binding.py", line 1226, in request
    connection.request(method, path, body, head)
  File "/opt/splunk/lib/python2.7/httplib.py", line 1057, in request
    self._send_request(method, url, body, headers)
  File "/opt/splunk/lib/python2.7/httplib.py", line 1097, in _send_request
    self.endheaders(body)
  File "/opt/splunk/lib/python2.7/httplib.py", line 1053, in endheaders
    self._send_output(message_body)
  File "/opt/splunk/lib/python2.7/httplib.py", line 897, in _send_output
    self.send(msg)
  File "/opt/splunk/lib/python2.7/httplib.py", line 859, in send
    self.connect()
  File "/opt/splunk/lib/python2.7/httplib.py", line 1278, in connect
    server_hostname=server_hostname)
  File "/opt/splunk/lib/python2.7/ssl.py", line 352, in wrap_socket
    _context=self)
  File "/opt/splunk/lib/python2.7/ssl.py", line 579, in __init__
    self.do_handshake()
  File "/opt/splunk/lib/python2.7/ssl.py", line 808, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:603)

Thanks in advance for any feedback!

0 Karma
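The two log excerpts above differ in where the run stops: on the HF the command reaches "Testing the connection to ldaps://domain.local:636", while on the SH the traceback dies inside splunklib/binding.py during service.get('properties/ldap/default'), which is the search command's own HTTPS call back to splunkd's management port to read ldap.conf, before any LDAP server is contacted. The following triage helper is an added example (it is not part of the thread, of SA-ldapsearch or of Splunk) that reads SA-ldapsearch.log lines and tells the two TLS legs apart per run; the sample log is constructed from the excerpts above with the traceback frames abbreviated, and the field names (leg, target, tls) are this example's own.

```python
"""Classify ldaptestconnection runs in SA-ldapsearch.log by the TLS leg they reached.

Added example, not code from SA-ldapsearch or Splunk. Two legs exist:
  - "splunkd-rest": the script's HTTPS call to splunkd (service.get(...) in
    splunklib/binding.py) to read its configuration;
  - "ldap": the connection to the LDAP server itself, logged as
    "Testing the connection to ldaps://host:port".
A handshake failure on the first leg happens before ssl.conf for the LDAP
leg is even loaded, which is what the SH traceback in the thread shows.
"""
import re
import ssl

ENTRY_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} [\d:,]+, Level=(?P<level>\w+), Pid=(?P<pid>\d+), "
    r"File=(?P<file>[^,]+), Line=\d+, (?P<msg>.*)$"
)
LDAP_TEST_RE = re.compile(r"Testing the connection to (ldaps?://\S+)")
REST_GET_RE = re.compile(r"service\.get\('([^']+)'")
TLS_RE = re.compile(r"Tls\(validate=(\d+), version=(\d+), ca_certs_file='([^']*)'\)")
ERROR_RE = re.compile(r"^(\w*Error): (.*)$")

# Constructed sample modelled on the HF (pid 16868) and SH (pid 9063) excerpts.
SAMPLE_LOG = """\
2017-09-11 18:56:32,218, Level=DEBUG, Pid=16868, File=search_command.py, Line=294, LdapTestConnectionCommand arguments: ['/opt/splunk/etc/apps/SA-ldapsearch/bin/ldaptestconnection.py', 'EXECUTE', 'domain="default"']
2017-09-11 18:56:32,242, Level=DEBUG, Pid=16868, File=configuration.py, Line=536, Configuration = ldaptestconnection(server=[Server(host='domain.local', port=636, use_ssl=True, tls=Tls(validate=2, version=2, ca_certs_file='/opt/splunk/etc/auth/ca.pem'), get_info=3)], basedn=dc=domain,dc=local)
2017-09-11 18:56:32,242, Level=DEBUG, Pid=16868, File=ldaptestconnection.py, Line=65, Testing the connection to ldaps://domain.local:636
2017-09-11 18:54:06,998, Level=DEBUG, Pid=9063, File=search_command.py, Line=294, LdapTestConnectionCommand arguments: ['/opt/splunk/etc/apps/SA-ldapsearch/bin/ldaptestconnection.py', 'EXECUTE', 'domain="default"']
2017-09-11 18:54:07,006, Level=ERROR, Pid=9063, File=search_command.py, Line=346, Traceback (most recent call last):
  File "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/app/configuration.py", line 457, in _read_default_configuration
    response = service.get('properties/ldap/default', namespace.owner, namespace.app, namespace.sharing)
  File "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/binding.py", line 1226, in request
    connection.request(method, path, body, head)
  File "/opt/splunk/lib/python2.7/ssl.py", line 808, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:603)
"""


def _apply_message(run, msg):
    """Update one run's record from a log message or traceback line."""
    m = LDAP_TEST_RE.search(msg)
    if m:  # the REST leg succeeded; the LDAP leg is now under test
        run["leg"], run["target"] = "ldap", m.group(1)
        return
    m = TLS_RE.search(msg)
    if m:  # ldap3 Tls settings as loaded; validate maps onto ssl.VerifyMode
        try:
            verify = ssl.VerifyMode(int(m.group(1))).name
        except ValueError:
            verify = "unknown(%s)" % m.group(1)
        run["tls"] = {"verify": verify, "ca_certs_file": m.group(3)}
    m = REST_GET_RE.search(msg)
    if m:  # remember which splunkd endpoint the script was fetching
        run["rest_calls"].append(m.group(1))
    m = ERROR_RE.match(msg)
    if m:  # final exception line of a traceback
        run["error"] = "%s: %s" % (m.group(1), m.group(2))
        if run["leg"] != "ldap":
            run["leg"] = "splunkd-rest" if run["rest_calls"] else "unknown"
            run["target"] = run["rest_calls"][-1] if run["rest_calls"] else None


def parse_runs(log_text):
    """Group log lines by Pid; traceback continuation lines belong to the last entry."""
    runs, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            pid = int(m.group("pid"))
            current = runs.setdefault(pid, {"pid": pid, "leg": "not reached",
                                            "target": None, "tls": None,
                                            "error": None, "rest_calls": []})
            _apply_message(current, m.group("msg"))
        elif current is not None:
            _apply_message(current, line)
    return list(runs.values())


def summarize(run):
    """One-line verdict per run, naming the leg that failed."""
    if run["leg"] == "ldap":
        status = run["error"] or "no error logged"
        return "pid %d: splunkd REST leg OK; LDAP leg to %s: %s" % (run["pid"], run["target"], status)
    if run["leg"] == "splunkd-rest":
        return ("pid %d: handshake failed on the splunkd REST leg while fetching %s (%s); "
                "LDAP server never contacted" % (run["pid"], run["target"], run["error"]))
    return "pid %d: no connection attempt recorded (%s)" % (run["pid"], run["error"])


if __name__ == "__main__":
    for r in parse_runs(SAMPLE_LOG):
        print(summarize(r))
```

On the sample, the HF run is reported as having passed the REST leg with the LDAP leg configured for CERT_REQUIRED verification, and the SH run as having failed on the REST leg while fetching properties/ldap/default, which points the investigation at the SH's server.conf sslConfig (the instance's own management-port TLS settings) rather than at the add-on's ssl.conf.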

Re: SA-ldapsearch + TLS in a Search Head Cluster

Super Champion

Have you tried without SSL, to see if it works on the SHC?
Also, you mentioned another app with an sslConfig stanza. Can you please run btool without --app=SA-ldapsearch, just to check if the other app is overriding the ldapsearch app?

0 Karma

Re: SA-ldapsearch + TLS in a Search Head Cluster

Path Finder

Hi Koshyk,

Thanks for your help!

Indeed there is another App, but I meant to say that this App was deployed on both SH & HF. I might have been unclear.

If I run "splunk cmd btool ssl list", there is nothing interesting since ssl.conf is only used by ldapsearch while other apps use server.conf.

With "splunk cmd btool server list sslConfig --debug", there is one unique difference I did not spot earlier.

The SH checks for sslCommonNames while the HF does not:

sslCommonNameToCheck = splunk-searchhead,splunk-forwarder,splunk-indexer...

I did try to configure ldapsearch's ssl.conf with requireClientCert set to false and even with an empty sslCommonNameToCheck.

I did not try to put the LDAP DC CommonName in yet.

But I already went through sslCommonNameToCheck errors and I believe the generated error is pretty explicit in such case.

Might be worth trying.

0 Karma

Re: SA-ldapsearch + TLS in a Search Head Cluster

Super Champion

I'm not a fan of the SA-ldapsearch app as it is anyway too slow. I hope your LDAP is internal to the company?
What I would do to get things moving is:
- Phase 1 => Implement a basic setup without certificates etc. See it working in a cluster properly. Let it work for a month 🙂
- Phase 2 => Then try different settings which might break things.

0 Karma

Re: SA-ldapsearch + TLS in a Search Head Cluster

Contributor

Hi @support0,

I found this doc and think it can help you build a checklist for your configuration files: https://conf.splunk.com/session/2015/conf2015_DWaddle_DefensePointSecurity_deploying_SplunkSSLBestPr...

On page 14 he explains how to configure the SH, and on page 24 there is the explanation for configuring a UF (which can also be used for an HF).

Another document explains how to use security in Splunk: http://docs.splunk.com/Documentation/Splunk/latest/Security/AboutsecuringyourSplunkconfigurationwith...

I hope this helps you.

[ ]s
Rafael Martins

0 Karma

Re: SA-ldapsearch + TLS in a Search Head Cluster

Path Finder

Hi Rafael,

Yes, Duane Waddle's .conf sessions are always consistent and were really helpful!

But in our case LDAP auth is OK on the platform; what is not is ldapsearch, and only on an SH that is part of the SHC.

0 Karma

Re: SA-ldapsearch + TLS in a Search Head Cluster

Hi support0,

I currently have SA-ldapsearch 2.1.4 and TLS working in a SHC environment.

Try something like the below, and if it works for you, you can then harden it further.

This is in the SA-ldapsearch/local/ssl.conf file.

[sslConfig]
sslVerifyServerCert = false
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
caCertFile = ca.pem
sslVersions = tls

Thanks,
Matt

0 Karma
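The stanza Matt posted gets the handshake working by setting sslVerifyServerCert = false, which means the add-on accepts whatever certificate the LDAP server presents. As an added illustration (not from the thread, from SA-ldapsearch or from Splunk), here is that stanza next to a hardened variant that keeps the same keys and turns verification back on; the two stanzas are alternatives for the same SA-ldapsearch/local/ssl.conf, not meant to coexist in one file. It assumes the keys behave as their names indicate and as the HF log in the first post suggests (Tls(validate=2, ...) is ssl.CERT_REQUIRED, with ca_certs_file taken from caCertFile), and that ca.pem contains the CA that issued the LDAP server's certificate.

```ini
; SA-ldapsearch/local/ssl.conf, as posted: server certificate NOT verified,
; so the handshake succeeds against any certificate on port 636
[sslConfig]
sslVerifyServerCert = false
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
caCertFile = ca.pem
sslVersions = tls

; Hardened alternative for the same file (added example, assumptions noted
; in the lead-in): same keys, verification on; the handshake then succeeds
; only when the chain presented by the LDAP server validates against ca.pem
[sslConfig]
sslVerifyServerCert = true
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
caCertFile = ca.pem
sslVersions = tls
```

A reasonable sequence is the one Matt describes: confirm the connection works with the first stanza, then switch to the second and check SA-ldapsearch.log for "Testing the connection to ldaps://..." followed by a successful bind, which confirms the CA file actually matches the LDAP server's chain.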

Re: SA-ldapsearch + TLS in a Search Head Cluster

Path Finder

Hi Matt,

Thanks for your feedback.

We tried to play with sslVerifyServerCert & requireClientCert without luck so far.

Quick question: you mentioned SHC, do you execute LDAP searches locally by setting:

[ldapsearch]
local = true

etc.

or NOT?

If not, I guess the ldapsearch add-on is deployed on your Indexers as well, right?

Thanks in advance,

0 Karma