Getting Data In

How to configure Splunk DB Connect 1 to support TLS encryption?

splunkIT
Splunk Employee
Splunk Employee

I am using DBX v1, and would like to take advantage of splunkd using TLS 1.2 (this is in [sslconfig] for server.conf):

## ./etc/system/local/server.conf:
[sslconfig]
sslVersions = tls1.2

But when I do, the jbridge won't start; this is what I found in the jbridge.log:

2015-11-12 10:25:22,786 ERROR Java process returned error code 1! Error: Initializing Splunk context... Environment: SplunkEnvironment{SPLUNK_HOME=/opt/splunk,SPLUNK_DB=/opt/splunk/var/lib/splunk} Configuring Log4j... Exception in thread "main" com.splunk.config.SplunkConfigurationException: IO Error while reading configuration from Splunkd: javax.net.ssl.SSLException: Received fatal alert: protocol_version      at com.splunk.config.rest.RESTAdapter.request(RESTAdapter.java:199)     at com.splunk.config.rest.RESTAdapter.readConfig(RESTAdapter.java:207)  at com.splunk.config.cache.CachedConfigurationAdapter.readConfig(CachedConfigurationAdapter.java:32)    at com.splunk.config.cache.CachedConfigurationAdapter.readStanza(CachedConfigurationAdapter.java:40)    at com.splunk.env.SplunkContext.getConfigStanza(SplunkContext.java:313)         at com.splunk.env.SplunkContext.initialize(SplunkContext.java:128)      at com.splunk.bridge.JavaBridgeServer.main(JavaBridgeServer.java:34) Caused by: javax.net.ssl.SSLException: Received fatal alert: protocol_version      at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)     at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)     at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1979)    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1086)   at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)      at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)       at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)       at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)   at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)   at com.splunk.rest.Splunkd.request(Splunkd.java:216)    at com.splunk.rest.Splunkd.request(Splunkd.java:102)    at com.splunk.config.rest.RESTAdapter.request(RESTAdapter.java:197)     ... 6 more
2015-11-12 10:25:22,787 ERROR Command output: None
1 Solution

lagnone_splunk
Splunk Employee
Splunk Employee

Assuming you're using Oracle's JRE/JDK 7, you will find that TLSv1.2 support is not enabled by default.
To add TLS functionality, simply add any combination of this flag into the JVM command line options on the DBX setup page:
-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2

View solution in original post

lagnone_splunk
Splunk Employee
Splunk Employee

Assuming you're using Oracle's JRE/JDK 7, you will find that TLSv1.2 support is not enabled by default.
To add TLS functionality, simply add any combination of this flag into the JVM command line options on the DBX setup page:
-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2

splunkIT
Splunk Employee
Splunk Employee

Thanks @Lagnone. That worked for me. I am on java 7. Curious to know if these params are needed for java 8 as well.

0 Karma

lagnone_splunk
Splunk Employee
Splunk Employee

You should not need these on Java 8

0 Karma

peter_krammer
Communicator

We had the same issue with Oracle Java 1.8.0_66.
But the Solution worked here too.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...