How to set up my Splunk REST API with self-signed certificates and how to configure for the REST API 8089 port?

timoti
Explorer

Hello, after 2 days of trying hard on this problem, I finally give up and now I am posting it here.

Well, I need to set up my Splunk REST API with my own self-signed certificates. I've already configured the usage of my own self-signed certificates for SplunkWeb, but I'm stuck on the configuration for the REST API 8089 Port.
Here's the problem:
I've already generated my own server certificates thanks to the Splunk docs:

located in /Application/Splunk/etc/auth/myNewCerts

Here's my configuration file server.conf in /Applications/Splunk/etc/system/local

When I run commands to verify the matches between my certs and my keys, they match and when I start Splunk everything looks ok.

But when I check the log file at /Applications/Splunk/var/log/splunk/splunkd.log:

$ tail -f splunkd.log | grep ERR

04-25-2018 16:42:50.272 +0200 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/splunk_instrumentation/bin/on_splunk_start.py" ERROR:InstrumentationInit:[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:676)

04-25-2018 16:42:52.779 +0200 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/splunk_monitoring_console/bin/dmc_config.py" Socket error communicating with splunkd (error=[X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:2768)), path = /services/shcluster/config?output_mode=json


openssl version : OpenSSL 1.0.2o  27 Mar 2018
OS version : macOS Sierra Version 10.12.6 (16G29)
Python version : Python 2.7.14

Sorry for my bad English, waiting for help.

0 Karma
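
Added example, not part of the original thread: a small Python parser that pulls the OpenSSL library and reason code out of the two splunkd.log lines quoted in the question and groups them by the script that reported them. The function names are hypothetical and the hint strings are this example's own reading of each reason code, not Splunk guidance.

```python
import re

# The two ERROR lines quoted in the question, copied from the thread.
SAMPLE_LOG = r'''04-25-2018 16:42:50.272 +0200 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/splunk_instrumentation/bin/on_splunk_start.py" ERROR:InstrumentationInit:[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:676)
04-25-2018 16:42:52.779 +0200 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/splunk_monitoring_console/bin/dmc_config.py" Socket error communicating with splunkd (error=[X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:2768)), path = /services/shcluster/config?output_mode=json
'''

LINE_RE = re.compile(
    r'^(?P<ts>\d\d-\d\d-\d{4} [\d:.]+ [+-]\d{4}) (?P<level>[A-Z]+)\s+'
    r'(?P<component>\S+) - message from "(?P<cmd>[^"]+)" (?P<msg>.*)$')
# Python's ssl module renders OpenSSL errors as "[LIB: REASON] text (_ssl.c:N)".
OPENSSL_RE = re.compile(r'\[(?P<lib>[A-Z0-9]+): (?P<reason>[A-Z0-9_]+)\]')

# Hints are this example's reading of each reason code (an assumption).
HINTS = {
    'SSLV3_ALERT_HANDSHAKE_FAILURE':
        'peer aborted the handshake; with requireClientCert = true, '
        'check that the client presents a certificate',
    'KEY_VALUES_MISMATCH':
        'private key does not pair with the first certificate in the PEM',
}

def parse_ssl_errors(text):
    """Return one dict per ERROR line that carries an OpenSSL error."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        err = m and OPENSSL_RE.search(m.group('msg'))
        if not err or m.group('level') != 'ERROR':
            continue
        reason = err.group('reason')
        findings.append({
            'time': m.group('ts'),
            'script': m.group('cmd').rsplit('/', 1)[-1],
            'lib': err.group('lib'),
            'reason': reason,
            'hint': HINTS.get(reason, 'unrecognised reason code'),
        })
    return findings

def reasons_by_script(findings):
    """Map each reporting script to the sorted reason codes it logged."""
    out = {}
    for f in findings:
        out.setdefault(f['script'], set()).add(f['reason'])
    return {k: sorted(v) for k, v in out.items()}

if __name__ == '__main__':
    for f in parse_ssl_errors(SAMPLE_LOG):
        print('{time}  {script}: {lib}/{reason} -> {hint}'.format(**f))
```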

marcolesh
Path Finder

Hi. Why would you try to add a self-signed cert... when splunkd already has its own self-signed cert....
What are you trying to access in splunkd?

If splunkweb is working, splunkd (REST API) is already working.

I suggest you see the REST API URI quick-reference.

http://docs.splunk.com/Documentation/Splunk/7.1.3/RESTREF/RESTlist

If you want to access it from a browser, you need to access a REST endpoint with a REST method available, and tell the browser to go ahead when prompted with the self-signed cert warning.

Here is an example:

https://localhost:8089/services/authentication/current-context

NOTE the https part, since there is no automatic redirect.

In order to avoid the request of a valid certificate... on every computer, get rid of the self-signed cert and get a trusted SSL certificate; you can create your free trusted cert with Let's Encrypt.
https://www.splunk.com/blog/2016/08/12/secure-splunk-web-in-five-minutes-using-lets-encrypt.html
The link above is a how-to for securing splunkWeb.... I don't know how to add it to splunkd... I would like to know... that's why I got here...

0 Karma

timoti
Explorer

Up please, I'm still stuck.

0 Karma

timoti
Explorer

Up:
When I set the option "requireClientCert = false" instead of true, I can connect on the 8089 interface (https://localhost:8089) with my own certificate added on my computer. Then when I try to connect to "https://[myip]:8089" from another computer on the same local network, it requests a valid certificate that the computer doesn't have, so it can't connect. But the splunkweb interface is still accessible via "https://[myip]:8000" from any other computer.
I don't know how it works??

0 Karma