Getting Data In

LEA Client don't connect to Check Point OPSEC LEA Server

idiota
Loves-to-Learn Lots

Hello all,

I try to create connection from LEA client to Check Point OPSEC LEA Server,

Connection Details > Certificate > SID Details
Select "I need to get a new certficate"
Lea App Name : SplunkLEA
One-time Password : 123456
Management Server : 192.168.1.10

After click "Next", received "Server error".

I check $SPLUNK_HOME/var/log/splunk/web_service.log , find the error:
2014-08-01 15:28:04,982 ERROR [53db4184f97f51ec320810] :522 - params: {'model': u'{"opsec_host":"192.168.1.10","conn_name":"Splunk","opsec_app_name":"SplunkLEA","opsec_key":"123456"}'}
2014-08-01 15:28:05,325 ERROR [53db4185517f51ec320b10] :522 - params: {'model': u'{"opsec_host":"192.168.1.10","conn_name":"Splunk","opsec_app_name":"SplunkLEA","opsec_key":"123456"}'}

Does anyone meet the problem?

Thanks for your help.

Tao

Tags (2)
0 Karma
1 Solution

Chubbybunny
Splunk Employee
Splunk Employee

I ran into the same problem and found that our Operating System was missing the required PAM shared libraries and GNU C library to execute the 'opsec pull cert' command located in: $SPLUNK_home/etc/apps/Splunk_TA_opseclea_linux22/bin/pull-cert.sh

To resolve the issue, simply install the following packages as mentioned in the following doc:
http://docs.splunk.com/Documentation/OPSEC-LEA/latest/Install/Systemrequirements

View solution in original post

0 Karma

Chubbybunny
Splunk Employee
Splunk Employee

I ran into the same problem and found that our Operating System was missing the required PAM shared libraries and GNU C library to execute the 'opsec pull cert' command located in: $SPLUNK_home/etc/apps/Splunk_TA_opseclea_linux22/bin/pull-cert.sh

To resolve the issue, simply install the following packages as mentioned in the following doc:
http://docs.splunk.com/Documentation/OPSEC-LEA/latest/Install/Systemrequirements

0 Karma

d646800
Explorer

i am facing the same issue even though i have installed the latest glibc and pam. I am quite sure i did it right because when I ran /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/pull-cert.sh, theer was an error . but now all i got is

[splunk@pucu-spf-44 bin]$ /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/pull-cert.sh
unknown parameter ../certs/

CheckPoint 2001. Getting an object's certificate. Works once per certificate.

Usage: opsec_pull_cert -h host -n object-name -p passwd [-o cert_file] [-od dn_file]
-p is the one-time-password given in the SmartDashboard when defining this entity.
-o is for the output certificate file. default is "($OPSECDIR/)opsec.p12".
-od is for the output sic name (one line text file).
A relative path filename will be concatenated to OPSECDIR env variable (if exists).

and in ** opsec.log** still the same
2015-06-25 03:25:04,408 [ERROR] [] params: {'model': u'{"opsec_host":"10.95.3.6","conn_name":"tcxf2-lon_primary","opsec_app_name":"SplunkLea","opsec_key":"$91u^k15"}'}
2015-06-25 03:25:27,508 [ERROR] [] params: {'model': u'{"opsec_host":"10.95.3.6","conn_name":"tcxf2-lon_primary","opsec_app_name":"SplunkLea","opsec_key":"$91u^k15"}'}

0 Karma

idiota
Loves-to-Learn Lots

Thanks, afer install pam.i686 and glibc.i686 , connect to smartcenter is ok.

0 Karma
Get Updates on the Splunk Community!

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...