Getting Data In

OPSEC LEA with CheckPoint: SIC ERROR 119 - SIC Error for ssl_opsec: Client could not choose an authentication method for service ssl_opsec

Engager

We Installed OPSEC LEA on RedHat to connect to CheckPoint 75.40. The app is enabled and connected. CheckPoint shows that trust is established, but Splunk shows "waiting for data" instead of showing it as a datasource.

When running lea-loggrabber.sh (with crednetial) in debug 3 mode, I saw the following errors:
DEBUG: OPSECSESSIONENDHANDLER called
ERROR: SIC ERROR 119 - SIC Error for ssl
opsec: Client could not choose an authentication method for service ssl_opsec

When manually running lealoggrabber (with the SPLUNKHOME variable set), after I log in, I see:

splunkd request failed, 404:
$PLUNKHOME/bin/splunk _internal call /servicesNS/nobody/splunkopseclea/opsec/logstatus/1@
QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/splunk
opseclea/opsec/logstatus/1@"
FAILED: 'HTTP/1.1 404 Not Found'
In handler 'log
status': Could not find object id=1@

The splunkd.log shows the following:
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity CheckPoint"

The opsec-entity-health.conf file shows is_connected = 0, so I assume that something is wrong with the connection.

Anyone know how to solve the problem?

Tags (2)
1 Solution

Explorer

ssl_opsec is no longer officially supported in the 2.0 version of the app:
link text

View solution in original post

Path Finder

Would like to thank Splunk Support for this. But we weren't using ssl_opsec but sslca. The problem was that our CP admin hadn't given the proper Entity SIC name. I'd used the same as the SIC name since that was the only one our CP guy was aware of. The Entity SIC Name needed to be changed to CN=cp_mgmt,O=yourcphost.domain.com.oschxt
(where O=yourcohost.domain.com.oschxt was the same as in the plain SIC name.)

There's no way of pulling this info from the CP gui I'm told.

Splunk Employee
Splunk Employee

This was my issue as well. For reference, though, you can pull this from your management server by opening it up in the Check Point UI and opening up the SIC status.

0 Karma

Explorer

You can change authentication type on opsec.conf file.
My problem was that Checkpoint was listening on wrong port, that why I had problems to communicate the service.

0 Karma

Champion

so, does it support sslopsecauth? The doc specifically says that it isn't supported.

0 Karma

Explorer

I have similar problem, but with error "Client could not choose an authentication method for service lea"
I'v tried everything that I found in splunkbase and internet.
Does some one has any ideas?
this is fragment from the debug log:

Could not find info for ...opsec_sic _policy_file...
Could not find info for ...opsec_mt. ..
opsec_init: multithread safety is no t initialized
cpprng_opsec_initialize: dev_urandom_poll returned 0
opsec_file_is_intialized: seed is initialized
cpprng_opsec_initialize: seed init for opsec succeeded
PM_policy_create: version 5301.
PM_policy_add_name_to_group: finished successfully.
PM_policy_set_local_names: () names. finished successfully.
PM_policy_create: finished successfully.
PM_policy_add_name_to_group: finished successfully.
PM_policy_set_local_names: (local_sic_name) names. finished successfully.
PM_policy_add_name_to_group: finished successfully.
PM_policy_set_local_names: (127.0.0.1) names. finished successfully.
PM_policy_add_name_to_group: finished successfully.
PM_policy_set_local_names: ("CN=SplunkLEA,O=XXXXXX..xxxxxx") names. finished successfully.
PM_apply_default_dn: ca_dn = [O=XXXXXX..xxxxxx].
PM_apply_default_dn: calling PM_policy_DN_conversion ..
PM_apply_default_dn: finished successfully.
ckpSSLctx_New: prefs = 12
ckpSSLctx_New: prefs = 12
ckpSSLctx_New: prefs = 32
ckpSSLctx_New: prefs = 11
ckpSSLctx_New: prefs = 31
ckpSSLctx_New: prefs = 12
sslcaInitCP_Ex: using asym client without ca cert
ckpSSLctx_New: prefs = 12
ckpSSLctx_New: prefs = 12
slcaInitCP_Ex: using asym client without ca cert
ckpSSLctx_New: prefs = 32
ckpSSLctx_New: prefs = 32
sslcaInitCP_Ex: using asym client without ca cert
ckpSSLctx_New: prefs = 11
ckpSSLctx_New: prefs = 11
sslcaInitCP_Ex: using asym client without ca cert
ckpSSLctx_New: prefs = 31
ckpSSLctx_New: prefs = 31
opsec_init_sic_id_internal: Added sic id (ctx id = 0)
splunk internal call command: $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/log_status/1@
splunk output: QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/log_status/1@'
FAILED: 'HTTP/1.1 404 Not Found'
Content:
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">In handler 'log_status': Could not find object id=1@</msg>
  </messages>
</response>


splunkd request failed, 404:
        $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/log_status/1@
        QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/log_status/1@'
FAILED: 'HTTP/1.1 404 Not Found'
Content:
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">In handler 'log_status': Could not find object id=1@</msg>
  </messages>
</response>


DEBUG: Starting  fw.log 1 at offset -1
DEBUG: OPSEC LEA conf file is lea.conf
DEBUG: Authentication mode has been used.
DEBUG: Server-IP     : 192.168.10.1
DEBUG: Server-Port     : 18184
DEBUG: Authentication type: sslca
DEBUG: OPSEC sic certificate file name : ../certs/SplunkLEA.p12
DEBUG: Server DN (sic name) : CN=SplunkLEA,O=XXXXXX..xxxxxx
DEBUG: OPSEC LEA client DN (sic name) : CN=SplunkLEA,O=XXXXXX..xxxxxx
opsec_init_entity_sic: called for the client side
Configuring entity lea_server
Could not find info for ...conn_buf_size...
Could not find info for ...no_nagle...
Could not find info for ...port...
opsec_entity_add_sic_rule: adding rules: apply_to: ME, peer: CN=SplunkLEA,O=XXXXXX..xxxxxx, d_ip: NULL, dport 18184, svc: lea, method: sslca
opsec_entity_add_sic_rule: adding INBOUND rule
opsec_entity_add_sic_rule: adding OUTBOUND rule
DEBUG: Starting at position: -1
opsec_get_comm: creating comm for ent=96c5a70  peer=96c5578 passive=0 key=2 info=0
c=0x96c5a70 s=0x96c5578 comm_type=4

Could not find info for ...opsec_client...
opsec_get_comm: Creating session hash (size=256)
opsec_get_comm: ADDING comm=0x96d0368 to ent=0x96c5a70 with key=2
opsec_env_get_context_id_by_peer_sic_name: found context id=0 for peer sic name=CN=SplunkLEA,O=XXXXXX..xxxxxx
opsec_env_get_sic_handle_by_context_id: found sic handle (ctx id=0)
opsec_sic_connect: connecting... (ctx id=0)
peers addresses are
192.168.10.18
DEBUG: function read_fw1_logfile_start
DEBUG: OPSEC session start handler was invoked
SESSION ID:3 is sending DG_TYPE=1

pushing dgtype=1 len=0 to list=0x96d0384
SESSION ID:3 is sending DG_TYPE=402

pushing dgtype=402 len=20 to list=0x96d0384
SESSION ID:3 is sending DG_TYPE=40c

pushing dgtype=40c len=0 to list=0x96d0384
fwasync_conn_params: <c0a80a12,40631> -> <c0a80a01,18184>
fwasync_connbuf_realloc: reallocating 0 from 0 to 1028
fwasync_connbuf_realloc: reallocating 0 from 0 to 1028
sic_client_set_version: 10: protocol version is 59000000
PM_session_init: given session O(CN=SplunkLEA,O=XXXXXX..xxxxxx;local_sic_name;18184;lea).
PM_policy_query: input session O(CN=SplunkLEA,O=XXXXXX..xxxxxx;local_sic_name;18184;lea).
PM_policy_query: rule not found.
PM_policy_query: finished successfully. 1st method = deny
PM_policy_choose: finished successfully. choose: DENY.
policy_choose: choose failed.
sic_client_negotiate_auth_method: policy choose failed.
fwasync_mux_in: 10: handler returned with error
sic_client_end_handler: for conn id = 10
opsec_auth_client_connected: connect failed (119)
opsec_auth_client_connected: SIC Error for lea: Client could not choose an authentication method for service lea
opsec_auth_client_connected:conn=(nil) opaque=0x96dbb00 err=0 comm=0x96d0368
comm failed to connect 0x96d0368
OPSEC_SET_ERRNO: err =  8  Comm is not connected/Unable to connect (pre =  8)
COM 0x96d0368 got signal 131075
destroying comm 0x96d0368
Destroying comm 0x96d0368 with 1 active sessions
Destroying session (96db450) id 3 (ent=96c5a70) reason=SIC_FAILURE
SESSION ID:3 is sending DG_TYPE=3

DEBUG: OPSEC_SESSION_END_HANDLER called
ERROR: SIC ERROR 119 - SIC Error for lea: Client could not choose an authentication method for service lea
opsec_comm_is_needed:comm 0x96d0368 1/1 sessions need the comm.
pulling dgtype=1 len=0 to list=0x96d0384
pulling dgtype=402 len=20 to list=0x96d0384
pulling dgtype=40c len=0 to list=0x96d0384
pulling dgtype=ffffffff len=-1 to list=0x96d0384
REMOVING comm=0x96d0368 from ent=0x96c5a70 with key=2
T_event_mainloop_e: T_event_mainloop_iter returns 0
DEBUG: function cleanup_fw1_environment
Destroying entity 1 with 0 active comms
opsec_destroy_entity_sic: deleting sic rules for entity 0x96c5a70
Destroying entity 2 with 0 active comms
opsec_destroy_entity_sic: deleting sic rules for entity 0x96c5578
IpcUnMapFile: unmapping file (handle=0x96ca890)
IpcUnMapFile: unmapping file (handle=0x96c98d8)
IpcUnMapFile: unmapping file (handle=0x96c9948)
IpcUnMapFile: unmapping file (handle=0x96da690)
IpcUnMapFile: unmapping file (handle=0x96da700)
PM_policy_destroy: finished successfully.
opsec_destroy_sic_id_internal: Destroyed sic id (ctx id=0)
opsec_env_destroy_sic_id_hash: Destroyed sic id hash
fwd_env_destroy: env 0x96a93b0 (alloced = 1)
T_env_destroy: env 0x96a93b0
do_fwd_env_destroy:  really destroy 0x96a93b0
DEBUG: function close_screen
DEBUG: Close connection to screen.
DEBUG: function exit_loggrabber
DEBUG: function free_lfield_arrays
DEBUG: function free_afield_arrays
DEBUG: function free_lfield_arrays
DEBUG: function free_afield_arrays
0 Karma

Hi,

I encountered the same problem, I didn't have the previous version of the App and my SmartCenter is fresh installed.

I lost many hours to debug Splunk and I finally try something on the SmartCenter.

I edited the file $FWDIR/conf/fwopsec.conf and added these 2 lines:

lea_server  auth_port   18184
lea_server  auth_type   sslca

Run cpstop and cpstart and now everything works fine, logs are in Splunk 🙂

The documentation said "Confirm that the fwopsec.conf file has no entries related to lea_server." but it does not work if all lines are commented.

Hope this could help you,
Christophe

Splunk Employee
Splunk Employee

This fix worked for me also. There was a legacy fwopsec.conf entry specifying ssl_opsec as the auth type. Changing this and restarting fixed the error message "Client could not choose an authentication method for service lea" and we now have logs streaming into Splunk.

0 Karma

Explorer

ssl_opsec is no longer officially supported in the 2.0 version of the app:
link text

View solution in original post

Champion

Why no supported for ssl_opsec auth?

0 Karma