Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

sslRootCAPath at server.conf

inventsekar
SplunkTrust
SplunkTrust
‎06-20-2017 06:29 AM

SSL is already complex one, this poor documentation adds the fuel to the fire

https://docs.splunk.com/Documentation/Splunk/6.4.4/Security/ConfigureSplunkforwardingtousesignedcert...
this says, we should update server.conf with sslRootCAPath info, but when splunkd restarts, it says the other way around.

[root@UF /app/JE0/splunkforwarder/etc/twoCerts]#/app/splunkforwarder/bin/splunk restart
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
............ [ OK ]
Stopping splunk helpers...
[ OK ]
Done.

Splunk> All batbelt. No tights.

Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for problems...
*Invalid key in stanza [sslConfig] in /app/splunkforwarder/etc/system/local/server.conf, line 19: sslRootCAPath (value: /app/splunkforwarder/etc/twoCerts/cacert.pem). *
Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
Done
Checking default conf files for edits...
Validating installed files against hashes from '/app/splunkforwarder/splunkforwarder-6.3.4-cae2458f4aef-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Done
[ OK ]
[root@UF /app/splunkforwarder/etc/twoCerts]#

Reply

splunkreal
Influencer
‎01-04-2022 09:55 AM

Agreed, this is misleading.

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply

satyenshah
Path Finder
‎05-10-2018 02:25 PM

Two pitfalls to watch out for:

2) The 'deprecated' settings don't appear to be really deprecated. Using v7.0.0, I still have to set caCertFile. If I try to set sslRootCAPath I get error "setting ignored under Windows". The Splunk docs for v7.0.0 say caCertFile is deprecated, but in practice it's not.

2) Splunk's SSL handling is intolerant of extra lines in PEM files. For example, if you start with a certificate in PFX and export to PEM, you end up with a lot of 'bag attributes' in the output PEM file. They look like comments in between the actual certificates. You have to manually strip out those lines so that the PEM file only contains lines that are either BEGIN, END, or Base64 encoded.

edit: Splunk appears to have fixed the sslRootCAPath problem in v7.1.2:
2018-06-15
SPL-149190, SPL-141808
(Windows Only) Support sslRootCAPath on Windows

Reply

horsefez
Motivator
‎06-20-2017 07:00 AM

Hi inventsekar,

there is a parameter named caCertPath which is depreciated in recent splunk versions, but served as the sslRootCAPath parameter in past splunk versions.

You seem to use a splunkforwarder with the version 6.3.4. In this version caCertPath should work.

Reply

inventsekar
SplunkTrust
SplunkTrust
‎06-20-2017 05:09 PM

Thanks Pyro_wood,
sslRootCAPath works fine, but on inputs.conf file(not server.conf).

the document should be updated properly. if "SSL" is not updated properly, how a simple user can read this document and deploy SSL ?!?!?! hope splunk guys will check this and update soon.
the wiki.splunk on SSL also got multiple issues.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...