Security

Cert issue with TA-Illumio

New Member

When configuring the Illumio TA it is failing to communicate to my Illumio server and errors about the certificate on the Illumio server. The Illumio product is installed with a valid Thwate certificate but Splunk is complaining about it when trying to configure the TA. Any thoughts as to why Splunk does not see the certificate as valid? I have tried loading the Thwate root cert and intermediate on the Splunk host OS, but it is still not working,
The Splunk setup is 6.6.4, running on Windows Server 2012.

Errors below:

2018-05-10 13:40:52,444 - Illumio_Get_Data - ERROR - Error Trace for failed workload request: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676)
Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\TA-Illumio\bin\get_data.py", line 97, in get_workload
    r = requests.get(url +resource.get("orgs", "")+str(rest_help[4])+ resource.get("workload", ""), headers=headers, verify=cert_path)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\requests\api.py", line 55, in get
    return request('get', url, **kwargs)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\requests\api.py", line 44, in request
    return session.request(method=method, url=url, **kwargs)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\requests\sessions.py", line 456, in request
    resp = self.send(prep, **send_kwargs)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\requests\sessions.py", line 559, in send
    r = adapter.send(request, **kwargs)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\requests\adapters.py", line 382, in send
    raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676)
2018-05-10 13:40:52,444 - Illumio_MODINPUT - INFO - Completed execution of threads.

Thanks

Tags (1)
0 Karma

Explorer

We finally have this working in our environment on TA-Illumio 2.1.0. It was not working on 2.0.1, so I imagine it may not have earlier either.

We had to use the double backslash in the "Custom (self-signed) certificate path":

C:\\Program Files\\Splunk\\etc\\apps\\TA-Illumio\\pce.crt
0 Karma

New Member

Hi, thanks for the quick response. What syntax is needed for the directory path? I use Windows. C:......\filename.pem or something else?

0 Karma

Explorer

I do not know, but, you can try double back-slash in the Windows path that someone else posted earlier.

C:\PATH\TO\cert.pem

0 Karma

Splunk Employee
Splunk Employee

hi @jforrest1234,

Which user were you trying to ask this question to? There are two answers above from different users...

Thanks.

0 Karma

Explorer

If you use Firefox to access your Illumio server, you should be able to download the root certificate chain directly
a. Click on the padlock in the url bar
b. Examine the "Secure Connection" and then click "More Information"
c. A dialog box pops open (at leat, on Mac OS-X) and there is a "View Certificate" button
d. Click on View Certificate, click on Details. You will see the certificate chain.

Now, highlight the root cert (at the very top), and then click the "Export" button. This will download the entire root certificate chain in PEM format.

Upload this certificate to your Splunk server in a location that is accessible. Provide the full path to this certificate in the Data Input and save the data input.

This should resolve the issue.

0 Karma

SplunkTrust
SplunkTrust

Did you try to upload the Root CA certificate somewhere where Splunk has read permissions and then set this parameter in the input config?

Certificate Path
When a self-signed SSL certificate is used with the PCE, its SSL Certificate needs to be uploaded onto Splunk Server and the full path to directory containing the certificate should be provided here.
0 Karma

New Member

I uploaded the Root CA cert to the Splunk server and believe read permissions were set. On Windows server what permissions do I need to give the file so Splunk can have read access? The Splunk processes run as local System so I assumed local system was the rights the file needed or am I missing something.

Thanks

0 Karma

SplunkTrust
SplunkTrust

Yeah, that is basically local admin, and should be fine, unless you did something really weird.
Did you set the path to those files in the input settings? Maybe on Windows you need to do something strange, like doubling the \s, or replacing \ with / - nothing I can actually point you to, but all of those have happened to me in the past, so it's worth to give them a try.

0 Karma

New Member

was anyone able to resolve this issue?

0 Karma