Security

FIPS/SSL Incompatibility?

mjdiamore
Engager

Attempting to install local/self-signed certs (Splunk Indexer houses Root CA with a cert distributed to all forwarders), and receiving the following error, ostensibly FIPS-related:

ERROR SSLCommon - Can't read key file /opt/splunkforwarder/etc/auth/mycerts/forwarderchain.pem errno=101351587 error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips.

This is on a Splunk Forwarder with FIPS enabled (all installations will be on Linux FIPS-kernel systems), using Splunk's inboard OpenSSL (1.0.2p-fips; and even if this had failed the latent installation instance is 1.0.2k-fips), and using ciphers that should be validated to generate the keys (-aes256 on key generation, -sha512 for final pem).

Is there some inherent compatibility issue that I'm missing that prevents this setup while in FIPS mode? Has anyone run across a similar error when working through the Splunk documentation for cert generation? I've essentially followed the following pages step by step:

https://docs.splunk.com/Documentation/Splunk/latest/Security/Howtoself-signcertificates

https://docs.splunk.com/Documentation/Splunk/latest/Security/HowtoprepareyoursignedcertificatesforSp...

https://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousesignedcer...

I've seen some references about needing to set OPENSSL_FIPS=1 for the OpenSSL instance, but can't tell if that's a change to the openssl.cnf file in /opt/splunkforwarder/openssl/openssl.conf, a general environment setting, or if it's even needed given I have the FIPS OpenSSL package to begin with.

1 Solution

ebuchala_splunk
Splunk Employee

It looks like you simply need to use OPENSSL_FIPS=1 in your command when you create the key. So the command would read:

$SPLUNK_HOME/bin/splunk cmd OPENSSL_FIPS=1 openssl genrsa -aes256 -out myCAPrivateKey.key 2048

This is based on the following: https://mta.openssl.org/pipermail/openssl-dev/2015-February/000577.html


satyenshahusda
Engager

When deploying a new EC cert, the critical step was invoking FIPS when encrypting the key with a passphrase:

$ OPENSSL_FIPS=1 openssl ec -aes256 -in splunkforwarders.key -out splunkforwarders.enc.key

I didn't need to invoke FIPS when generating the key, or the CSR. Just when passphrasing the key.


mjdiamore
Engager

So, I thought the same, however I can't seem to pass that variable within the context of splunk cmd.

OPENSSL_FIPS=1 openssl works fine.

$SPLUNK_HOME/bin/splunk cmd OPENSSL_FIPS=1 openssl returns

couldn't run "/opt/splunk/bin/OPENSSL_FIPS=1": No such file or directory

Perhaps there's some sort of syntactical fix/workaround for that in Splunk that I'm not aware of.

0 Karma

ebuchala_splunk
Splunk Employee

I just double-checked on this and apparently Splunk has openssl packaged with it. Using the $SPLUNK_HOME/bin/splunk prefix essentially just directs your device to utilize the Splunk version of the package (which is why it couldn't find the FIPS version since that isn't normally included). You don't actually need to use this if you already have openssl installed (which is likely anyway since I believe it's included by default in most Linux distros these days).

Just make sure you include the full filepath for your key output and you can run the command without the $SPLUNK_HOME preface.

OPENSSL_FIPS=1 openssl genrsa -aes256 -out $SPLUNK_HOME/etc/auth/mycerts/myCAPrivateKey.key 2048

That should do it for you but let us know if you run into any other issues with it.

0 Karma
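The script below is an added example; it is not code from this thread, from Splunk, or from OpenSSL. It ties together the two observations above: satyenshahusda's point that only the passphrase step needed OPENSSL_FIPS=1, and the "couldn't run /opt/splunk/bin/OPENSSL_FIPS=1" failure when the variable is placed after splunk cmd. The underlying reason for the original error is the key file format: a legacy PEM key ("BEGIN RSA PRIVATE KEY" with Proc-Type/DEK-Info headers) derives its decryption key from the passphrase with the MD5-based EVP_BytesToKey routine, which a FIPS-mode OpenSSL refuses with FIPS_DIGESTINIT:disabled for fips, whereas a PKCS#8 key ("BEGIN ENCRYPTED PRIVATE KEY") uses PBKDF2 and loads normally. The script classifies an existing key file by that header, re-encrypts a key as PKCS#8, and shows the working placement of the environment variable. Assumptions, all mine: an OpenSSL 1.0.2-era CLI (the -v2prf option exists from 1.0.2), SPLUNK_HOME falling back to the universal forwarder path, a caller-chosen passphrase file, and constructed sample PEM headers that are not real keys.

```shell
#!/bin/sh
# Added example (not from the thread, Splunk or OpenSSL): check how a PEM
# private key is protected before handing it to a FIPS-mode Splunk
# instance, and re-encrypt it in a form FIPS mode accepts.
#
# Legacy PEM (BEGIN RSA PRIVATE KEY + Proc-Type: 4,ENCRYPTED + DEK-Info)
# derives the key from the passphrase with MD5-based EVP_BytesToKey; MD5
# is not FIPS-approved, hence "FIPS_DIGESTINIT:disabled for fips".
# PKCS#8 (BEGIN ENCRYPTED PRIVATE KEY) uses PBES2/PBKDF2 and loads fine.
# With FIPS mode on, the OpenSSL 1.0.x CLI writes encrypted keys as
# PKCS#8, which is why OPENSSL_FIPS=1 at the passphrase step is enough.

# Print one of: legacy-encrypted | pkcs8-encrypted | unencrypted | unknown.
# Scans the whole file, so a combined chain+key file works too.
pem_key_class() {
    f=$1
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo pkcs8-encrypted
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$f" && grep -q '^DEK-Info:' "$f"; then
        echo legacy-encrypted
    elif grep -Eq '^-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$f"; then
        echo unencrypted
    else
        echo unknown
    fi
}

# Exit status 0 if a FIPS-mode OpenSSL can load the key, 1 otherwise.
pem_key_fips_ok() {
    case $(pem_key_class "$1") in
        pkcs8-encrypted|unencrypted) return 0 ;;
        *) return 1 ;;
    esac
}

# Re-encrypt any readable key as PKCS#8 (PBKDF2-HMAC-SHA256, AES-256-CBC).
# Works whether or not OPENSSL_FIPS=1 was set when the key was generated,
# so it also rescues keys made on a non-FIPS host. $3 is a file whose
# first line is the passphrase (hypothetical path, chosen by the caller).
reencrypt_pkcs8() {
    openssl pkcs8 -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA256 \
        -in "$1" -passin "file:$3" -out "$2" -passout "file:$3"
}

# Generate a new encrypted CA key through Splunk's bundled openssl with
# FIPS mode on. The variable must come BEFORE "splunk cmd", because
# splunk cmd treats its first argument as the program to run.
gen_ca_key_fips() {
    OPENSSL_FIPS=1 "${SPLUNK_HOME:-/opt/splunkforwarder}/bin/splunk" cmd \
        openssl genrsa -aes256 -passout "file:$2" -out "$1" 2048
}

# Constructed sample headers (not real keys) so the classifier can be
# exercised offline. Writes legacy.pem, pkcs8.pem and plain.pem into $1.
write_samples() {
    d=$1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF' '' \
        'Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGtleQ==' \
        '-----END RSA PRIVATE KEY-----' > "$d/legacy.pem"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
        'Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGtleQ==' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$d/pkcs8.pem"
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' \
        'Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGtleQ==' \
        '-----END EC PRIVATE KEY-----' > "$d/plain.pem"
}

# Self-check on the constructed samples (no openssl binary needed here).
sample_dir=$(mktemp -d)
write_samples "$sample_dir"
for k in legacy pkcs8 plain; do
    f=$sample_dir/$k.pem
    if pem_key_fips_ok "$f"; then v="loads under FIPS"; else v="will fail under FIPS"; fi
    echo "$k.pem: $(pem_key_class "$f") -> $v"
done
rm -rf "$sample_dir"
```

Run pem_key_class against the forwarder's key (or the combined chain file) before restarting Splunk in FIPS mode; legacy-encrypted is the case that produces the error in the original post, and reencrypt_pkcs8 converts it without regenerating the key or re-issuing the certificate.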