Attempting to install local/self-signed certs (Splunk Indexer houses Root CA with a cert distributed to all forwarders), and receiving the following error, ostensibly FIPS-related:
ERROR SSLCommon - Can't read key file /opt/splunkforwarder/etc/auth/mycerts/forwarderchain.pem errno=101351587 error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips.
This is on a Splunk Forwarder with FIPS enabled (all installations will be on Linux FIPS-kernel systems), using Splunk's inboard OpenSSL (1.0.2p-fips; and even if this had failed the latent installation instance is 1.0.2k-fips), and using ciphers that should be validated to generate the keys (-aes256 on key generation, -sha512 for final pem).
Is there some inherent compatibility issue that I'm missing that prevents this setup while in FIPS mode? Has anyone run across a similar error when working through the Splunk documentation for cert generation? I've essentially followed the following page step by step:
https://docs.splunk.com/Documentation/Splunk/latest/Security/Howtoself-signcertificates
I've seen some references about needing to set OPENSSL_FIPS=1 for the OpenSSL instance, but can't tell if that's a change to the openssl.cnf file in /opt/splunkforwarder/openssl/openssl.conf, a general environment setting, or if it's even needed given I have the FIPS OpenSSL package to begin with.
It looks like you simply need to use OPENSSL_FIPS=1 in your command when you create the key. So the command would read:
$SPLUNK_HOME/bin/splunk cmd OPENSSL_FIPS=1 openssl genrsa -aes256 -out myCAPrivateKey.key 2048
This is based on the following: https://mta.openssl.org/pipermail/openssl-dev/2015-February/000577.html
When deploying a new EC cert, the critical step was invoking FIPS when encrypting the key with a passphrase:
$ OPENSSL_FIPS=1 openssl ec -aes256 -in splunkforwarders.key -out splunkforwarders.enc.key
I didn't need to invoke FIPS when generating the key, or the CSR. Just when passphrasing the key.
So I thought the same; however, I can't seem to pass that variable within the context of splunk cmd.
OPENSSL_FIPS=1 openssl works fine.
$SPLUNK_HOME/bin/splunk cmd OPENSSL_FIPS=1 openssl returns
couldn't run "/opt/splunk/bin/OPENSSL_FIPS=1": No such file or directory
Perhaps there's some sort of syntactical fix/workaround for that in Splunk that I'm not aware of.
I just double-checked on this and apparently Splunk has openssl packaged with it. Using the $SPLUNK_HOME/bin/splunk prefix essentially just directs your device to utilize the Splunk version of the package (which is why it couldn't find the FIPS version since that isn't normally included). You don't actually need to use this if you already have openssl installed (which is likely anyway since I believe it's included by default in most Linux distros these days).
Just make sure you include the full filepath for your key output and you can run the command without the $SPLUNK_HOME preface.
OPENSSL_FIPS=1 openssl genrsa -aes256 -out $SPLUNK_HOME/etc/auth/mycerts/myCAPrivateKey.key 2048
That should do it for you but let us know if you run into any other issues with it.
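As an added example (not code from this thread or from Splunk's documentation), here is a POSIX shell script that runs the self-sign procedure the question links to with OPENSSL_FIPS=1 set in the environment before `splunk cmd` rather than after it (the "couldn't run /opt/splunk/bin/OPENSSL_FIPS=1" error above shows that `splunk cmd` treats its first argument as a program name), plus a pre-flight check on each key before it is handed to the forwarder. The check rests on my reading of OpenSSL 1.0.2, stated here as an assumption: a traditional "Proc-Type: 4,ENCRYPTED / DEK-Info" PEM derives its encryption key from the passphrase with MD5, which FIPS mode refuses when the key is read back (the FIPS_DIGESTINIT error in the question), whereas with FIPS mode on at encryption time the key is written as PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY", PBKDF2-based), which loads under FIPS. That is consistent with the report above that only the passphrase step needed FIPS on. The output directory, the `generate` argument and the function names are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes $SPLUNK_HOME points at a Splunk
# forwarder with its bundled FIPS-capable OpenSSL 1.0.2, and assumes (my
# reading of OpenSSL 1.0.2) that FIPS mode at encryption time produces a
# PKCS#8 envelope instead of the MD5-derived "DEK-Info" traditional PEM.

# Classify a PEM private-key file by its encryption envelope.
# Prints: pkcs8-encrypted | legacy-encrypted | unencrypted | unknown
pem_key_envelope() {
    f=$1
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo pkcs8-encrypted
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$f" && grep -q '^DEK-Info:' "$f"; then
        # Traditional PEM: passphrase KDF is MD5, rejected in FIPS mode.
        echo legacy-encrypted
    elif grep -q '^-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo unencrypted
    else
        echo unknown
    fi
}

# Succeeds only for envelopes a FIPS-mode reader can open.
fips_loadable() {
    case "$(pem_key_envelope "$1")" in
        pkcs8-encrypted|unencrypted) return 0 ;;
        *) return 1 ;;
    esac
}

# Run Splunk's bundled openssl with FIPS mode on. The variable is a shell
# prefix assignment, so it is exported to splunk and on to openssl; placing
# it after "splunk cmd" would be taken as the program to run.
splunk_openssl_fips() {
    OPENSSL_FIPS=1 "$SPLUNK_HOME/bin/splunk" cmd openssl "$@"
}

# Abort with a clear message if a key would trip FIPS_DIGESTINIT at load.
require_fips_key() {
    fips_loadable "$1" || {
        echo "refusing to continue: $1 is $(pem_key_envelope "$1"); regenerate with OPENSSL_FIPS=1" >&2
        exit 1
    }
}

# The procedure only runs when invoked as: sh thisscript.sh generate
if [ "${1:-}" = generate ]; then
    : "${SPLUNK_HOME:=/opt/splunkforwarder}"
    out=$SPLUNK_HOME/etc/auth/mycerts
    mkdir -p "$out"

    # Root CA key: the passphrase encryption happens here, so FIPS must be on.
    splunk_openssl_fips genrsa -aes256 -out "$out/myCAPrivateKey.key" 2048
    require_fips_key "$out/myCAPrivateKey.key"
    splunk_openssl_fips req -new -key "$out/myCAPrivateKey.key" \
        -out "$out/myCACertificate.csr"
    splunk_openssl_fips x509 -req -in "$out/myCACertificate.csr" -sha512 \
        -signkey "$out/myCAPrivateKey.key" -CAcreateserial \
        -out "$out/myCACertificate.pem" -days 1095

    # Forwarder key and certificate, signed by the CA above.
    splunk_openssl_fips genrsa -aes256 -out "$out/myServerPrivateKey.key" 2048
    require_fips_key "$out/myServerPrivateKey.key"
    splunk_openssl_fips req -new -key "$out/myServerPrivateKey.key" \
        -out "$out/myServerCertificate.csr"
    splunk_openssl_fips x509 -req -in "$out/myServerCertificate.csr" -sha512 \
        -CA "$out/myCACertificate.pem" -CAkey "$out/myCAPrivateKey.key" \
        -CAcreateserial -out "$out/myServerCertificate.pem" -days 1095

    # Chain file as the Splunk docs lay it out: server cert, server key, CA cert.
    cat "$out/myServerCertificate.pem" "$out/myServerPrivateKey.key" \
        "$out/myCACertificate.pem" > "$out/forwarderchain.pem"
    require_fips_key "$out/forwarderchain.pem"
    echo "wrote $out/forwarderchain.pem"
fi
```

Run `sh thisscript.sh generate` on the forwarder; the envelope check is cheap to run on an existing forwarderchain.pem too, since a chain containing a "DEK-Info" key is exactly the file the forwarder refused to read.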
Is there a way to provide the OPENSSL_FIPS=1 variable to OpenSSL on Windows?
I've tried using Powershell and piping the variable in, as well as adding to the openssl.cnf file.
Ah, disregard.
Setting as a system environment variable did the trick.