Security

FIPS kvstore certificate purpose

pongey
New Member

Environment- Single Splunk 7.3.9 search head / indexer with FIPS_MODE=1

etc/system/local/server.conf

 

 

 

[sslConfig]
sslRootCAPath = $SPLUNK_HOME\etc\auth\mycerts\consolidatedCA.pem

[kvstore]
serverCert = mycerts\kvstore_consolidated.pem
sslPassword = <password_for_private_key>

 

 

 

the "kvstore_consolidated.pem" contains my private key, and the server cert.

Issue: kvstore fails to start. (log below from splunkd.log)

 

 

07-19-2021 11:06:35.763 -0400 ERROR KVStoreConfigurationProvider - Could not get ping from mongod.
07-19-2021 11:06:35.763 -0400 ERROR KVStoreConfigurationProvider - Could not start mongo instance. Initialization failed.
07-19-2021 11:06:35.763 -0400 ERROR KVStoreBulletinBoardManager - KV Store changed status to failed. Failed to start KV Store process. See mongod.log and splunkd.log for details..
07-19-2021 11:06:35.763 -0400 ERROR KVStoreBulletinBoardManager - Failed to start KV Store process. See mongod.log and splunkd.log for details.

 

 

mongod.log 

 

 

2021-07-15T14:36:03.080Z E NETWORK  [conn941] SSL peer certificate validation failed: unsupported certificate purpose
2021-07-15T14:36:03.080Z I NETWORK  [conn941] Error receiving request from client: SSLHandshakeFailed: SSL peer certificate validation failed: unsupported certificate purpose. Ending connection from 127.0.0.1:52128 (connection id: 941)

 

 

so it seems like the server is trying to make loopback requests and trying to act as both the server and the client in SSL comms.

In reading this , (while its not the same issue), the suggestion is to have the CA sign the CSR so its both client and server. 

Before I go down this road (the CA I am using does not seem to support this- it can only sign as  either "user" or "server"), just want to see if anyone else have ran into this? 

I also tried the server.conf settings in this article, but with same results:

https://splunkcommunity.com/wp-content/uploads/2019/11/FIPSConf_Final.pdf

Labels (2)
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!