Security

How do I resolve X509Verify default certificate warnings?

Explorer

I see the below warnings in the splunkd.log files on all my Splunk instances.

Could you please advise on how to resolve these? Or can we ignore them?

WARN  X509Verify - X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) should not be used, as it is issued by Splunk's own default Certificate Authority (CA). This puts your Splunk instance at very high-risk of the MITM attack. Either commercial-CA-signed or self-CA-signed certificates must be used; see: 

SplunkTrust

@zeespl,

As mentioned in the warning itself, default certificates are not considered highly secure. Anyone who has downloaded Splunk Enterprise has server certificates signed by the same root certificate and is able to authenticate to your certificates. To ensure that no one can easily snoop on your traffic or wrongfully send data to your indexers, Splunk recommends that you replace them with signed certificates.

You can either use a self-signed certificate as mentioned in https://docs.splunk.com/Documentation/Splunk/7.1.2/Security/Howtoself-signcertificates

Or

Use a third-party certificate: https://docs.splunk.com/Documentation/Splunk/7.1.2/Security/Howtogetthird-partycertificates

The decision is purely based on your organizational requirements. Normally self-signed certificates are used in test/dev environments and external certificates are used in PROD. However, as mentioned, it purely depends on your data/environment security requirements and also the network zone you have set up your Splunk infra in. If it's exposed to the "outside" world, it's always advised to use a proper certificate.

Also see: https://conf.splunk.com/session/2015/conf2015_DWaddle_DefensePointSecurity_deploying_SplunkSSLBestPr...


Explorer

Thanks Renjith.

We have a single Splunk instance running, doing the job of both search head and indexer. On it I can't see any such warnings. No self-signed or third-party certificate is placed on it apart from the Splunk default ones.

On the new setup, where we have separate servers for search head and indexer, I am getting this warning in the logs.

The warnings should come on both, if the default ones are not trustworthy.


SplunkTrust

@zeespl, the certificates are being used when there is a connection from server A to server B. If you have a standalone host, then there might not be any incoming/outgoing traffic. On the other hand, when the search heads and indexers are on different machines, it requires connections between different machines and hence the warning. Hope that helps!


Explorer

@renjith.nair, in a standalone setup there is also incoming/outgoing traffic from forwarders. Does this not require a certificate?

Or is it just for internal communication between search heads and indexers?


SplunkTrust

Depends on your setup. Have you enabled SSL between forwarder and indexer?


Explorer

No, I have not configured forwarders as of now. We just have a search head and 2 indexer peers.

How can we check whether SSL is enabled or not?


SplunkTrust

Here is a summary of SSL traffic: http://docs.splunk.com/Documentation/Splunk/7.1.3/Security/AboutsecuringyourSplunkconfigurationwithS...

To check your traffic between forwarder and indexer, check if the following configurations are set.

http://docs.splunk.com/Documentation/Splunk/7.1.3/Security/ConfigureSplunkforwardingtousethedefaultc...

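One way to answer both of the thread's questions offline (is the default certificate still in use, and is TLS receiving actually configured), as an added example that is not part of the original answers: it scans splunkd.log text for the X509Verify warning quoted in the question and reads an inputs.conf for the `[splunktcp-ssl:<port>]` and `[SSL]` stanzas. The sample log lines and inputs.conf are constructed, and the certificate path in them is a placeholder.

```python
import configparser
import re

# Subject of the default server certificate Splunk ships with, quoted verbatim
# in the splunkd.log warning from the question.
DEFAULT_SUBJECT = {"O": "SplunkUser", "CN": "SplunkServerDefaultCert"}

# Captures the certificate subject from an X509Verify warning line.
WARN_RE = re.compile(r"WARN\s+X509Verify - X509 certificate \(([^)]*)\) should not be used")

# Constructed splunkd.log excerpt (timestamps and the INFO line are made up).
SAMPLE_LOG = """\
09-20-2018 10:15:02.118 +0000 INFO  TcpInputProc - Listening on port 9997
09-20-2018 10:15:02.341 +0000 WARN  X509Verify - X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) should not be used, as it is issued by Splunk's own default Certificate Authority (CA).
"""

# Constructed inputs.conf fragment enabling TLS receiving on an indexer;
# the serverCert path is a placeholder, not a real deployment's path.
SAMPLE_INPUTS = """\
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/indexer.pem
sslPassword = <placeholder>
requireClientCert = false
"""


def parse_subject(subject):
    """Turn 'O=SplunkUser,CN=SplunkServerDefaultCert' into a dict of RDNs."""
    parts = (p.split("=", 1) for p in subject.split(",") if "=" in p)
    return {k.strip(): v.strip() for k, v in parts}


def is_splunk_default_cert(subject):
    """True when the subject is the default cert every Splunk download ships with."""
    rdns = parse_subject(subject)
    return all(rdns.get(k) == v for k, v in DEFAULT_SUBJECT.items())


def find_default_cert_warnings(log_text):
    """Subjects of X509Verify warnings that refer to the default certificate."""
    return [m.group(1) for m in WARN_RE.finditer(log_text)
            if is_splunk_default_cert(m.group(1))]


def ssl_receiving_configured(inputs_conf_text):
    """Return (has_ssl_listener, server_cert) from an inputs.conf's TLS stanzas."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep Splunk's case-sensitive keys such as serverCert
    cp.read_string(inputs_conf_text)
    has_listener = any(s.startswith("splunktcp-ssl:") for s in cp.sections())
    return has_listener, cp.get("SSL", "serverCert", fallback=None)
```

A plain `[splunktcp:<port>]` stanza with no `[SSL]` stanza means forwarders send in clear text, which is the case the last question above describes.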

Explorer

I can't find anything in inputs.conf file.

Would you mind sharing the exact steps to create, place and configure certificates in my setup: one search head and 2 indexers.

How can I procure third-party signed certificates, and how many of these are required and of what type?
