
How to verify Splunk Enterprise management port 8089 is indeed secured with own certificates


Hi All,

We want to enable SSL in our AWS Splunk Enterprise cluster on management port 8089 with our own certs (provided by my company).
I followed all the required steps from various documents and enabled splunkd SSL in server.conf on all Splunk components: CM, indexer cluster, SH cluster and deployer.

How can I verify that SSL is correctly enabled and is using our own certs?
I don't see any errors in any of the splunkd logs. But I do not know how to prove that the Splunk instances are communicating with our own certs.
Also, how is the secure communication happening without client certs? Don't we need both client and server certs on all Splunk instances to communicate securely on port 8089 (for that matter, on any port)?
Any help is highly appreciated.


Re: How to verify splunk Enterprise Management port 8089 is indeed secured with own certificates


Hello @vtalanki,

You can use Wireshark or openssl to verify it:

openssl s_client -connect your-aws-server:8089


Re: How to verify splunk Enterprise Management port 8089 is indeed secured with own certificates


Thanks @PavelP, I see my cert being displayed when using openssl.

However, when I use curl to connect to an indexer from the master (for that matter, between any two instances) I'm seeing this:

$ curl 'https://idxr-ip:8089/services/cluster/config' -v
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.

When I provide the --cacert and --capath options to curl I get:

* NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
* Unable to communicate securely with peer: requested domain name does not match the server's certificate.

I guess this is because the CN or SAN in my certs doesn't match the indexer DNS name I'm using. Any idea how this can be achieved?

For that matter, even with Splunk self-signed certs I should be seeing these errors. But I don't see any errors in splunkd.log. Is this because Splunk doesn't verify certs when communicating on 8089 with SSL? If yes, what's the point in enabling SSL then?


Re: How to verify splunk Enterprise Management port 8089 is indeed secured with own certificates


If you can connect by adding the -k switch (ignore cert errors), then your question "How can I verify that the ssl is correctly enabled and is using our own certs?" can be answered positively: SSL is enabled and the server is using your certs. You have to provide --cacert and --capath unless you include your company's CA and SubCA certificates in the root store, so this error is OK if the certificate was issued by the company's PKI CA.

BADCERTDOMAIN means the domain you are requesting doesn't match the SAN entry. You have to use the domain exactly as it is written in the SAN entry.

So if your certificate looks like this:

subject=.....CN=id.example.com
            X509v3 Subject Alternative Name:
            DNS:idxr.example.com

you have to use idxr.example.com only. Not an IP address of any kind, and not a short name like idxr (even if it can be connected to).

If you cannot connect using -k switch, then the whole SSL setup is wrong.


Re: How to verify splunk Enterprise Management port 8089 is indeed secured with own certificates


Thanks again @PavelP. I checked with the -k switch and it gave me the required output. And it seems like the

 requireClientCert = false

config in server.conf is equivalent to the -k switch (correct me if I'm wrong).
However, going to production we do want certificate verification to happen on management port 8089. So I set requireClientCert = true, restarted splunkd and I am seeing the errors/warnings below.

Cluster master splunkd.log

ERROR X509Verify - X509 certificate (CN=XXXXXX) failed validation; error=26, reason="unsupported certificate purpose"
WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate B', alert_description='unsupported certificate'.
WARN  HttpListener - Socket error from <master-ip>:36874 while idling: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.

Indexer splunkd.log

WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server session ticket A', alert_description='unsupported certificate'.

Any ideas about this? Do I need to have a client certificate as well for this? If yes, how should I refer to the client cert (where should I set it)?

And thanks for clarifying on BADCERTDOMAIN. Got your point here.


Re: How to verify splunk Enterprise Management port 8089 is indeed secured with own certificates


This is called mutual TLS: not only does the client verify the server's cert, but the server also checks the client's cert. This part is not set up correctly, so read this presentation by @dwaddle: https://conf.splunk.com/session/2015/conf2015_DWaddle_DefensePointSecurity_deploying_SplunkSSLBestPr... , this is exactly the information you need.


Re: How to verify splunk Enterprise Management port 8089 is indeed secured with own certificates


By "This part is not set correctly", do you mean that Splunk currently doesn't support mTLS?

I have gone through both the slides and the recording of this conf session but didn't understand exactly why requireClientCert is disabled for "Splunk to Splunk" communication (all it talks about is why it is disabled between DS and DC).


Re: How to verify splunk Enterprise Management port 8089 is indeed secured with own certificates


Hello @vtalanki ,

The talk is five years old, it was ahead of its time (most people just wanted to make Splunk "work") and is still great as an overview.

Here is a link about securing inter-Splunk communication (port 8089): https://docs.splunk.com/Documentation/Splunk/8.0.3/Security/Securingyourdeploymentserverandclients

Edit server.conf to authenticate against your certificates by adding the following attribute to the [sslConfig] stanza in the previous step:

requireClientCert = true

Important: This requireClientCert is set to "false" by default. If you change it to true to force Splunk to check your client's certificates, Splunk Web and the CLI will also be checked for certificates. Your CLI connection will no longer work because your CLI is unable to present a certificate as a client.

Let me know if mTLS works for you.


Re: How to verify splunk Enterprise Management port 8089 is indeed secured with own certificates


Hello @pavelP,
I have followed this and set requireClientCert = true on the CM and restarted Splunk. Below is what I see.

Cluster Master splunkd.log

ERROR X509Verify - X509 certificate (CN=XXXX,OU=XXX....) failed validation; error=26, reason="unsupported certificate purpose"
WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate B', alert_description='unsupported certificate'.
WARN  HttpListener - Socket error from <idxr1_ip>:36874 while idling: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.

Indexer splunkd.log

WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server session ticket A', alert_description='unsupported certificate'.

On both instances, server.conf looks something like this:

[sslConfig]
enableSplunkdSSL = true
useClientSSLCompression = true
sslVersions = tls1.2
serverCert = <path_to_pem>/server-cert-with-key.pem
sslRootCAPath =  <path_to_pem>/ca-chain.pem
sslVerifyServerCert = true
requireClientCert = true

except that requireClientCert = false in the indexer's server.conf.

Is it correct to have server.pem on both the CM and the indexers for serverCert? Sorry, really confused.

BTW, here is the output of openssl verify

$ /opt/splunk/bin/splunk cmd openssl verify -CAfile ca-chain.pem server-chain-with-key.pem
server-chain-with-key.pem: OK


Re: How to verify splunk Enterprise Management port 8089 is indeed secured with own certificates


I think there is something wrong with your certificates, the error message mentioned: "note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name."

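Two checks come up in this thread that can be run offline against the PEM files themselves, before touching a live node: whether the name you connect with is covered by the certificate's SAN (the curl BAD_CERT_DOMAIN error in the third post), and whether a certificate is acceptable for the purpose the peer demands once requireClientCert is on (the "error=26, unsupported certificate purpose" entries in the later posts; in OpenSSL, error 26 is X509_V_ERR_INVALID_PURPOSE, and a certificate whose extendedKeyUsage contains only serverAuth fails it when presented as a client certificate). The shell script below is an added example, not code from the thread, from Splunk or from the linked talk. It builds a throwaway lab CA with openssl, issues two leaf certificates for the constructed name idxr.example.com (one serverAuth-only, one serverAuth plus clientAuth), and runs both checks on them; every file name, hostname and IP in it is an assumption made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway lab PKI plus the two file-level checks
# discussed above. All names, paths and the hostname idxr.example.com are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# q: run a command quietly; openssl's key-generation chatter is noise here.
q() { "$@" >/dev/null 2>&1; }

# make_pki: root CA plus two leaf certs signed by it, both with SAN DNS:idxr.example.com.
#   server-only.pem  extendedKeyUsage = serverAuth            (fine for a listener only)
#   dual.pem         extendedKeyUsage = serverAuth,clientAuth (also usable as a client cert)
# The CA's CN differs from the leaf CN on purpose; Splunk's log message warns against equal CNs.
make_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$WORK/ca.ext"
  q openssl req -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.csr" -subj "/CN=Example Lab Root CA"
  q openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 -extfile "$WORK/ca.ext" -out "$WORK/ca.pem"

  q openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=idxr.example.com"
  for variant in server-only:serverAuth dual:serverAuth,clientAuth; do
    name=${variant%%:*}; eku=${variant#*:}
    printf 'subjectAltName=DNS:idxr.example.com\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' "$eku" \
      > "$WORK/$name.ext"
    q openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
      -days 365 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem"
  done
}

# cert_sans CERT: print the Subject Alternative Name entries of a PEM certificate.
cert_sans() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# hostname_matches NAME CERT: succeeds only if NAME is covered by the certificate (SAN first;
# the CN is ignored once DNS SANs exist). This is the check curl performs before it reports
# "requested domain name does not match the server's certificate".
hostname_matches() {
  q openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$2"
}

# usable_for PURPOSE CERT: chain-verify CERT for an OpenSSL purpose (sslserver or sslclient).
# A listener enforcing requireClientCert checks the peer's certificate for the sslclient
# purpose; a serverAuth-only certificate fails that with X509_V_ERR_INVALID_PURPOSE
# (error 26, "unsupported certificate purpose").
usable_for() {
  q openssl verify -CAfile "$WORK/ca.pem" -purpose "$1" "$2"
}

# Demo run: report what each check says about the two certificates.
make_pki
for cert in server-only dual; do
  pem="$WORK/$cert.pem"
  echo "$cert: SAN = $(cert_sans "$pem")"
  for name in idxr.example.com idxr 10.0.0.5; do   # constructed names: FQDN, short name, an IP
    if hostname_matches "$name" "$pem"; then echo "  $name: hostname OK"; else echo "  $name: hostname mismatch"; fi
  done
  for purpose in sslserver sslclient; do
    if usable_for "$purpose" "$pem"; then echo "  $purpose: OK"; else echo "  $purpose: unsupported certificate purpose"; fi
  done
done
```

Only the FQDN in the SAN passes the hostname check; the short name and the IP fail even though the certificate is otherwise valid, which is the BAD_CERT_DOMAIN situation. Both certificates verify for sslserver, but only dual.pem verifies for sslclient. If a node presents the file it uses as serverCert when it connects to a peer that has requireClientCert = true, that file must pass the sslclient check; `openssl x509 -in cert.pem -noout -purpose` lists which purposes a certificate is good for. The same flags carry over to a live check of port 8089: `openssl s_client -connect idxr.example.com:8089 -CAfile ca-chain.pem -verify_hostname idxr.example.com -verify_return_error` shows the served chain and a "Verify return code" line that should read 0 (ok).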