Splunk Connect for k8S - HTTPS problem

npe
Engager

Hello,

I am trying to configure Splunk Connect for Kubernetes to capture a k8s cluster's application logs.

I have problems when configuring the HTTPS connection to HEC.

On the Heavy Forwarder, I have configured a ServerCert, which has been signed by our Company Authority.

Then, on Splunk Connect for Kubernetes Helm, if I configure https:

  splunk:
    hec:
      # host is required and should be provided by user
      host: hostname.domain.com
      # token is required and should be provided by user
      token: MY-HEC-TOKEN
      # protocol has two options: "http" and "https", default is "https"
      # For self signed certificate leave this field blank
      protocol: https

When deploying, I see the following logs on the Heavy Forwarder:

01-25-2022 09:37:16.729 +0100 WARN  SSLCommon [1235867 HttpInputServerDataThread] - Received fatal SSL3 alert. ssl_state='SSLv3 read client key exchange A', alert_description='unknown CA'.
01-25-2022 09:37:16.729 +0100 WARN  HttpListener [1235867 HttpInputServerDataThread] - Socket error from 10.8.199.195:55608 while idling: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.

I have to configure insecureSSL: true to get the connection working and see logs on the Indexer.

But if I activate an HTTPS connection, I do not want it to be insecure ^^.

I am a bit confused about Splunk Connect 4 Kubernetes configuration.

Can I use:

splunk:
  # Configurations for HEC (HTTP Event Collector)
  hec:
    # The PEM-format CA certificate file.
    # NOTE: The content of the file itself should be used here, not the file path.
    #       The file will be stored as a secret in kubernetes.
    caFile:

to configure my company CA?

Or are the keys clientCert, clientKey and caFile only used for mTLS configuration?

Thank you in advance for your answers.

Regards.

Nicolas.
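
The HEC log above points at `openssl verify`. The script below is an added example, not part of the original post and not Splunk's code: it runs that check against a throwaway CA to reproduce the "unknown CA" condition, then prints the CA as PEM content for the `caFile` key. The CA names (`company-ca`, `other-ca`), the temporary paths and the YAML block-scalar layout are assumptions; `hostname.domain.com` is the host from the post.

```shell
#!/usr/bin/env bash
# Constructed demo: a throwaway CA stands in for the company authority and
# signs a certificate for the HEC host name used in the post.
WORK="$(mktemp -d)"

# Create a self-signed CA at $WORK/<name>.pem (names are made up for the demo).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue server.pem for hostname.domain.com, signed by the CA named in $1.
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=hostname.domain.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/server.csr" -days 2 -CAcreateserial \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -out "$WORK/server.pem" 2>/dev/null
}

# Succeeds only when server.pem chains to the CA bundle named in $1.
# A TLS client whose bundle lacks the signing CA fails here and sends
# the "unknown CA" alert seen in the Heavy Forwarder log.
chains_to() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/server.pem" 2>/dev/null |
    grep -q ': OK$'
}

# Print the CA as literal PEM content under splunk.hec.caFile
# (the chart comment asks for the file content, not a path).
cafile_values() {
  printf 'splunk:\n  hec:\n    caFile: |\n'
  sed 's/^/      /' "$WORK/$1.pem"
}

make_ca company-ca && make_ca other-ca && issue_server_cert company-ca
chains_to company-ca && echo "company-ca: server certificate verifies"
chains_to other-ca   || echo "other-ca:   verification fails (unknown CA)"
cafile_values company-ca
```

Running the same `openssl verify -CAfile` with the real company CA bundle and the Heavy Forwarder's server certificate shows whether the bundle is complete, including any intermediate CA.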

 
