Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk FIPS 140-2 with SSL tls1.2 certificates

matthewssa
Path Finder
‎05-24-2018 01:46 PM

Hello!

Does Splunk support running FIPS while using SSL tls1.2 certificates? I read this article and think this might be the reason why I can not get those two working together. https://docs.splunk.com/Documentation/AddOns/released/Overview/Add-onsandFIPsmode

I have tried to enable the [SSL] and [splunktcp-ssl:9998] stanzas in Splunk while running Splunk in FIPS and the port 9998 doesn't show up in netstat. While running the same configurations on a non FIPS instance works without any issue. I can get the Splunk FIPS version to listen on a port as long as I am not using the two stanzas [SSL] and [splunktcp-ssl:9998] and instead using the default stanza [splunktcp://9997].

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

matthewssa
Path Finder
‎05-29-2018 01:41 PM

The splunkd.log was showing invalid password or certificate not found. The same settings were used on a Splunk instance without FIPS with the same settings and was working. To fix the issue though I created now SSL certs, but still was not able to identify the root cause. I used the following steps in the splunk documentation to create new SSL certs to get this working in FIPS mode.

Step1: http://docs.splunk.com/Documentation/Splunk/6.0/Security/Howtoself-signcertificates
Step2: http://docs.splunk.com/Documentation/Splunk/6.0/Security/HowtoprepareyoursignedcertificatesforSplunk
Step3: http://docs.splunk.com/Documentation/Splunk/6.0/Security/ConfigureSplunkforwardingtousesignedcertifi...
Step4: http://docs.splunk.com/Documentation/Splunk/6.0/Security/Validateyourconfiguration

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

matthewssa
Path Finder
‎05-29-2018 01:41 PM

The splunkd.log was showing invalid password or certificate not found. The same settings were used on a Splunk instance without FIPS with the same settings and was working. To fix the issue though I created now SSL certs, but still was not able to identify the root cause. I used the following steps in the splunk documentation to create new SSL certs to get this working in FIPS mode.

Step1: http://docs.splunk.com/Documentation/Splunk/6.0/Security/Howtoself-signcertificates
Step2: http://docs.splunk.com/Documentation/Splunk/6.0/Security/HowtoprepareyoursignedcertificatesforSplunk
Step3: http://docs.splunk.com/Documentation/Splunk/6.0/Security/ConfigureSplunkforwardingtousesignedcertifi...
Step4: http://docs.splunk.com/Documentation/Splunk/6.0/Security/Validateyourconfiguration

0 Karma
Reply
Get Updates on the Splunk Community!

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW!Every day the list of sources Admins are responsible for gets bigger and bigger, often making the ...

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

REGISTER NOW!Join us for a Tech Talk around our latest release of Splunk Enterprise Security 7.2! We’ll walk ...

Introduction to Splunk AI

WATCH NOWHow are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. ...