
Splunk Server PEM File Expired - SSO(SAML) Not working

njohnson7
Path Finder

Hello Team, need some help regarding certificates and SSO. From December 14th onwards, we are unable to access our Splunk Prod and Dev instances through SSO over the internet. It gives the "site cannot be reached" error. SSO is powered by Ping Federate, and the SSO team informed us that the SplunkServer default certificate has expired, hence the issue. Upon checking further for both Prod and Dev instances, we found that:

server.pem expired on December 14th 2020.
idpCert.pem is expiring on January 15th 2021.

We generated a new server.pem file in the test environment, but it seemed to be a combination of certificates and a private key. We used the following method to create the server.pem:

1. Run the command: $SPLUNK_HOME/bin/openssl x509 -enddate -noout -in $SPLUNK_HOME/etc/auth/server.pem
2. Check the expiry date in the output; if it has expired, do the steps below:
3. Go to $SPLUNK_HOME/etc/auth/
4. Rename server.pem to server.pem_backup
5. Restart Splunk using the command ./splunk restart
6. After the restart you will be able to see a new server.pem file.
7. Check the expiry date of the certificate now using the command: $SPLUNK_HOME/bin/openssl x509 -enddate -noout -in $SPLUNK_HOME/etc/auth/server.pem
8. The expiry date will be extended.



server.pem file -->

<BEGIN CERTIFICATE>
---------------------
---------------------
<END CERTIFICATE>
<BEGIN ENCRYPTED PRIVATE KEY>
---------------
----------------
<END ENCRYPTED PRIVATE KEY>
<BEGIN CERTIFICATE>
---------------------
---------------------
<END CERTIFICATE>



Whereas the crt file the SSO team showed us was in the following format:

<BEGIN CERTIFICATE>
---------------------
---------------------
<END CERTIFICATE>


For SAML we have this (removed the lines with password & client info):

[SAML]
caCertFile = /opt/splunk/etc/auth/cacert.pem
idpCertPath = idpCert.pem
sslKeysfile = /opt/splunk/etc/auth/server.pem
sslVerifyServerCert = false
sslVersions = SSL3,TLS1.0,TLS1.1,TLS1.2
ssoBinding = HTTPRedirect



1- Do we need to make a separate .crt file by making use of the first stanza enclosed between Begin and End Certificate from this pem file and give it to the SSO team? in authentication.conf

2- Since the idpCert is expiring soon, do we need to get a new idpCert from the SSO provider and place it in the idpCertPath? Are there any other things that need to be taken care of?

Could anyone help me with these? Any help would be really appreciated!

0 Karma
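An added example, not part of the original post and not Splunk's own tooling: if only the public certificate has to be handed to another team, the first CERTIFICATE block can be split out of a combined server.pem like the one sketched above, leaving the encrypted private key on the host. Real PEM files use five-dash markers (`-----BEGIN CERTIFICATE-----`); the function names and the sample bundle are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect a combined PEM bundle and export only its first
# CERTIFICATE block, so private key material never leaves the host.

# Constructed sample with the same layout as the post: cert, key, cert.
write_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRi1DRVJU
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZ
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0EtQ0VSVA==
-----END CERTIFICATE-----
EOF
}

# List the type of every PEM block in file order, one per line.
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Print the first CERTIFICATE block (BEGIN..END inclusive), then stop reading.
first_certificate() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { inside = 1 }
        inside { print }
        inside && /^-----END CERTIFICATE-----$/ { exit }
    ' "$1"
}

# Write the first certificate of $1 to $2. Fails, and removes $2, when no
# certificate exists, the block is unterminated, or key material leaked in
# (an unterminated certificate would otherwise run on into the key block).
export_public_cert() {
    src=$1 dst=$2
    first_certificate "$src" > "$dst"
    if [ ! -s "$dst" ] ||
       [ "$(tail -n 1 "$dst")" != "-----END CERTIFICATE-----" ] ||
       grep -q 'PRIVATE KEY' "$dst"; then
        echo "refusing to export from $src: missing or malformed certificate" >&2
        rm -f "$dst"
        return 1
    fi
}
```

The exported file can then be checked with the same expiry command used in the steps above, pointed at the new .crt file instead of server.pem.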

harsmarvania57
Ultra Champion

I guess this was answered in Splunk Community slack.

0 Karma

njohnson7
Path Finder

@harsmarvania57 - Yes same topic of discussion with Xpac 🙂 

Trying to learn the process of generating our own certificates and the conf files that need to be updated so as to ensure nothing breaks 🙂 

0 Karma