Security

Splunk Server PEM File Expired - SSO(SAML) Not working

njohnson7
Path Finder

Hallo Team, Need some help regarding Certificates and SSO.From December 14th onwards, we are unable to access our Splunk Prod and Dev instances through SSO over the internet. It gives the site cannot be reached error.SSO is powered by Ping Federate and the SSO Team informed that SplunkServer Default Certificate has got expired and hence the issue.Upon checking further for both Prod and Dev instances , we found that -

server.pem got expired on December 14th 2020.
idpCert.pem is expiring on January 15th 2021.    

We generated a new server.pem file in the test environment but it seemed to be a combination of certificates and a private key.We used the following method to create the server.pem

1. Run the command: $SPLUNK_HOME\bin\openssl x509 -enddate -noout -in $SPLUNK_HOME/etc/auth/server.pem
2. Check the expiry date of output if expired then do the below steps:
3. Go to $SPLUNK_HOME\etc\auth\
4. Rename server.pem to server.pem_backup
5. Restart the splunk using command ./splunk restart
6. After restart you will be able to see a new server.pem file.
7. Check the expiry date of Certificate now using command: $SPLUNK_HOME\bin\openssl x509 -enddate -noout -in $SPLUNK_HOME/etc/auth/server.pem
8. The expiry date will be extended.



server.pem file -->

<BEGIN CERTIFICATE>
---------------------
---------------------
<END CERTIFICATE><BEGIN ENCRYPTED PRIVATE KEY>
---------------
----------------
<END ENCRYPTED PRIVATE KEY><BEGIN CERTIFICATE>
---------------------
---------------------
<END CERTIFICATE>



Where as the crt file the SSO team showed us was in the following format:

<BEGIN CERTIFICATE>
---------------------
---------------------
<END CERTIFICATE>


For SAML we have this ( removed the lines with password & client info) :

[SAML]
caCertFile = /opt/splunk/etc/auth/cacert.pem
idpCertPath = idpCert.pem
sslKeysfile = /opt/splunk/etc/auth/server.pem
sslVerifyServerCert = false
sslVersions = SSL3,TLS1.0,TLS1.1,TLS1.2
ssoBinding = HTTPRedirect



1- Do we need to make separate .crt file by making use of the first stanza enclosed between Begin and End Certificate from this pem file and give to SSO team?in authentication.conf

2- Since the idpCert is getting expired soon, do we need to get a new idpCert from the SSO provider and place it in the idpCertPath ? Are there any other things that need be taken care of?

Could anyone help me with these ? Any help would be really appreciated!

Labels (4)
0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

I guess this was answered in Splunk Community slack.

0 Karma

njohnson7
Path Finder

@harsmarvania57 - Yes same topic of discussion with Xpac 🙂 

Trying to learn the process of generating our own certificates and the conf files that need to be updated so as to ensure nothing breaks 🙂 

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.