Unable to configure SSL even with built-in certs

New Member

Splunk 4.1.5, CentOS 5.5 64-bit

I am trying to configure SSL for forwarding/receiving data, à la this question: http://answers.splunk.com/questions/397/how-to-configure-ssl-for-forwarding-and-receiving-data

However something is going wrong, and I keep getting the following in the splunk logs at startup:

09-29-2010 11:54:34.501 INFO  TcpInputProc - SSL cipherSuite=ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
09-29-2010 11:54:34.501 INFO  TcpInputProc - supporting SSL v2/v3
09-29-2010 11:54:34.501 ERROR SSLCommon - Can't read key file /opt/splunk/etc/auth/server.pem
09-29-2010 11:54:34.501 ERROR TcpInputProc - SSL server certificate not found, or password is wrong - SSL ports will not be opened
09-29-2010 11:54:34.523 INFO  TcpInputProc - port 9998 is reserved for splunk 2 splunk (SSL)

Since I can't get the receiver to work, I haven't bothered trying the forwarder yet, so I will omit that info unless asked. Here is the configuration of the receiver:

$SPLUNK_HOME/etc/system/local/server.conf:

[sslConfig]
caPath = /opt/splunk/etc/auth
certCreateScript = /opt/splunk/bin/genSignedServerCert.py
sslKeysfilePassword = <hashed password is here>
supportSSLV3Only = true

$SPLUNK_HOME/etc/apps/search/local/inputs.conf:

[SSL]
serverCert=/opt/splunk/etc/auth/server.pem
password=<unhashed password is here>
requireClientCert = false
RootCA=/opt/splunk/etc/auth/cacert.pem

[splunktcp-ssl:9998]
compressed = true

I have tried this with the built-in certs and also regenerating them all with genRootCA.sh and genSignedServerCert.sh. Either way I get the same error on startup. I have tried using "password" with no quotes for both password fields, as well as using a custom password when I generated my own certs. Neither one worked.

I checked permissions and they look fine, and I get errors even if I try to run Splunk as root. I can su to the splunk user and ls/cat the cert files just fine.

ls -la
total 36
drwx------  2 splunk splunk 4096 Sep 29 11:53 .
drwxr-xr-x 19 root   root   4096 Sep 29 11:40 ..
-rw-r--r--  1 splunk splunk  863 Sep 29 11:50 cacert.pem
-rw-r--r--  1 splunk splunk  963 Sep 29 11:50 cakey.pem
-rw-r--r--  1 splunk splunk 1826 Sep 29 11:50 ca.pem
-rw-r--r--  1 splunk splunk  660 Sep 29 11:50 careq.pem
-rw-r--r--  1 splunk splunk   17 Sep 29 11:53 ca.srl
-rw-r--r--  1 splunk splunk 2673 Sep 29 11:53 server.pem
-r--------  1 splunk splunk  255 Sep 29 11:40 splunk.secret

This is driving me up the wall, any insight into what I am doing wrong would be appreciated!

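A way to reproduce Splunk's "Can't read key file ... or password is wrong" check outside Splunk, added here as an example that is not from the thread. It uses only the openssl CLI and assumes server.pem holds an encrypted private key followed by its certificate, as genSignedServerCert.sh produces; run it as the user splunkd runs as so that file permissions are tested too.

```shell
#!/bin/sh
# Added example (not from the original thread). Isolates the three things
# that make splunkd log "Can't read key file": the file is unreadable by
# the Splunk user, the clear-text password does not decrypt the key, or
# the certificate in the file does not belong to that key.
# Assumes: openssl is on PATH; PEMFILE is key-then-cert as Splunk expects.

# check_splunk_pem PEMFILE PASSWORD
# Returns 0 when PEMFILE is readable, PASSWORD decrypts its private key,
# and the certificate in the file matches that key; non-zero otherwise.
check_splunk_pem() {
    pem="$1"
    pw="$2"

    if [ ! -r "$pem" ]; then
        echo "cannot read $pem (check owner/mode for the splunk user)" >&2
        return 2
    fi

    # Step 1: does the password open the key? This is the check that
    # shows up as "password is wrong" in splunkd.log.
    if ! openssl pkey -in "$pem" -passin "pass:$pw" -noout 2>/dev/null; then
        echo "private key in $pem could not be decrypted with that password" >&2
        return 3
    fi

    # Step 2: does the certificate in the same file belong to that key?
    # Derive the public key from each half of the PEM file and compare.
    key_pub=$(openssl pkey -in "$pem" -passin "pass:$pw" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "certificate in $pem does not match its private key" >&2
        return 4
    fi

    echo "$pem: key decrypts and matches its certificate" >&2
    return 0
}

# Usage (values are placeholders, not from the thread):
#   check_splunk_pem /opt/splunk/etc/auth/server.pem 'your-clear-text-password'
```

If this returns 0 as the splunk user but splunkd still logs the error, the password Splunk is actually using differs from the one you tested, which is what the restart question in the answers below is getting at.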

Splunk Employee

Did you restart Splunk after you input the unhashed password? Did you verify using lsof or netstat that the port was not actually open?

SplunkTrust

Hexx has done some serious study on this and has a working recipe with SSL mutual auth.

http://answers.splunk.com/questions/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certifi...