
Unable to configure SSL even with built-in certs

Docjowles
New Member

Splunk 4.1.5, CentOS 5.5 64-bit

I am trying to configure SSL for forwarding/receiving data, à la this question: http://answers.splunk.com/questions/397/how-to-configure-ssl-for-forwarding-and-receiving-data

However something is going wrong, and I keep getting the following in the splunk logs at startup:

09-29-2010 11:54:34.501 INFO  TcpInputProc - SSL cipherSuite=ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
09-29-2010 11:54:34.501 INFO  TcpInputProc - supporting SSL v2/v3
09-29-2010 11:54:34.501 ERROR SSLCommon - Can't read key file /opt/splunk/etc/auth/server.pem
09-29-2010 11:54:34.501 ERROR TcpInputProc - SSL server certificate not found, or password is wrong - SSL ports will not be opened
09-29-2010 11:54:34.523 INFO  TcpInputProc - port 9998 is reserved for splunk 2 splunk (SSL)

Since I can't get the receiver to work, I haven't bothered trying the forwarder yet, so I will omit that info unless asked. Here is the configuration of the receiver:

$SPLUNK_HOME/etc/system/local/server.conf:

[sslConfig]
caPath = /opt/splunk/etc/auth
certCreateScript = /opt/splunk/bin/genSignedServerCert.py
sslKeysfilePassword = <hashed password is here>
supportSSLV3Only = true

$SPLUNK_HOME/etc/apps/search/local/inputs.conf:

[SSL]
serverCert=/opt/splunk/etc/auth/server.pem
password=<unhashed password is here>
requireClientCert = false
RootCA=/opt/splunk/etc/auth/cacert.pem

[splunktcp-ssl:9998]
compressed = true

I have tried this with the built-in certs and also regenerating them all with genRootCA.sh and genSignedServerCert.sh. Either way I get the same error on startup. I have tried using "password" with no quotes for both password fields, as well as using a custom password when I generated my own certs. Neither one worked.

I checked permissions and they look fine, and I get errors even if I try to run Splunk as root. I can su to the splunk user and ls/cat the cert files just fine.

ls -la
total 36
drwx------  2 splunk splunk 4096 Sep 29 11:53 .
drwxr-xr-x 19 root   root   4096 Sep 29 11:40 ..
-rw-r--r--  1 splunk splunk  863 Sep 29 11:50 cacert.pem
-rw-r--r--  1 splunk splunk  963 Sep 29 11:50 cakey.pem
-rw-r--r--  1 splunk splunk 1826 Sep 29 11:50 ca.pem
-rw-r--r--  1 splunk splunk  660 Sep 29 11:50 careq.pem
-rw-r--r--  1 splunk splunk   17 Sep 29 11:53 ca.srl
-rw-r--r--  1 splunk splunk 2673 Sep 29 11:53 server.pem
-r--------  1 splunk splunk  255 Sep 29 11:40 splunk.secret

This is driving me up the wall; any insight into what I am doing wrong would be appreciated!

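A check worth running as the splunk user before each restart, added here as an example and not part of the thread: it uses OpenSSL to test whether the file named in serverCert is readable, holds both a certificate and a private key, decrypts with the unhashed password from inputs.conf, and has a certificate that belongs to that key (cert modulus equal to key modulus). It assumes an RSA key; the function name and the usage line are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check the PEM file and passphrase that Splunk's
# [SSL] serverCert / password settings point at. Exit status 0 means
# OpenSSL could read the file, decrypt the key with the given passphrase,
# and the certificate's modulus matches the key's modulus (RSA assumed).
check_splunk_pem() {
    pem="$1"
    pw="$2"
    if [ ! -r "$pem" ]; then
        echo "FAIL: $pem is not readable by $(id -un)" >&2
        return 1
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$pem"; then
        echo "FAIL: $pem contains no certificate block" >&2
        return 1
    fi
    if ! grep -q 'PRIVATE KEY' "$pem"; then
        echo "FAIL: $pem contains no private key (serverCert must hold cert + key)" >&2
        return 1
    fi
    # Decrypting the key is the real test of the (unhashed) passphrase.
    if ! openssl rsa -in "$pem" -passin "pass:$pw" -noout >/dev/null 2>&1; then
        echo "FAIL: OpenSSL cannot decrypt the key in $pem with that passphrase" >&2
        return 1
    fi
    # A cert issued for a different key would still "load" but never handshake.
    cert_mod=$(openssl x509 -in "$pem" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa -in "$pem" -passin "pass:$pw" -noout -modulus 2>/dev/null)
    if [ -z "$cert_mod" ] || [ "$cert_mod" != "$key_mod" ]; then
        echo "FAIL: certificate and private key in $pem do not match" >&2
        return 1
    fi
    echo "OK: $pem readable, key decrypts, certificate matches key"
    return 0
}

# Hypothetical usage on the receiver from the question:
# check_splunk_pem /opt/splunk/etc/auth/server.pem 'password'
```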

araitz
Splunk Employee

Did you restart Splunk after you input the unhashed password? Did you verify using lsof or netstat that the port was not actually open?


dwaddle
SplunkTrust

Hexx has done some serious study on this and has a working recipe with SSL mutual auth.

http://answers.splunk.com/questions/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certifi...
