I am trying to set up SSL security from the fwd clients to the index servers. I am looking at the article http://docs.splunk.com/Documentation/Splunk/6.4.2/Security/ConfigureSplunkforwardingtousesignedcerti... but cannot figure it out.
[SSL]
rootCA = $SPLUNK_HOME/etc/auth/mycerts/myCACertificate.pem
serverCert = $SPLUNK_HOME/etc/auth/mycerts/myNewServerCertificate.pem
password = <server certificate private key password>
cipherSuite = <your chosen cipher suite (optional)>
[splunktcp-ssl:9997]
compressed = true
What file is what? What file should rootCA point to? I assume the cert authority file. It seems that the serverCert is chained in some way.
Any help is MUCH appreciated!
Hello There,
It is the certificate authority file (the root file from the certificate authority you used to sign the certificate). Please have a look at the SSL stanza of inputs.conf for the description:
[SSL]
* Set the following specifications for SSL underneath this stanza name:
serverCert = <path>
* Full path to the server certificate.
password = <string>
* Server certificate password, if any.
rootCA = <string>
* Certificate authority list (root file).
requireClientCert = [true|false]
* Determines whether a client must authenticate.
* Defaults to false.
sslVersions = <string>
* Comma-separated list of SSL versions to support
* The versions available are "ssl2", "ssl3", "tls1.0", "tls1.1", and "tls1.2"
* The special version "*" selects all supported versions. The version "tls"
selects all versions tls1.0 or newer
* If a version is prefixed with "-" it is removed from the list
* When configured in FIPS mode ssl2 and ssl3 are always disabled regardless of this configuration
* Defaults to "*,-ssl2". (anything newer than SSLv2)
supportSSLV3Only = [true|false]
* DEPRECATED. SSLv2 is now always disabled by default. The exact set of
SSL versions allowed is now configurable via the "sslVersions" setting above
cipherSuite = <cipher suite string>
* If set, uses the specified cipher string for the input processors.
* If not set, the default cipher string is used.
* Provided by OpenSSL. This is used to ensure that the server does not
accept connections using weak encryption protocols.
Now I am seeing this on the FWD servers from splunkd.log
08-30-2016 18:03:19.804 +0000 ERROR SSLCommon - Can't read key file /opt/splunk/etc/auth/fwd/star_gehccloud_com_public.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line.
Splunk is not able to read your file due to issues in the PEM format. Check whether it has a valid header line and also check whether there are any special characters like ^M.
There does seem to be a header:
-----BEGIN CERTIFICATE-----
And there is no ^M (CR) in the file... This cannot be that difficult!
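The two causes named above (no "-----BEGIN" line, which is what "PEM_read_bio:no start line" means, and ^M carriage returns from a Windows-edited file) are easy to check by script. The following is an added example, not code from the thread or from Splunk: pem_check returns a distinct code for each problem and also confirms that the file carries both a certificate and a private key, which is what the serverCert file has to contain; pem_blocks lists the PEM blocks in order, which helps when a file turns out to be a chain. The sample files it writes are constructed placeholders with fake base64 bodies, not real keys or certificates.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the PEM file that
# serverCert will point to. Uses only grep/awk/printf so it runs anywhere.

# pem_check FILE
#   0 = file looks usable
#   1 = no PEM start line   (the "no start line" error seen in splunkd.log)
#   2 = carriage returns present (^M, CRLF line endings)
#   3 = no CERTIFICATE block
#   4 = no PRIVATE KEY block (serverCert needs cert AND key in one file)
pem_check() {
    f=$1
    grep -q '^-----BEGIN ' "$f" || return 1
    ! grep -q "$(printf '\r')" "$f" || return 2
    grep -q '^-----BEGIN CERTIFICATE-----$' "$f" || return 3
    grep -q '^-----BEGIN .*PRIVATE KEY-----$' "$f" || return 4
}

# pem_blocks FILE -> comma-separated PEM block types in file order,
# e.g. "CERTIFICATE,CERTIFICATE,RSA PRIVATE KEY" for leaf + intermediate + key.
# Tolerates CRLF so it can be used on a file that failed pem_check with code 2.
pem_blocks() {
    awk '{ sub(/\r$/, "") }
         /^-----BEGIN .*-----$/ {
             sub(/^-----BEGIN /, ""); sub(/-----$/, "")
             printf "%s%s", (n++ ? "," : ""), $0
         }
         END { print "" }' "$1"
}

# make_pem_samples DIR: writes constructed sample files (placeholder bodies,
# not real key or certificate material) so the checks can be exercised offline.
make_pem_samples() {
    d=$1
    cert='-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUPLACEHOLDER\n-----END CERTIFICATE-----\n'
    key='-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n'
    printf '%b' "$cert$key" > "$d/good.pem"            # cert then key: what serverCert expects
    printf '%b' "$cert$cert$key" > "$d/chain.pem"      # leaf + intermediate + key
    printf '%b' "$cert$key" | awk '{ printf "%s\r\n", $0 }' > "$d/crlf.pem"   # same, CRLF endings
    printf '%b' "$cert" > "$d/certonly.pem"            # certificate without its key
    printf '%s\n' 'MIIBszCCAVmgAwIBAgIUPLACEHOLDER' > "$d/nostart.pem"   # armor lines missing
}

# Usage: sh pem_check.sh /opt/splunk/etc/auth/mycerts/myServerCertificate.pem ...
for f in "$@"; do
    if pem_check "$f"; then
        echo "$f: OK ($(pem_blocks "$f"))"
    else
        echo "$f: problem code $? (see pem_check), blocks: $(pem_blocks "$f")"
    fi
done
```

Run it with the paths from the [SSL] stanza as arguments; code 2 means the file needs its line endings converted, and code 4 means the private key was never appended to the certificate.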
Guys, thank you VERY much for your response. I have certificates issued from a certificate authority and am not creating them on the Splunk servers.
Here is a script that will create all the certs you need:
#!/bin/sh
# Creates a private CA, then a server certificate and a client certificate signed by it.
# openssl prompts for the passphrase of each -des3 key and for the subject of each CSR.
set -e

echo "Create CA Private Key"
openssl genrsa -des3 -out myCAPrivateKey.key 2048
echo
echo "Create CA myCACertificate.csr"
openssl req -new -key myCAPrivateKey.key -out myCACertificate.csr
echo
echo "Create myCACertificate.pem"
# Self-sign the CA request with its own key; this file becomes rootCA in inputs.conf
openssl x509 -req -in myCACertificate.csr -sha256 -signkey myCAPrivateKey.key -CAcreateserial -out myCACertificate.pem -days 1095
echo
echo "Create myServerPrivateKey.key"
openssl genrsa -des3 -out myServerPrivateKey.key 2048
echo
echo "Gen myServerCertificate.csr"
openssl req -new -key myServerPrivateKey.key -out myServerCertificate.csr
echo
echo "Gen myServerCertificate.pem"
# Sign the server request with the CA certificate and CA key
openssl x509 -req -in myServerCertificate.csr -sha256 -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out myServerCertificate.pem -days 1095
echo
echo "Gen myClientPrivateKey.key"
openssl genrsa -des3 -out myClientPrivateKey.key 2048
echo
echo "Gen myClientCertificate.csr"
openssl req -new -key myClientPrivateKey.key -out myClientCertificate.csr
echo
echo "Gen myClientCertificate.pem"
# Sign the client (forwarder) request with the same CA
openssl x509 -req -in myClientCertificate.csr -sha256 -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out myClientCertificate.pem -days 1095
echo
echo "Concatenating private key to end of client cert"
cat myClientPrivateKey.key >> myClientCertificate.pem
echo
echo "Concatenating private key to end of server cert"
# Certificate followed by its (encrypted) key is the file serverCert points to;
# the key passphrase goes into the password setting of the [SSL] stanza
cat myServerPrivateKey.key >> myServerCertificate.pem
Your root CA will be "myCACertificate.pem"
Then what is the serverCert file?
Hey, thank you for the response. So if the rootCA is the certificate auth file, what is the serverCert file? Is that the chained file? I have this running on an existing Splunk cluster and the serverCert file seems to be a chain of 5 SSL keys?!?!?
As much as I love Splunk, this documentation is not very detailed! Any help is much appreciated, and remember I got official certs from a cert authority; I am not looking to create self-signed certs.
The server cert is the cert you have written for the server. The server cert PEM file will have both the cert and your private key, and the rootCA is the trusted certificate file, which will have the root CA or sub-CA cert chain.
For example, if you have a p12 file from your provider:
# CA chain only; -nokeys keeps the private key out of the rootCA file
openssl pkcs12 -in <your cert>.p12 -cacerts -nokeys -out rootCA.pem
# server certificate plus its private key, as serverCert expects
openssl pkcs12 -in <your cert>.p12 -clcerts -out serverCert.pem
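To see the split described in this answer end to end, here is an added shell example that is not part of the thread or of Splunk's documentation. It extracts rootCA.pem (CA certificates only, no key) and serverCert.pem (server certificate followed by its key) from a PKCS#12 bundle, then verifies that the server certificate actually chains to the rootCA file and that each file holds what the [SSL] stanza expects, before anything is written to inputs.conf. The bundle path, its password, the output directory and the throwaway CA that make_sample_p12 builds for the demonstration are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): split a CA-issued PKCS#12 bundle into the
# two files referenced by the [SSL] stanza and verify them.

# split_p12 BUNDLE.p12 PASSWORD OUTDIR
#   OUTDIR/rootCA.pem     : CA certificates only (-cacerts -nokeys), never a private key
#   OUTDIR/serverCert.pem : server certificate followed by its private key
split_p12() {
    p12=$1; pass=$2; out=$3
    mkdir -p "$out" || return 1
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys \
        -out "$out/rootCA.pem" 2>/dev/null || return 1
    # piping through 'openssl x509' / 'openssl pkey' drops the "Bag Attributes" text
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
        | openssl x509 > "$out/serverCert.pem" || return 1
    # -nodes writes the key unencrypted, so keep the file mode tight; to keep it
    # encrypted instead, drop -nodes and set password= in the [SSL] stanza
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
        | openssl pkey >> "$out/serverCert.pem" || return 1
    chmod 600 "$out/serverCert.pem"
}

# verify_splunk_ssl OUTDIR
#   0 = serverCert.pem chains to rootCA.pem, carries a key, and rootCA.pem carries none
#   1 = chain verification failed   2 = no key in serverCert.pem   3 = key leaked into rootCA.pem
verify_splunk_ssl() {
    out=$1
    openssl verify -CAfile "$out/rootCA.pem" "$out/serverCert.pem" >/dev/null 2>&1 || return 1
    grep -q '^-----BEGIN .*PRIVATE KEY-----' "$out/serverCert.pem" || return 2
    ! grep -q 'PRIVATE KEY' "$out/rootCA.pem" || return 3
}

# make_sample_p12 DIR: builds a throwaway CA and server cert (constructed for this
# example, 1-day validity) and exports DIR/bundle.p12 with password "changeit",
# standing in for the bundle a real provider would hand over.
make_sample_p12() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=indexer.example.internal" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -days 1 -out "$d/srv.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$d/srv.key" -in "$d/srv.pem" -certfile "$d/ca.pem" \
        -passout pass:changeit -out "$d/bundle.p12" 2>/dev/null || return 1
}

# Usage: sh split_p12.sh provider-bundle.p12 'bundle password' /opt/splunk/etc/auth/mycerts
if [ $# -eq 3 ]; then
    split_p12 "$1" "$2" "$3" && verify_splunk_ssl "$3" \
        && echo "OK: serverCert = $3/serverCert.pem, rootCA = $3/rootCA.pem"
fi
```

Once verify_splunk_ssl returns 0, point serverCert at OUTDIR/serverCert.pem and rootCA at OUTDIR/rootCA.pem in the [SSL] stanza; with the key written unencrypted the password setting stays empty. A return of 1 usually means the bundle did not include the intermediate CA, which is exactly the case where the forwarders will later log handshake failures against the indexer.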