Security

Using Self Signed SSL Certs on Index Servers

brent_weaver
Builder

I am trying to set up SSL security from the fwd clients to the index servers. I am looking at the article http://docs.splunk.com/Documentation/Splunk/6.4.2/Security/ConfigureSplunkforwardingtousesignedcerti... but cannot figure it out.

[SSL]
rootCA = $SPLUNK_HOME/etc/auth/mycerts/myCACertificate.pem
serverCert = $SPLUNK_HOME/etc/auth/mycerts/myNewServerCertificate.pem
password = <server certificate private key password>
cipherSuite = <your chosen cipher suite (optional)>

[splunktcp-ssl:9997]
compressed = true

What file is what? What file should rootCA point to? I assume the cert authority file. It seems that the serverCert is chained in some way.

Any help is MUCH appreciated!

1 Solution

renjith_nair
Legend

Hello There,

It is the certificate authority file (root file from the certificate authority you used to sign the certificate). Please have a look at the SSL stanza of inputs.conf for a description.

[SSL]
* Set the following specifications for SSL underneath this stanza name:

serverCert = <path>
* Full path to the server certificate.

password = <string>
* Server certificate password, if any.

rootCA = <string>
* Certificate authority list (root file).

requireClientCert = [true|false]
* Determines whether a client must authenticate.
* Defaults to false.

sslVersions = <string>
* Comma-separated list of SSL versions to support
* The versions available are "ssl2", "ssl3", "tls1.0", "tls1.1", and "tls1.2"
* The special version "*" selects all supported versions.  The version "tls"
  selects all versions tls1.0 or newer
* If a version is prefixed with "-" it is removed from the list
* When configured in FIPS mode ssl2 and ssl3 are always disabled regardless of this configuration
* Defaults to "*,-ssl2".  (anything newer than SSLv2)

supportSSLV3Only = [true|false]
* DEPRECATED.  SSLv2 is now always disabled by default.  The exact set of
  SSL versions allowed is now configurable via the "sslVersions" setting above

cipherSuite = <cipher suite string>
* If set, uses the specified cipher string for the input processors.
* If not set, the default cipher string is used.
* Provided by OpenSSL. This is used to ensure that the server does not
  accept connections using weak encryption protocols.
Happy Splunking!


brent_weaver
Builder

Now I am seeing this on the FWD servers from splunkd.log

08-30-2016 18:03:19.804 +0000 ERROR SSLCommon - Can't read key file /opt/splunk/etc/auth/fwd/star_gehccloud_com_public.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line.


renjith_nair
Legend

Splunk is not able to read your file due to issues in the PEM format. Check if it has a valid header line and also check if there are any special characters like ^M.

Happy Splunking!

brent_weaver
Builder

There does seem to be a header:

-----BEGIN CERTIFICATE-----

And there is no ^M (CR) in the file.... This cannot be that difficult!


brent_weaver
Builder

Guys, thank you VERY much for your response. I have certificates issued from a certificate authority and am not creating them on the Splunk servers.


svenwendler
Path Finder

Here is a script that will create all the certs you need:

#!/bin/sh
# Every key below is generated with -des3, so it is passphrase-protected; the server
# key's passphrase has to go into "password =" in the [SSL] stanza of inputs.conf.
echo "Create CA Private Key"
openssl genrsa -des3 -out myCAPrivateKey.key 2048
echo
echo "Create CA myCACertificate.csr"
openssl req -new -key myCAPrivateKey.key -out myCACertificate.csr
echo
echo "Create myCACertificate.pem (self-signed root CA, valid 3 years)"
openssl x509 -req -in myCACertificate.csr -sha256 -signkey myCAPrivateKey.key -CAcreateserial -out myCACertificate.pem -days 1095
echo
echo "Create myServerPrivateKey.key"
openssl genrsa -des3 -out myServerPrivateKey.key 2048
echo
echo "Gen myServerCertificate.csr"
openssl req -new -key myServerPrivateKey.key -out myServerCertificate.csr
echo
echo "Gen myServerCertificate.pem (signed by the CA above)"
openssl x509 -req -in myServerCertificate.csr -sha256 -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out myServerCertificate.pem -days 1095
echo
echo "Gen myClientPrivateKey.key"
openssl genrsa -des3 -out myClientPrivateKey.key 2048
echo
echo "Gen myClientCertificate.csr"
openssl req -new -key myClientPrivateKey.key -out myClientCertificate.csr
echo
echo "Gen myClientCertificate.pem (signed by the CA above)"
openssl x509 -req -in myClientCertificate.csr -sha256 -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out myClientCertificate.pem -days 1095
echo
# Splunk expects the certificate and its private key in one PEM file (serverCert / clientCert)
echo "Concatenating private key to end of client cert"
cat myClientPrivateKey.key >> myClientCertificate.pem
echo
echo "Concatenating private key to end of server cert"
cat myServerPrivateKey.key >> myServerCertificate.pem

Your root CA will be "myCACertificate.pem"


brent_weaver
Builder

Then what is the serverCert file?



brent_weaver
Builder

Hey, thank you for the response. So if the rootCA is the certificate auth file, what is the serverCert file? Is that the chained file? I have this running on an existing Splunk cluster and the serverCert file seems to be a chain of 5 SSL keys?!?!?

As much as I love Splunk, this documentation is not very detailed! Any help is much appreciated, and remember I got official certs from a cert authority; I am not looking to create self-signed certs.


renjith_nair
Legend

Server cert is the cert you have written for the server. The server cert PEM file will have both the cert and your private key, and the rootCA is the trusted certificate which will have the root CA or sub CA cert chain.

    For example: if you have a p12 file from your provider,

    openssl pkcs12 -in <your cert>.p12 -cacerts -out rootCA.pem

    openssl pkcs12 -in <your cert>.p12 -clcerts -out serverCert.pem
Happy Splunking!
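A small checker, added here and not part of the thread or of Splunk itself, for the two things this thread trips over: a PEM file that OpenSSL rejects with "no start line" (missing BEGIN line or ^M line endings) and the expected layout of serverCert (certificate followed by its private key) versus rootCA (certificates only, no key). The sample PEM strings are constructed placeholders, and the encrypted_key flag tells you whether "password =" must be set in the [SSL] stanza.

```python
import re
# One PEM block: "-----BEGIN <label>-----", body, "-----END <label>-----"
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def inspect_pem(data: str) -> dict:
    """Summarise what a PEM file holds and flag the two faults raised in this thread."""
    labels = [label for label, _ in _PEM_BLOCK.findall(data)]
    problems = []
    if "\r" in data:
        problems.append("contains CR (^M) line endings")
    if not labels:
        # The condition behind 'PEM routines:PEM_read_bio:no start line'
        problems.append("no -----BEGIN ...----- / -----END ...----- block found")
    return {
        "certs": sum(1 for lab in labels if lab.endswith("CERTIFICATE")),
        "keys": sum(1 for lab in labels if lab.endswith("PRIVATE KEY")),
        # Traditional (Proc-Type) or PKCS#8 encrypted key: [SSL] password = must be set
        "encrypted_key": "Proc-Type: 4,ENCRYPTED" in data or "ENCRYPTED PRIVATE KEY" in labels,
        "problems": problems,
    }

def check_server_cert(data: str) -> list:
    """serverCert: the server certificate followed by exactly one private key."""
    info = inspect_pem(data)
    problems = list(info["problems"])
    if info["certs"] < 1:
        problems.append("serverCert holds no certificate")
    if info["keys"] != 1:
        problems.append("serverCert must hold exactly one private key")
    return problems

def check_root_ca(data: str) -> list:
    """rootCA: only certificates (root plus any intermediates), never a private key."""
    info = inspect_pem(data)
    problems = list(info["problems"])
    if info["certs"] < 1:
        problems.append("rootCA holds no certificate")
    if info["keys"]:
        problems.append("rootCA must not contain a private key")
    return problems

# Constructed sample files; the base64 bodies are placeholders, not real key material.
SERVER_PEM = (
    "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n\nMIIEplaceholder\n"
    "-----END RSA PRIVATE KEY-----\n"
)
CHAIN_PEM = "-----BEGIN CERTIFICATE-----\nMIICplaceholder\n-----END CERTIFICATE-----\n" * 2
HEADLESS_PEM = "MIIBplaceholder\n"           # BEGIN line lost: "no start line"
CRLF_PEM = SERVER_PEM.replace("\n", "\r\n")  # saved with Windows line endings
```

Run check_server_cert on the file named by serverCert and check_root_ca on the rootCA file before restarting splunkd; an empty list means the layout is what the [SSL] stanza expects.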