Security

Where can I find a copy of the default SSL certs shipped with 6.3?

weeb
Splunk Employee
Splunk Employee

Where can I find a copy of the default certs shipped with 6.3? My default certs expired for 6.1, 6.2, and I need to deal with this ASAP.

1 Solution

weeb
Splunk Employee
Splunk Employee

The files are available here: https://splunk.box.com/s/dqylhnq48vmobb46jjcj475mzyu7rv90

THe FAQ sent by Splunk for expiry on July 21, 2016:

Dear Splunker,

Enclosed are remediation steps for the expiration of default certs shipped
with Splunk 6.2 and earlier.

Please let us know if these steps were helpful.

SUMMARY OF THE ISSUE

In a nutshell, default certificates shipped with 6.2 and earlier versions
of Splunk have expired and will affect communications between Splunk
components:

  1. HTTPS - between browser and Splunk will fail if the following is set:
    webconf: EnableSplunkWebSSL, confirm default certs are targeted in
    privKeyPath and caCertPath. See workflows provided. You will want to swap
    out the default certs (download at link below) or run the s-renewalcerts scripts.

  2. UF and IDX - This will fail IF SSL is set for the type of connection
    between the forwarder and indexers. FYI, dire error messages will be
    written to logs even if communications between fwd-idx are working just
    fine. You will want to swap out the default certs (download at link below) or run the
    s-renewalcerts scripts.

  3. Most Everything else (Deployment Server - Deployment Client, License
    Master to License Slave, Distributed Search Server-Client, Search Head to
    Search Peers) will be able to be turned off with the following flags:

Forwarder (client)
sslVerifyServerCert = false

Indexer (server)
requireClientCert = false


First Response FAQ


Q: Am I using SSL to encrypt between the forwarder and indexer?
A: Run this search on the indexer and a true result will confirm use of
SSL to encrypt communications between the forwarders and indexers indicated.

index=_internal source=metrics.log group=tcpin_connections | dedup
hostname | table hostname sourceIp fwdType version destPort ssl

If the results are false, forwarder - index traffic will not fail.


Q: How do I check the expiration for all certs on the customer's system?
A: A quick way to check all expiration dates for all certs under
$SPLUNK_HOME/etc:

$SPLUNK_HOME/etc/$ find ./ -name '*.pem' -exec openssl x509 -in '{}'
-noout -enddate \;


Q: What are my options for immediate remediation?

A: Run the script provided in the advisory.
The advisory:

https://answers.splunk.com/answers/395886/for-splunk-enterprise-splunk-lig
ht-and-hunk-pre-63.html

Or, manually swap out the expired default certs with default certs
provided here:

https://splunk.box.com/s/dqylhnq48vmobb46jjcj475mzyu7rv90

See steps below.


Q: What if I can't get the script to work? Do we have manual
steps?
A: Yes. Here they are:
1) Stop Splunk
2) Back up (note permissions/ownership, very important!!) and then remove:

· ./etc/auth/ca.pem

· ./etc/auth/cacert.pem

· ./etc/auth/server.pem
3) Copy over the new versions of the following from

https://splunk.box.com/s/dqylhnq48vmobb46jjcj475mzyu7rv90

· ./etc/auth/ca.pem

· ./etc/auth/cacert.pem

· Do not copy over server.pem
4) Confirm permissions and ownership of 3).
5) Restart Splunk.
A new server.pem is generated. You're done.


Q: How can I tell which SSL parameters have been set in my
configuration files?

A: We recommend using btool along with grep
splunk btool server list --debug | grep blargh
Check for:
[sslConfig]
enableSplunkdSSL = true
caCertFile = cacert.pem
caPath = $SPLUNK_HOME/etc/auth
sslVerifyServerCert = true
splunk btool outputs list --debug
[tcpout:splunkssl]
sslCertPath = $SPLUNK_HOME/etc/auth/server.pems
RootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
splunk btool inputs list --debug
[SSL]
rootCA = $SPLUNK_HOME/etc/auth/cacert.pem
serverCert = $SPLUNK_HOME/etc/auth/server.pem

[splunktcp-ssl:]

Additional Resources

The advisory:
https://answers.splunk.com/answers/395886/for-splunk-enterprise-splunk-light-and-hunk-pre-63.html

Download the script:
http://download.splunk.com/products/certificates/renewcerts-2016-05-05.zip

Splunk Wikis:
http://wiki.splunk.com/Community:SplunkWeb_SSL_DefaultCerts
http://wiki.splunk.com/Community:Splunk2Splunk_SSL_DefaultCerts

Thank you,

The Global Customer Support Team

View solution in original post

weeb
Splunk Employee
Splunk Employee

The files are available here: https://splunk.box.com/s/dqylhnq48vmobb46jjcj475mzyu7rv90

THe FAQ sent by Splunk for expiry on July 21, 2016:

Dear Splunker,

Enclosed are remediation steps for the expiration of default certs shipped
with Splunk 6.2 and earlier.

Please let us know if these steps were helpful.

SUMMARY OF THE ISSUE

In a nutshell, default certificates shipped with 6.2 and earlier versions
of Splunk have expired and will affect communications between Splunk
components:

  1. HTTPS - between browser and Splunk will fail if the following is set:
    webconf: EnableSplunkWebSSL, confirm default certs are targeted in
    privKeyPath and caCertPath. See workflows provided. You will want to swap
    out the default certs (download at link below) or run the s-renewalcerts scripts.

  2. UF and IDX - This will fail IF SSL is set for the type of connection
    between the forwarder and indexers. FYI, dire error messages will be
    written to logs even if communications between fwd-idx are working just
    fine. You will want to swap out the default certs (download at link below) or run the
    s-renewalcerts scripts.

  3. Most Everything else (Deployment Server - Deployment Client, License
    Master to License Slave, Distributed Search Server-Client, Search Head to
    Search Peers) will be able to be turned off with the following flags:

Forwarder (client)
sslVerifyServerCert = false

Indexer (server)
requireClientCert = false


First Response FAQ


Q: Am I using SSL to encrypt between the forwarder and indexer?
A: Run this search on the indexer and a true result will confirm use of
SSL to encrypt communications between the forwarders and indexers indicated.

index=_internal source=metrics.log group=tcpin_connections | dedup
hostname | table hostname sourceIp fwdType version destPort ssl

If the results are false, forwarder - index traffic will not fail.


Q: How do I check the expiration for all certs on the customer's system?
A: A quick way to check all expiration dates for all certs under
$SPLUNK_HOME/etc:

$SPLUNK_HOME/etc/$ find ./ -name '*.pem' -exec openssl x509 -in '{}'
-noout -enddate \;


Q: What are my options for immediate remediation?

A: Run the script provided in the advisory.
The advisory:

https://answers.splunk.com/answers/395886/for-splunk-enterprise-splunk-lig
ht-and-hunk-pre-63.html

Or, manually swap out the expired default certs with default certs
provided here:

https://splunk.box.com/s/dqylhnq48vmobb46jjcj475mzyu7rv90

See steps below.


Q: What if I can't get the script to work? Do we have manual
steps?
A: Yes. Here they are:
1) Stop Splunk
2) Back up (note permissions/ownership, very important!!) and then remove:

· ./etc/auth/ca.pem

· ./etc/auth/cacert.pem

· ./etc/auth/server.pem
3) Copy over the new versions of the following from

https://splunk.box.com/s/dqylhnq48vmobb46jjcj475mzyu7rv90

· ./etc/auth/ca.pem

· ./etc/auth/cacert.pem

· Do not copy over server.pem
4) Confirm permissions and ownership of 3).
5) Restart Splunk.
A new server.pem is generated. You're done.


Q: How can I tell which SSL parameters have been set in my
configuration files?

A: We recommend using btool along with grep
splunk btool server list --debug | grep blargh
Check for:
[sslConfig]
enableSplunkdSSL = true
caCertFile = cacert.pem
caPath = $SPLUNK_HOME/etc/auth
sslVerifyServerCert = true
splunk btool outputs list --debug
[tcpout:splunkssl]
sslCertPath = $SPLUNK_HOME/etc/auth/server.pems
RootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
splunk btool inputs list --debug
[SSL]
rootCA = $SPLUNK_HOME/etc/auth/cacert.pem
serverCert = $SPLUNK_HOME/etc/auth/server.pem

[splunktcp-ssl:]

Additional Resources

The advisory:
https://answers.splunk.com/answers/395886/for-splunk-enterprise-splunk-light-and-hunk-pre-63.html

Download the script:
http://download.splunk.com/products/certificates/renewcerts-2016-05-05.zip

Splunk Wikis:
http://wiki.splunk.com/Community:SplunkWeb_SSL_DefaultCerts
http://wiki.splunk.com/Community:Splunk2Splunk_SSL_DefaultCerts

Thank you,

The Global Customer Support Team

View solution in original post

Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!