Security

Where to add certificate info for port 8089?

skoelpin
SplunkTrust
SplunkTrust

I added a signed certificate from InfoSec to our Splunk indexer and currently pointing to that .pem and .key file in /etc/system/local/web.conf.. He scanned it with the nessus scanner and says the Splunk signed cert is still showing up on port 8089. So what .conf file should I add the stanza below so I can pick up the signed cert rather than default to Splunks self signed cert?

Here is my current stanza under web.conf

[settings]
enableSplunkWebSSL = 1
privKeyPath = /opt/splunk/etc/auth/splunkweb/mySplunkWebPrivateKey.key
caCertPath = /opt/splunk/etc/auth/splunkweb/splunk-emc01.pem
sslVersions = tls1.1, tls1.2
0 Karma
1 Solution

skoelpin
SplunkTrust
SplunkTrust

Yes I did.. I went ahead and disabled port 8089 so we can pass the security scan and get Splunk going so it's not shelved for a custom in-house product. From my understanding, we will lose functionality of the DS and connecting to the Splunk API without port 8089 enabled. What other downsides are there for not having the management port open?

View solution in original post

dwaddle
SplunkTrust
SplunkTrust

For the total picture when it comes to configuring SSL, I would humbly pitch the talk that @starcher and I put together long ago and have given many times over now.

The latest version was the April 2016 Splunk Trust virtual.conf -- http://wiki.splunk.com/Virtual_.conf
Or you can get last year's .conf recordings -- http://conf.splunk.com/session/2015/recordings/2015-splunk-115.mp4
http://conf.splunk.com/session/2015/conf2015_DWaddle_DefensePointSecurity_deploying_SplunkSSLBestPra...

skoelpin
SplunkTrust
SplunkTrust

Thanks for sharing. I currently have 2 outstanding SSL issues before InfoSec will certify the Splunk install.

1) I configured a signed cert from InfoSec on the Indexer and currently pointing to that signed cert in web.conf.. It's working correctly on port 8000 but its still pointing to the self-signed cert on port 8089, how can I make our Signed cert work on port 8089 too?

2) I added sslVersions = tls1.1, tls1.2 to the sslConfig stanza and it worked on port 8000, but it did not take affect on port 8089. How can I get this working on port 8089?

0 Karma

jwelch_splunk
Splunk Employee
Splunk Employee

To change the 8089 Cert you would modify your server.conf file.

http://docs.splunk.com/Documentation/Splunk/6.5.0/Security/AboutsecuringSplunktoSplunkcommunication

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Yes I did this in server.conf and it only worked on port 8000.. I need this to also work on port 8089, any ideas how to make it work with 8089 too?

Should I create a separate stanza for 8089?

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Yes I did.. I went ahead and disabled port 8089 so we can pass the security scan and get Splunk going so it's not shelved for a custom in-house product. From my understanding, we will lose functionality of the DS and connecting to the Splunk API without port 8089 enabled. What other downsides are there for not having the management port open?

Raghav2384
Motivator

Hey @skoelpin

Is the ask here to fix the 8089 vulnerability anyway or using the self signed cert only?

In general, if you want to force the cipherSuite, i would just add the following to server.conf under sslconfig stanza (This will take care of all the SSLv3 POODLE stuff)
What it doesn't take care of is XSS (Cross Site Scripting) vulnerability if you using versions older than 6.3.3 (I say 6.3.3 because that's the version has XSS patch)

supportSSLV3Only = false
cipherSuite = TLSv1.2:!eNULL:!aNULL

While you are in there, disable kvstore port 8191 if you don't need it as that will pop up in the scan results eventually.

Hope this helps!

Thanks,
Raghav

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Thanks for responding! We want to use a cert signed by InfoSec rather than using Splunks self-signed cert. I added our cert to Splunk and configured Splunk to point to the cert and its working correctly on port 8000 but looks like port 8089 is still pointing to Splunks self-signed cert. How can I make it point to our cert for port 8089? We also only want to use TLS 1.1 and 1.2

0 Karma

somesoni2
SplunkTrust
SplunkTrust

First, my bad on the port, didn't realize that it was management port. Your configuration in web.conf is for applying SSL for splunkweb, (default 8000 port), not the splunkd/management port. For that, the changes will need to go to server.conf on Indexers (and web.conf on other nodes connecting to management port of Indexers). See this for more details on those settings

http://docs.splunk.com/Documentation/Splunk/6.4.3/Security/AboutsecuringSplunktoSplunkcommunication
http://docs.splunk.com/Documentation/Splunk/6.4.3/Security/Securingyourdeploymentserverandclients

Disabling 8089 port access (in firewall rule I'm guessing), will affect Deployment server, license Master, Cluster Master, Deployer and REST API access.

skoelpin
SplunkTrust
SplunkTrust

The answer was right in front of me the whole time, I wish I read your explanation more thoroughly.
You were correct and solved my issue! To help those in the future, web.conf changes under the settings stanza will affect everything on port 8000. server.conf changes under sslConfig will affect changes on the management port 8089. You need to place the paths of the signed cert in both of the stanza's!

skoelpin
SplunkTrust
SplunkTrust

I attempted to disable port 8089 on the indexer by adding the stanza to /opt/splunk/etc/system/local/server.conf

[httpServer]
disableDefaultPort = false

But unfortunately, this also blocked port 8000 and made Splunk unusable.. So it looks like I cannot go this route.

InfoSec initially scanned the Splunk indexer and came back saying there was 3 issues which I corrected by doing the following

1) Added sslVersions = tls1.1, tls1.2 in server.conf under the ‘SSLConfig’ stanza
2) Added “allowSSLCompression = false” under the ‘SSLConfig’ stanza
3) Restarted Splunk so the signed cert from InfoSec could take affect

InfoSec then scanned it again and came back saying it passed on port 8000 this time, but now Splunks self-signed certs are showing up on port 8089 and SSL 2.0,3.0 and TLS 1.0 are showing up on port 8089 now..

So my question, how can I fix the issues on port 8089 now? I thought adding the above to server.conf would correct the issue on both 8000 and 8089?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Did you restart Splunk (of Splunk Indexe) after your made those web.conf changes?

$SPLUNK_HOME/bin/splunk restart splunkweb

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...