Security

Why am I no longer able to access SSO and Echo debug pages with 403 errors in Splunk 6.3?

mkolkebeck
Path Finder

I've confirmed using an out-of-box install that I'm no longer able to access these pages:

How do I enable these pages?

1 Solution

jcrabb_splunk
Splunk Employee
Splunk Employee

In order to access this end point, two things must be in place. First, the role that is accessing this end point must have the following capability:

[capability::web_debug]

This is configured in authorize.conf and the admin role has this by default. The second requirement, which was introduced in 6.3, in web.conf the following setting must be set to true:

enableWebDebug = true|false
- Controls the visibility of the debug endpoints (i.e., /debug/
splat).
- Defaults to false

If you browse to http://localhost:8000/en-US/info/ you will find the Development Services page where it will describe this new access requirement.
It is my understanding that this change was introduced for security purposes.

Jacob
Sr. Technical Support Engineer

View solution in original post

jcrabb_splunk
Splunk Employee
Splunk Employee

In order to access this end point, two things must be in place. First, the role that is accessing this end point must have the following capability:

[capability::web_debug]

This is configured in authorize.conf and the admin role has this by default. The second requirement, which was introduced in 6.3, in web.conf the following setting must be set to true:

enableWebDebug = true|false
- Controls the visibility of the debug endpoints (i.e., /debug/
splat).
- Defaults to false

If you browse to http://localhost:8000/en-US/info/ you will find the Development Services page where it will describe this new access requirement.
It is my understanding that this change was introduced for security purposes.

Jacob
Sr. Technical Support Engineer

mkolkebeck
Path Finder

This worked, thank you!

Updating enableWebDebug = true in web.conf is all that is needed to expose the /debug/sso and /debug/echo endpoints, and updating the role with the web_debug capability in authorize.conf only applies to some of the debug endpoints (e.g. /debug/refresh and /_bump, according to the info page that you cited).

0 Karma

sloshburch
Splunk Employee
Splunk Employee
0 Karma

sullivanmatt
Engager

Yeah, we're working on our 6.3 upgrade and SSO isn't functional, and we have no ability to debug why. Very, very frustrating.

0 Karma

mkolkebeck
Path Finder

Right, 6.3 doesn't appear to break SSO itself, but I heavily rely on this page for testing/confirming it.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...