Security

Why am I no longer able to access SSO and Echo debug pages with 403 errors in Splunk 6.3?

Path Finder

I've confirmed using an out-of-box install that I'm no longer able to access these pages:

How do I enable these pages?

1 Solution

Splunk Employee
Splunk Employee

In order to access this end point, two things must be in place. First, the role that is accessing this end point must have the following capability:

[capability::web_debug]

This is configured in authorize.conf and the admin role has this by default. The second requirement, which was introduced in 6.3, in web.conf the following setting must be set to true:

enableWebDebug = true|false
- Controls the visibility of the debug endpoints (i.e., /debug/
splat).
- Defaults to false

If you browse to http://localhost:8000/en-US/info/ you will find the Development Services page where it will describe this new access requirement.
It is my understanding that this change was introduced for security purposes.

Jacob
Sr. Technical Support Engineer

View solution in original post

Splunk Employee
Splunk Employee

In order to access this end point, two things must be in place. First, the role that is accessing this end point must have the following capability:

[capability::web_debug]

This is configured in authorize.conf and the admin role has this by default. The second requirement, which was introduced in 6.3, in web.conf the following setting must be set to true:

enableWebDebug = true|false
- Controls the visibility of the debug endpoints (i.e., /debug/
splat).
- Defaults to false

If you browse to http://localhost:8000/en-US/info/ you will find the Development Services page where it will describe this new access requirement.
It is my understanding that this change was introduced for security purposes.

Jacob
Sr. Technical Support Engineer

View solution in original post

Path Finder

This worked, thank you!

Updating enableWebDebug = true in web.conf is all that is needed to expose the /debug/sso and /debug/echo endpoints, and updating the role with the web_debug capability in authorize.conf only applies to some of the debug endpoints (e.g. /debug/refresh and /_bump, according to the info page that you cited).

0 Karma

Ultra Champion
0 Karma

Engager

Yeah, we're working on our 6.3 upgrade and SSO isn't functional, and we have no ability to debug why. Very, very frustrating.

0 Karma

Path Finder

Right, 6.3 doesn't appear to break SSO itself, but I heavily rely on this page for testing/confirming it.

0 Karma