Our queries that used to work stopped working with error:
Error in 'script': Getinfo probe failed for external search command 'dbquery'
In jbridge log saw this error:
2015-02-06 11:02:14,660 ERROR Java process returned error code 1! Error: Initializing Splunk context... Environment: SplunkEnvironment{SPLUNK_HOME=/splunk,SPLUNK_DB=/splunk/var/lib/splunk} Configuring Log4j... Exception in thread "main" com.splunk.config.SplunkConfigurationException: IO Error while reading configuration from Splunkd: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) at com.splunk.config.rest.RESTAdapter.request(RESTAdapter.java:195) at com.splunk.config.rest.RESTAdapter.readConfig(RESTAdapter.java:203) at com.splunk.config.cache.CachedConfigurationAdapter.readConfig(CachedConfigurationAdapter.java:32) at com.splunk.config.cache.CachedConfigurationAdapter.readStanza(CachedConfigurationAdapter.java:40) at com.splunk.env.SplunkContext.getConfigStanza(SplunkContext.java:313) at com.splunk.env.SplunkContext.initialize(SplunkContext.java:128) at com.splunk.bridge.JavaBridgeServer.main(JavaBridgeServer.java:34) Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) at sun.security.ssl.Handshaker.activate(Handshaker.java:470) at sun.security.ssl.SSLSocketImpl.kickstartHandshake(SSLSocketImpl.java:1438) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1308) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.jav... at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153) at com.splunk.rest.Splunkd.request(Splunkd.java:212) at com.splunk.rest.Splunkd.request(Splunkd.java:98) at com.splunk.config.rest.RESTAdapter.request(RESTAdapter.java:193)
Was able to find the start of this entry, and it correlated with a System Update and restart:
Splunk 6.1.4
OS was upgraded Oracle Linux
Patched the 1.7.0 version of java.
In the DBX app under ../local/java.conf it points to version of java being used in my case:
home = /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/
The file below had a line we commented out:
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/jre/lib/security/java.security
jdk.tls.disabledAlgorithms=SSLv3
to
no restart required.
An extension to this solution if you don't want to depend on your system administrator and Linux patching cycles:
1) create the file /opt/splunk/etc/apps/dbx/local/java.security with only the same attribute but empty value:
jdk.tls.disabledAlgorithms=
2) add the following option to the start-up options of DBconnect:
-Djava.security.properties=/opt/splunk/etc/apps/dbx/local/java.security
Also no restart required and you don't have to worry about the next Linux patching cycle (at least not for this issue). The only pittfall is that the default java.security file in your JRE directory should have the following option set to true (default): security.overridePropertiesFile
In jbridge log saw this error:
2015-02-06 11:02:14,660 ERROR Java process returned error code 1! Error: Initializing Splunk context... Environment: SplunkEnvironment{SPLUNK_HOME=/splunk,SPLUNK_DB=/splunk/var/lib/splunk} Configuring Log4j... Exception in thread "main" com.splunk.config.SplunkConfigurationException: IO Error while reading configuration from Splunkd: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) at com.splunk.config.rest.RESTAdapter.request(RESTAdapter.java:195) at com.splunk.config.rest.RESTAdapter.readConfig(RESTAdapter.java:203) at com.splunk.config.cache.CachedConfigurationAdapter.readConfig(CachedConfigurationAdapter.java:32) at com.splunk.config.cache.CachedConfigurationAdapter.readStanza(CachedConfigurationAdapter.java:40) at com.splunk.env.SplunkContext.getConfigStanza(SplunkContext.java:313) at com.splunk.env.SplunkContext.initialize(SplunkContext.java:128) at com.splunk.bridge.JavaBridgeServer.main(JavaBridgeServer.java:34) Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) at sun.security.ssl.Handshaker.activate(Handshaker.java:470) at sun.security.ssl.SSLSocketImpl.kickstartHandshake(SSLSocketImpl.java:1438) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1308) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.jav... at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153) at com.splunk.rest.Splunkd.request(Splunkd.java:212) at com.splunk.rest.Splunkd.request(Splunkd.java:98) at com.splunk.config.rest.RESTAdapter.request(RESTAdapter.java:193)
Was able to find the start of this entry, and it correlated with a System Update and restart:
Splunk 6.1.4
OS was upgraded Oracle Linux
Patched the 1.7.0 version of java.
In the DBX app under ../local/java.conf it points to version of java being used in my case:
home = /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/
The file below had a line we commented out:
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/jre/lib/security/java.security
jdk.tls.disabledAlgorithms=SSLv3
to
no restart required.
yes, commenting out SSLv3 from Java.security file worked!
thank you very much!!!!!
Thanks! This fixed my issue as well