Security

Why is DB Connect is no longer able to run searches with error "Getinfo probe failed for external search command 'dbquery'"?

jwelch_splunk
Splunk Employee
Splunk Employee

Our queries that used to work stopped working with error:

Error in 'script': Getinfo probe failed for external search command 'dbquery'

Tags (1)
1 Solution

jwelch_splunk
Splunk Employee
Splunk Employee

In jbridge log saw this error:

2015-02-06 11:02:14,660 ERROR Java process returned error code 1! Error: Initializing Splunk context... Environment: SplunkEnvironment{SPLUNK_HOME=/splunk,SPLUNK_DB=/splunk/var/lib/splunk} Configuring Log4j... Exception in thread "main" com.splunk.config.SplunkConfigurationException: IO Error while reading configuration from Splunkd: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) at com.splunk.config.rest.RESTAdapter.request(RESTAdapter.java:195) at com.splunk.config.rest.RESTAdapter.readConfig(RESTAdapter.java:203) at com.splunk.config.cache.CachedConfigurationAdapter.readConfig(CachedConfigurationAdapter.java:32) at com.splunk.config.cache.CachedConfigurationAdapter.readStanza(CachedConfigurationAdapter.java:40) at com.splunk.env.SplunkContext.getConfigStanza(SplunkContext.java:313) at com.splunk.env.SplunkContext.initialize(SplunkContext.java:128) at com.splunk.bridge.JavaBridgeServer.main(JavaBridgeServer.java:34) Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) at sun.security.ssl.Handshaker.activate(Handshaker.java:470) at sun.security.ssl.SSLSocketImpl.kickstartHandshake(SSLSocketImpl.java:1438) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1308) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.jav... at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153) at com.splunk.rest.Splunkd.request(Splunkd.java:212) at com.splunk.rest.Splunkd.request(Splunkd.java:98) at com.splunk.config.rest.RESTAdapter.request(RESTAdapter.java:193)

Was able to find the start of this entry, and it correlated with a System Update and restart:

Splunk 6.1.4
OS was upgraded Oracle Linux
Patched the 1.7.0 version of java.

In the DBX app under ../local/java.conf it points to version of java being used in my case:

home = /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/

The file below had a line we commented out:
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/jre/lib/security/java.security

jdk.tls.disabledAlgorithms=SSLv3
to

jdk.tls.disabledAlgorithms=SSLv3

no restart required.

View solution in original post

ehorjus
Explorer

An extension to this solution if you don't want to depend on your system administrator and Linux patching cycles:

1) create the file /opt/splunk/etc/apps/dbx/local/java.security with only the same attribute but empty value:
jdk.tls.disabledAlgorithms=

2) add the following option to the start-up options of DBconnect:
-Djava.security.properties=/opt/splunk/etc/apps/dbx/local/java.security

Also no restart required and you don't have to worry about the next Linux patching cycle (at least not for this issue). The only pittfall is that the default java.security file in your JRE directory should have the following option set to true (default): security.overridePropertiesFile

0 Karma

jwelch_splunk
Splunk Employee
Splunk Employee

In jbridge log saw this error:

2015-02-06 11:02:14,660 ERROR Java process returned error code 1! Error: Initializing Splunk context... Environment: SplunkEnvironment{SPLUNK_HOME=/splunk,SPLUNK_DB=/splunk/var/lib/splunk} Configuring Log4j... Exception in thread "main" com.splunk.config.SplunkConfigurationException: IO Error while reading configuration from Splunkd: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) at com.splunk.config.rest.RESTAdapter.request(RESTAdapter.java:195) at com.splunk.config.rest.RESTAdapter.readConfig(RESTAdapter.java:203) at com.splunk.config.cache.CachedConfigurationAdapter.readConfig(CachedConfigurationAdapter.java:32) at com.splunk.config.cache.CachedConfigurationAdapter.readStanza(CachedConfigurationAdapter.java:40) at com.splunk.env.SplunkContext.getConfigStanza(SplunkContext.java:313) at com.splunk.env.SplunkContext.initialize(SplunkContext.java:128) at com.splunk.bridge.JavaBridgeServer.main(JavaBridgeServer.java:34) Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) at sun.security.ssl.Handshaker.activate(Handshaker.java:470) at sun.security.ssl.SSLSocketImpl.kickstartHandshake(SSLSocketImpl.java:1438) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1308) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.jav... at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153) at com.splunk.rest.Splunkd.request(Splunkd.java:212) at com.splunk.rest.Splunkd.request(Splunkd.java:98) at com.splunk.config.rest.RESTAdapter.request(RESTAdapter.java:193)

Was able to find the start of this entry, and it correlated with a System Update and restart:

Splunk 6.1.4
OS was upgraded Oracle Linux
Patched the 1.7.0 version of java.

In the DBX app under ../local/java.conf it points to version of java being used in my case:

home = /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/

The file below had a line we commented out:
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/jre/lib/security/java.security

jdk.tls.disabledAlgorithms=SSLv3
to

jdk.tls.disabledAlgorithms=SSLv3

no restart required.

adaley
New Member

yes, commenting out SSLv3 from Java.security file worked!
thank you very much!!!!!

0 Karma

rkirkw
Path Finder

Thanks! This fixed my issue as well

Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...