Security

Why is X509 certificate default using warning?

mommyfixit
Loves-to-Learn

Our Splunk rep walked us through setting up SSL for our Splunk servers' communication with each other and for our Universal Forwarders to connect to our Indexer. However, we still get the warning "X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) should not be used, as it is issued by Splunk's own default Certificate Authority (CA)".

In addition, Nessus scans find the default Splunk certificate on all of the systems with Universal Forwarders.

We have SSL certificates created by our government agency's CA.

I have verified that our indexer's server.conf is pointing sslRootCAPath to our CA's pem.

I have verified that our indexer's inputs.conf is pointing serverCert at our server's pem.

I have verified that our universal forwarders' outputs.conf have clientCert pointing at our server's pem, which is located on each system in C:\Program Files\SplunkUniversalForwarder\etc\auth.

I have verified that our universal forwarders' outputs.conf have sslRootCAPath pointing at our CA's pem, which is located on each system in C:\Program Files\SplunkUniversalForwarder\etc\auth.

Why do we still get this warning? Are we missing a setting somewhere?


kknair007
Observer

@mommyfixit By the way, are you getting the cert error in the GUI or at the backend? Please ensure the settings mentioned in the link below are intact.

One point: ensure the EnableSSL=true setting in web.conf if you're getting the error in the GUI.

https://docs.splunk.com/Documentation/Splunk/9.0.1/Security/ConfigureSplunkforwardingtousesignedcert...

Just trying to help. Thanks.


maraman_splunk
Splunk Employee

Hi,

Where do you get this error? Indexers? Universal forwarders? What about other components like SH, CM, ...?

On the UF, you should have done configuration in server.conf to change the trusted CA to yours, and usually provide a throwaway UF certificate.

On the indexer, you don't say that you configured the server cert in server.conf. Is that done? (server.conf -> [sslConfig] -> serverCert)

Obviously, you need to do the same on all other components (SH, ...), as that will change the certificate for Splunk management communications on port 8089.


mommyfixit
Loves-to-Learn

We are getting this error on the Universal Forwarders on Windows endpoints. Our rep didn't mention a server.conf on the endpoints... would that go in our forwarder outputs app? We configured the certs in outputs.conf, but there is no server.conf in that app.

Yes, on the Indexer, we have server.conf configured with:

enableSplunkdSSL = true
serverCert = (our indexer's cert)
sslRootCAPath = (our server chain)


maraman_splunk
Splunk Employee

So it works as expected.

If you configure only outputs, you change what is used to send data, but not the CA the Splunk software trusts internally.

For this, you need to configure it in server.conf.

I would not put this in an output app, but probably create an app for UF-specific custom configuration.

Once you have server.conf configured, you may simplify the outputs configuration when the TLS configuration is the same (as it will use server.conf first).

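As an added illustration of the split maraman_splunk describes between the internal trust store (server.conf) and the data path (outputs.conf), the two fragments below show how a UF-side app could carry each. This is example configuration written for this thread, not Splunk's own documentation or files from the original poster: the app names, file names, host names and port are placeholders, and the "throwaway" forwarder certificate is assumed to be one issued by the agency CA, as the answer above suggests.

```ini
# Assumed app path: etc/apps/my_uf_tls/local/server.conf (placeholder name)
# Controls what splunkd itself trusts and presents on the management port (8089).
[sslConfig]
# CA chain that issued your indexer / deployment server certificates
sslRootCAPath = $SPLUNK_HOME/etc/auth/agency_ca_chain.pem
# The forwarder's own certificate (the "throwaway" UF cert), not the indexer's
serverCert = $SPLUNK_HOME/etc/auth/uf_throwaway.pem

# Assumed app path: etc/apps/my_outputs/local/outputs.conf (placeholder name)
# Controls only the data connection to the indexers (port 9997 here, placeholder).
[tcpout:primary_indexers]
server = indexer.example.gov:9997
clientCert = $SPLUNK_HOME/etc/auth/uf_throwaway.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/agency_ca_chain.pem
# Validate the indexer's certificate against the CA and check its name
sslVerifyServerCert = true
sslCommonNameToCheck = indexer.example.gov
```

The point of the separation is that the outputs.conf keys only affect the forwarder-to-indexer stream; the management-port trust (which produced the default-certificate warning in the original post) is governed by server.conf, which is why fixing only outputs.conf leaves the warning in place.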

mommyfixit
Loves-to-Learn

I went onto one of the Universal Forwarders and modified server.conf with the following:

[sslConfig]
enableSplunkdSSL = true
sslVersions = tls1.2
sslVerifyServerCert = true
sslCommonNameToCheck = (indexer server name)
clientCert = (path to indexer certificate)
sslRootCAPath = (path to indexer chain cert)

This didn't make any difference. Same error message. The forwarder still works, but it is still giving me that message. Did I configure the right settings? Should the server.conf on the universal forwarders be a copy of the server.conf on the indexer, or is there something different between the two?


mommyfixit
Loves-to-Learn

Actually, although it is still sending events to the indexer, and the error is still there, it has quit communicating with the management server. So configuring server.conf the way I just did was definitely the wrong solution. I added the name of the management server to sslCommonNameToCheck and removed clientCert (since it had the indexer's cert path in there). This didn't help - I'm going to have to put server.conf back the way it was so it starts communicating with the management server again.

I'm going to need some very specific guidance to get this working. Thanks!


isoutamo
SplunkTrust

Hi

How have you checked those values: just by looking at those files, or by using btool? If the first, then I propose you use btool to ensure that those files & configs are the ones which Splunk is using.

splunk btool server list --debug | egrep '(SSL|Cert|CA|ssl)'

And the same for other files like inputs, outputs (just replace "server" in the above command).

That shows you from which file Splunk gets those values and what they are.

r. Ismo

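The btool check above tells you which file each value is resolved from, but you still have to read the output by eye. The script below is an added example (not from this thread or from Splunk) that post-processes btool --debug style lines and flags two conditions a defender cares about here: a TLS key whose value still points at Splunk's stock self-signed files (etc/auth/server.pem, the CN=SplunkServerDefaultCert certificate, or etc/auth/cacert.pem), and a TLS key that is still being served from a default/ file because nothing in local/ overrides it. The sample lines are constructed to mimic btool output; the app names and paths in them are placeholders. It matches by path, not by reading the certificate subject, so a renamed copy of the default cert would not be caught.

```shell
#!/bin/sh
# Added example, not from the thread: audit the TLS-related keys in
# `splunk btool <conf> list --debug` output. btool --debug prefixes each
# line with the file the value was resolved from, so this flags keys that
# are (a) still served from a default/ file rather than your local/ config, or
# (b) still pointing at Splunk's self-signed default certificates
# (etc/auth/server.pem, etc/auth/cacert.pem).
#
# SAMPLE_BTOOL_OUTPUT is CONSTRUCTED to mimic btool --debug lines; the app
# names, paths and file names are placeholders, not from the original post.
SAMPLE_BTOOL_OUTPUT='/opt/splunkforwarder/etc/system/default/server.conf [sslConfig]
/opt/splunkforwarder/etc/system/default/server.conf serverCert = $SPLUNK_HOME/etc/auth/server.pem
/opt/splunkforwarder/etc/apps/my_uf_tls/local/server.conf sslRootCAPath = $SPLUNK_HOME/etc/auth/agency_ca.pem
/opt/splunkforwarder/etc/system/default/server.conf sslVerifyServerCert = false
/opt/splunkforwarder/etc/apps/my_outputs/local/outputs.conf clientCert = $SPLUNK_HOME/etc/auth/forwarder.pem'

# audit_tls_keys: reads btool --debug lines on stdin and prints one line per
# TLS key in the form:  <STATUS> <key> <value> <source file>
# STATUS is OK, DEFAULT-CERT (value is a stock Splunk cert) or DEFAULT-FILE
# (value comes from a default/ file, i.e. nothing of yours overrides it).
audit_tls_keys() {
  grep -E '(serverCert|clientCert|sslRootCAPath|caCertFile|sslVerifyServerCert|sslCommonNameToCheck)' |
  while read -r src rest; do
    key=${rest%%=*}; key=${key% }   # text before '=', trailing space trimmed
    val=${rest#*=};  val=${val# }   # text after '=', leading space trimmed
    status=OK
    case "$val" in
      */etc/auth/server.pem|*/etc/auth/cacert.pem) status=DEFAULT-CERT ;;
    esac
    if [ "$status" = OK ]; then
      case "$src" in
        */default/*) status=DEFAULT-FILE ;;
      esac
    fi
    printf '%s %s %s %s\n' "$status" "$key" "$val" "$src"
  done
}

# count_findings: number of audited keys that are not OK. A non-zero count
# means a stock certificate or an un-overridden default/ value is still in
# play somewhere in the TLS configuration.
count_findings() {
  printf '%s\n' "$SAMPLE_BTOOL_OUTPUT" | audit_tls_keys | grep -vc '^OK '
}

# Against a live forwarder you would feed btool directly, e.g.:
#   splunk btool server list --debug | audit_tls_keys
printf '%s\n' "$SAMPLE_BTOOL_OUTPUT" | audit_tls_keys
echo "findings: $(count_findings)"
```

On the constructed sample this reports serverCert as DEFAULT-CERT (the stock server.pem, which is exactly what produces the "SplunkServerDefaultCert" warning) and sslVerifyServerCert as DEFAULT-FILE, while the two keys set under local/ come back OK. Run it once for server, once for outputs and once for inputs, since the thread shows the management-port trust and the data path are configured in different files.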