https authentication

sarit_s
Communicator

Hello,
I'm trying to enable HTTPS on my server.
I'm getting the "Splunk HTTPS site not secure" message.
Also, SSL is enabled under Server settings.

This is my web.conf file:

[settings]
enableSplunkWebSSL = true
privKeyPath = /opt/splunk/etc/auth/wildkey.key
serverCert = /opt/splunk/etc/auth/wildkey.pem
httpport = 8000

When removing the comment marks from those rows, Splunk does not start.
What am I doing wrong?

0 Karma

DavidHourani
Super Champion

Hi @sarit_s,

Hope you're well. To enable HTTPS without your own certs, use this:

[settings] 
enableSplunkWebSSL = true 

If you want to add your own certs, please follow this guide step by step to be sure you're not missing anything:
https://docs.splunk.com/Documentation/Splunk/7.2.6/Security/SecureSplunkWebusingasignedcertificate

And here is the documentation for creating your own certs for Splunk :
https://docs.splunk.com/Documentation/Splunk/7.2.6/Security/AboutcreatingcertificatesforSplunk

Please let me know if you're stuck anywhere.

Cheers,
David

0 Karma

sarit_s
Communicator

Hi David,
thanks
This is exactly what I did, but when trying to start Splunk the service is up and the web interface does not start.

0 Karma

DavidHourani
Super Champion

You added this and it's not working?

[settings]
enableSplunkWebSSL = true

0 Karma

DavidHourani
Super Champion

Please check what errors you're getting in /opt/splunk/var/log/splunk/splunkd.log and post them here; we should be able to solve the problem with that.

0 Karma

sarit_s
Communicator

This is what I see:

HttpListener - Socket error from 10.11.44.171:65337 while idling: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read finished A', alert_description='certificate unknown'.
SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client key exchange A', alert_description='certificate unknown'.
X509Verify - X509 certificate (O=SplunkUser,CN=usnv02splunk01) should not be used, as it is issued by Splunk's own default Certificate Authority (CA). This puts your Splunk instance at very high-risk of the MITM attack. Either commercial-CA-signed or self-CA-signed certificates must be used; see:

0 Karma

DavidHourani
Super Champion

Check if anything is pointing to Splunk's default certs and make sure that your certs are the ones Splunk is pointing to:
$SPLUNK_HOME/bin/splunk cmd btool inputs list --debug
$SPLUNK_HOME/bin/splunk cmd btool outputs list --debug
$SPLUNK_HOME/bin/splunk cmd btool server list --debug

0 Karma

sarit_s
Communicator

I see this:

/opt/splunk/etc/system/default/server.conf serverCert = $SPLUNK_HOME/etc/auth/server.pem
/opt/splunk/etc/system/default/server.conf caCertFile = $SPLUNK_HOME/etc/auth/cacert.pem
/opt/splunk/etc/system/default/server.conf caCertFile = $SPLUNK_HOME/etc/auth/appsLicenseCA.pem

0 Karma

DavidHourani
Super Champion

These are the defaults, right? Did you try replacing them with your own files?

0 Karma

sarit_s
Communicator

No... should I?
Aren't the defaults just examples?

0 Karma

DavidHourani
Super Champion

If you uncommented this, then you should be using your own set of keys:

#privKeyPath = /opt/splunk/etc/auth/wildkey.key
#serverCert = /opt/splunk/etc/auth/wildkey.pem

0 Karma

sarit_s
Communicator

This is what I'm trying to do, but when I uncomment it Splunk Web does not start.

0 Karma

sarit_s
Communicator

It is working. It was a problem with the cert file.

0 Karma

DavidHourani
Super Champion

Haha... that explains the alert_description='certificate unknown'. 😄 Good job!

0 Karma

sarit_s
Communicator

Thanks David for all your help!

0 Karma

DavidHourani
Super Champion

Most welcome! Please upvote or accept if it's helpful! ^^

0 Karma

koshyk
Super Champion

Please try web.conf with the following settings. Also ensure the certs are "generated by a valid authority" for the browser to identify them. Self-signed certs may show errors depending on the browser.
I'm guessing your wildkey.key format may be incorrect, or is it encrypted?

web.conf

[settings]
enableSplunkWebSSL = true
# absolute paths may be used here, and PEM format for private keys
privKeyPath = $SPLUNK_HOME/etc/auth/myprivatekey.pem
serverCert = $SPLUNK_HOME/etc/auth/mycacert.pem
sslPassword = <password_if_key_is_encrypted>

Your server.conf also needs sslConfig set up.

0 Karma
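The two suspects raised in this thread, a cert that still chains to Splunk's default CA (David's btool check) and a key file in the wrong format or encrypted without sslPassword (koshyk's guess), can both be caught before restarting Splunk Web. The script below is an added example, not code from the thread or from Splunk. It takes the two paths that web.conf's privKeyPath and serverCert point at as arguments, classifies each file by its PEM header, and, only if openssl is installed, also checks that the key matches the certificate and that the issuer is not Splunk's default CA. The default CA name SplunkCommonCA and the file paths in the usage line are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread or from Splunk: sanity-check the
# files behind web.conf's privKeyPath / serverCert before restarting Splunk Web.
# Paths are passed as arguments; openssl is optional (deeper checks only).

# Classify a file by its PEM header: "key", "encrypted-key", "cert",
# "not-pem" (e.g. a DER/binary file) or "missing".
pem_kind() {
    f="$1"
    [ -r "$f" ] || { echo "missing"; return 0; }
    # Check encryption first: a legacy PKCS#1 encrypted key keeps the plain
    # "RSA PRIVATE KEY" header and marks encryption with a Proc-Type line.
    if grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo "encrypted-key"
    elif grep -Eq '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f"; then
        echo "key"
    elif grep -Eq '^-----BEGIN CERTIFICATE-----' "$f"; then
        echo "cert"
    else
        echo "not-pem"
    fi
}

# Exit status: 0 = pair looks usable, 1 = problem found,
# 2 = key is encrypted, so sslPassword must be set in web.conf.
check_web_ssl() {
    key="$1"; cert="$2"; rc=0
    kk=$(pem_kind "$key"); ck=$(pem_kind "$cert")
    echo "privKeyPath: $key ($kk)"
    echo "serverCert:  $cert ($ck)"
    [ "$ck" = "cert" ] || { echo "serverCert is not a PEM certificate"; rc=1; }
    case "$kk" in
        key) ;;
        encrypted-key)
            echo "key is encrypted: set sslPassword in web.conf"
            if [ "$rc" -eq 0 ]; then rc=2; fi ;;
        *) echo "privKeyPath is not a PEM private key"; rc=1 ;;
    esac
    # Deeper checks only when the headers look right and openssl is available.
    if [ "$rc" -eq 0 ] && command -v openssl >/dev/null 2>&1; then
        # Both commands emit the SubjectPublicKeyInfo in PEM, so the public
        # key derived from the private key must equal the one in the cert.
        kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
        cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
        if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
            echo "private key does not match the certificate"; rc=1
        fi
        # Assumption: Splunk's default CA identifies itself as SplunkCommonCA.
        # This is the condition behind the X509Verify warning in splunkd.log.
        if openssl x509 -in "$cert" -noout -issuer 2>/dev/null | grep -q 'SplunkCommonCA'; then
            echo "certificate is issued by Splunk's default CA"; rc=1
        fi
    fi
    return "$rc"
}

# Usage (paths assumed, taken from the thread):
#   sh check_web_ssl.sh /opt/splunk/etc/auth/wildkey.key /opt/splunk/etc/auth/wildkey.pem
if [ "$#" -eq 2 ]; then
    check_web_ssl "$1" "$2"
fi
```

Run it as the Splunk user so file permissions are tested the way splunkweb will see them. A non-zero exit tells you which of the two files to fix before looking any further at splunkd.log; exit status 2 means the key itself is fine but web.conf needs the matching sslPassword.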

sarit_s
Communicator

Thanks.
This is the config I have in server.conf:

[sslConfig]
sslPassword =

What password is it, do you know? Should I change it?

Also, can you please guide me on how to create the certificate so it will be accepted by the browser? It is not me who creates the certs and I want to guide the relevant person.

0 Karma

koshyk
Super Champion

The certificate needs to be created by an authorised authority if it has to be valid in a browser. Please have a read of: https://en.wikipedia.org/wiki/Certificate_authority . Your organisation may already have a team that does this and liaises with a Certificate Authority (CA).

0 Karma