Security

https authentication

Path Finder

Hello
I'm trying to enable HTTPS on my server.
I'm getting the "Splunk https site not secure" message.
Also, SSL is enabled under server settings.

This is my web.conf file:

[settings]
enableSplunkWebSSL = true
privKeyPath = /opt/splunk/etc/auth/wildkey.key
serverCert = /opt/splunk/etc/auth/wildkey.pem
httpport = 8000

When I remove the remarks from these rows, Splunk does not start.
What am I doing wrong?

SplunkTrust

Hi @sarit_s,

Hope you're well. To enable https without your own certs, use this:

[settings]
enableSplunkWebSSL = true

If you want to add your own certs, please follow this guide step by step to be sure you're not missing anything:
https://docs.splunk.com/Documentation/Splunk/7.2.6/Security/SecureSplunkWebusingasignedcertificate

And here is the documentation for creating your own certs for Splunk:
https://docs.splunk.com/Documentation/Splunk/7.2.6/Security/AboutcreatingcertificatesforSplunk

Please let me know if you're stuck anywhere.

Cheers,
David

Path Finder

Hi David,
thanks.
This is exactly what I did, but when trying to start Splunk the service is up and the web interface does not start.

SplunkTrust

You added this and it's not working?

[settings]
enableSplunkWebSSL = true

SplunkTrust

Please check what errors you're getting in /opt/splunk/var/log/splunk/splunkd.log and post them here; we should be able to solve the problem with that.

Path Finder

This is what I see:

HttpListener - Socket error from 10.11.44.171:65337 while idling: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown

SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read finished A', alert_description='certificate unknown'.

SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client key exchange A', alert_description='certificate unknown'.

X509Verify - X509 certificate (O=SplunkUser,CN=usnv02splunk01) should not be used, as it is issued by Splunk's own default Certificate Authority (CA). This puts your Splunk instance at very high-risk of the MITM attack. Either commercial-CA-signed or self-CA-signed certificates must be used; see:

SplunkTrust

Check if anything is pointing to Splunk's default certs and make sure that your certs are the ones that Splunk is pointing to:
$SPLUNK_HOME/bin/splunk cmd btool inputs list --debug
$SPLUNK_HOME/bin/splunk cmd btool outputs list --debug
$SPLUNK_HOME/bin/splunk cmd btool server list --debug

Path Finder

I see this:
/opt/splunk/etc/system/default/server.conf serverCert = $SPLUNK_HOME/etc/auth/server.pem
/opt/splunk/etc/system/default/server.conf caCertFile = $SPLUNK_HOME/etc/auth/cacert.pem
/opt/splunk/etc/system/default/server.conf caCertFile = $SPLUNK_HOME/etc/auth/appsLicenseCA.pem

SplunkTrust

These are the defaults, right? Did you try replacing them with your own files?

Path Finder

No... should I?
Aren't the defaults just examples?

SplunkTrust

If you uncommented this, then you should be using your own set of keys:

#privKeyPath = /opt/splunk/etc/auth/wildkey.key
#serverCert = /opt/splunk/etc/auth/wildkey.pem

Path Finder

This is what I'm trying to do, but when I uncomment it Splunk Web does not start.

Path Finder

It is working. It was a problem with the cert file.

SplunkTrust

haha... that explains the alert_description='certificate unknown'. 😄 Good job!

Path Finder

Thanks David for all your help!

SplunkTrust

Most welcome! Please upvote or accept if it's helpful! ^^

Super Champion

Please try web.conf with the following settings. Also ensure the certs are "generated by a valid authority" for the browser to recognise them; self-signed certs may show errors depending on the browser.
I'm guessing your wildkey.key format may be incorrect, or the key is encrypted?

web.conf

[settings]
enableSplunkWebSSL = true
# absolute paths may be used here; private keys must be in PEM format
privKeyPath = $SPLUNK_HOME/etc/auth/myprivatekey.pem
serverCert = $SPLUNK_HOME/etc/auth/mycacert.pem
sslPassword = <password_if_key_is_encrypted>

Your server.conf also needs the sslConfig stanza set up.
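
A pre-flight check for the key/cert pair that privKeyPath and serverCert point at, covering the failure modes raised in this thread: a non-PEM or encrypted key (needs sslPassword), a key that does not match the cert, and a cert issued by Splunk's default CA as flagged by the X509Verify warning above. This is an added example, not Splunk tooling or the poster's configuration; it assumes the openssl CLI is available, and the check_pem_pair/make_pair names and the example.com subjects are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check for the privKeyPath / serverCert pair that web.conf points at.
# Added example for this thread, not Splunk tooling; requires the openssl CLI.
# Usage: check_pem_pair KEY CERT [SSLPASSWORD]  -> returns 0 if usable, 1 otherwise.

check_pem_pair() {
    key="$1"; cert="$2"; pass="${3:-}"
    # Splunk Web reads PEM files, so a DER or PKCS#12 export will not load.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null \
        || { echo "FAIL: serverCert is not a PEM certificate"; return 1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null \
        || { echo "FAIL: privKeyPath is not a PEM private key"; return 1; }
    # An encrypted key only loads when sslPassword holds the right passphrase.
    if ! openssl pkey -in "$key" -passin "pass:$pass" -noout 2>/dev/null; then
        echo "FAIL: cannot read private key (bad format, or encrypted and sslPassword missing/wrong)"
        return 1
    fi
    # The public key derived from the private key must equal the one in the certificate.
    kpub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null || true)
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
        echo "FAIL: private key does not match the certificate"; return 1
    fi
    # The X509Verify warning in this thread: certs issued by Splunk's default CA
    # (organization "SplunkUser") must not stay in use.
    if openssl x509 -in "$cert" -noout -issuer 2>/dev/null | grep -q 'O *= *SplunkUser'; then
        echo "FAIL: certificate is issued by Splunk's default CA"; return 1
    fi
    echo "OK: $(openssl x509 -in "$cert" -noout -subject)"
}

# Constructed self-signed pair for demonstration only (a real deployment uses a CA-signed cert).
make_pair() {
    dir="$1"; subj="$2"; pass="${3:-}"
    if [ -n "$pass" ]; then keyopt="-passout pass:$pass"; else keyopt="-nodes"; fi
    # $keyopt is intentionally unquoted so it can expand to two words.
    openssl req -x509 -newkey rsa:2048 -days 1 -subj "$subj" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" $keyopt >/dev/null 2>&1
}

# Demo: a usable pair, then a pair mimicking the default-CA issuer seen in splunkd.log.
demo=$(mktemp -d)
mkdir "$demo/good" "$demo/default"
make_pair "$demo/good" "/CN=splunk.example.com"
make_pair "$demo/default" "/O=SplunkUser/CN=usnv02splunk01"
check_pem_pair "$demo/good/key.pem" "$demo/good/cert.pem"
check_pem_pair "$demo/default/key.pem" "$demo/default/cert.pem" || true
```

Run it against the real files before uncommenting privKeyPath/serverCert; a FAIL line names the reason Splunk Web would refuse to start rather than leaving you with a silent non-start.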

Path Finder

Thanks.
This is the config I have in server.conf:

[sslConfig]
sslPassword =

What password is it, do you know? Should I change it?

Also, can you please guide me on how to create the certificate so it will be accepted by the browser? It is not me who creates the certs and I want to guide the relevant guy.

Super Champion

The certificate needs to be created by an authorised authority if it has to be valid in a browser. Please have a read of: https://en.wikipedia.org/wiki/Certificate_authority . Your organisation may already have a team that does this and liaises with a Certificate Authority (CA).