Security

requireClientCert kills communication between splunkweb and splunkd

dmesler
Explorer

Hello, I'm trying to configure splunk to use certs created against a new self-signed ca cert. (Ala http://answers.splunk.com/questions/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certifi...)

Everything seemed to be going well until I enabled "requireClientCert" in server.conf. Now the splunk web process (port 8000) is no longer able to talk to the management port (8089). I get a 503 error and "The splunkd daemon cannot be reached by splunkweb. Check that there are no blocked network ports or that splunkd is still running."

I used the createssl command to create a new server cert as well as new web certs against the new new ca.

Any help?

Tags (2)

hexx
Splunk Employee
Splunk Employee

UPDATE : This should indeed be possible as of Splunk 4.3, as long as Splunkweb and splunkd are both using certificates provided by the same Root CA. Otherwise, Splunk Web will not be able to communicate with splunkd.

Note that communication between the CLI and splunkd will still be broken.

The following only applies to versions of Splunk prior to 4.3:

At this time, Splunk Web and the Splunk CLI are unable to perform mutual SSL authentication. There simply is no way to currently configure these components to present an SSL certificate when they talk to splunkd, which is why you observe this behavior.

This has been filed as a bug and will be resolved in a future release by allowing REST calls made by Splunk Web or the CLI to splunkd to use an SSL certificate.

If you were considering to use this setting to secure a deployment server co-located with a search head, a simple work-around in your case would be to spin-off a separate splunkd instance on the same machine but using a different splunkd port to act as the deployment server. Actually, this is one of the best practices we recommend for deployment server configuration simply because deployment server traffic occurs on splunkd's management port and can be disruptive to other traffic usually more important such as distributed search.

For more details, see this topic on the Splunk wiki.

Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...