
requireClientCert kills communication between splunkweb and splunkd

dmesler
Explorer

Hello, I'm trying to configure splunk to use certs created against a new self-signed CA cert (à la http://answers.splunk.com/questions/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certifi...).

Everything seemed to be going well until I enabled "requireClientCert" in server.conf. Now the splunk web process (port 8000) is no longer able to talk to the management port (8089). I get a 503 error and "The splunkd daemon cannot be reached by splunkweb. Check that there are no blocked network ports or that splunkd is still running."

I used the createssl command to create a new server cert as well as new web certs against the new CA.

Any help?


hexx
Splunk Employee

UPDATE : This should indeed be possible as of Splunk 4.3, as long as Splunkweb and splunkd are both using certificates provided by the same Root CA. Otherwise, Splunk Web will not be able to communicate with splunkd.

Note that communication between the CLI and splunkd will still be broken.

The following only applies to versions of Splunk prior to 4.3:

At this time, Splunk Web and the Splunk CLI are unable to perform mutual SSL authentication. There simply is no way to currently configure these components to present an SSL certificate when they talk to splunkd, which is why you observe this behavior.

This has been filed as a bug and will be resolved in a future release by allowing REST calls made by Splunk Web or the CLI to splunkd to use an SSL certificate.

If you were considering using this setting to secure a deployment server co-located with a search head, a simple work-around in your case would be to spin off a separate splunkd instance on the same machine, using a different splunkd port, to act as the deployment server. Actually, this is one of the best practices we recommend for deployment server configuration, simply because deployment server traffic occurs on splunkd's management port and can be disruptive to other, usually more important, traffic such as distributed search.

For more details, see this topic on the Splunk wiki.
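The answer above makes the working condition on 4.3+ explicit: the splunkd server certificate and the Splunk Web certificate must both chain to the same Root CA, otherwise the 503 / "splunkd daemon cannot be reached" symptom reappears. The script below is an added example (not from this thread, and not Splunk's own tooling) that builds a throwaway demo PKI with openssl and shows the check a practitioner would run before flipping requireClientCert: verify each leaf against the CA file you intend splunkd to trust. All CA names, file names and CNs are constructed for the demo; substitute the real CA file and the cert paths from your server.conf and web.conf.

```shell
#!/bin/sh
# Added example, not from the Splunk Answers thread: verify with openssl that
# the splunkd server cert and the Splunk Web cert chain to the SAME Root CA,
# which is the condition the answer gives for requireClientCert to work on
# 4.3+. Every file name and CN here is a constructed demo value.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_ca NAME: self-signed demo Root CA -> $WORK/NAME.pem and $WORK/NAME.key
gen_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$1" >/dev/null 2>&1
}

# gen_leaf CA NAME: leaf cert for NAME signed by demo CA -> $WORK/NAME.pem
gen_leaf() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -out "$WORK/$2.pem" -days 1 >/dev/null 2>&1
}

# same_root_ca CA_PEM CERT_PEM...: returns 0 only if every cert verifies
# against CA_PEM. Run it with the CA file splunkd trusts, the splunkd server
# cert and the Splunk Web cert; any failure here predicts the 503.
same_root_ca() {
  ca=$1; shift
  for c in "$@"; do
    openssl verify -CAfile "$ca" "$c" 2>/dev/null | grep -q ': OK$' || return 1
  done
  return 0
}

# Build the demo PKI: one "right" CA, one unrelated CA, three leaf certs.
gen_ca splunk-root-ca
gen_ca unrelated-ca
gen_leaf splunk-root-ca splunkd-server
gen_leaf splunk-root-ca splunkweb
gen_leaf unrelated-ca splunkweb-other-ca

# The pair signed by the same root passes ...
if same_root_ca "$WORK/splunk-root-ca.pem" "$WORK/splunkd-server.pem" "$WORK/splunkweb.pem"; then
  echo "OK: splunkd and splunkweb certs chain to the same Root CA"
else
  echo "FAIL: certs do not share a Root CA"
fi

# ... and a Splunk Web cert from a different CA is rejected, which is the
# configuration that reproduces the "splunkd daemon cannot be reached" error.
if same_root_ca "$WORK/splunk-root-ca.pem" "$WORK/splunkd-server.pem" "$WORK/splunkweb-other-ca.pem"; then
  echo "unexpected: mismatched CA accepted"
else
  echo "OK: splunkweb cert from another CA correctly rejected"
fi
```

The check deliberately uses the CA file as the single trust anchor rather than comparing issuer names, because two CAs can carry the same subject string while having different keys; `openssl verify` checks the actual signature chain, which is what splunkd does when requireClientCert is on.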
