
requireClientCert kills communication between splunkweb and splunkd

dmesler
Explorer

Hello, I'm trying to configure Splunk to use certs created against a new self-signed CA cert (à la http://answers.splunk.com/questions/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certifi...).

Everything seemed to be going well until I enabled "requireClientCert" in server.conf. Now the splunk web process (port 8000) is no longer able to talk to the management port (8089). I get a 503 error and "The splunkd daemon cannot be reached by splunkweb. Check that there are no blocked network ports or that splunkd is still running."

I used the createssl command to create a new server cert as well as new web certs against the new CA.

Any help?


hexx
Splunk Employee

UPDATE: This should indeed be possible as of Splunk 4.3, as long as Splunk Web and splunkd are both using certificates provided by the same Root CA. Otherwise, Splunk Web will not be able to communicate with splunkd.

Note that communication between the CLI and splunkd will still be broken.

The following only applies to versions of Splunk prior to 4.3:

At this time, Splunk Web and the Splunk CLI are unable to perform mutual SSL authentication. There simply is no way to currently configure these components to present an SSL certificate when they talk to splunkd, which is why you observe this behavior.

This has been filed as a bug and will be resolved in a future release by allowing REST calls made by Splunk Web or the CLI to splunkd to use an SSL certificate.

If you were considering using this setting to secure a deployment server co-located with a search head, a simple work-around in your case would be to spin off a separate splunkd instance on the same machine, using a different splunkd port, to act as the deployment server. Actually, this is one of the best practices we recommend for deployment server configuration, simply because deployment server traffic occurs on splunkd's management port and can be disruptive to other, usually more important, traffic such as distributed search.

For more details, see this topic on the Splunk wiki.
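The "same Root CA" condition from the answer can be checked with openssl before requireClientCert is turned on. The script below is an added example, not part of the thread or of Splunk; it builds throw-away CAs and leaf certs (all names are constructed) and tests whether the splunkweb cert would verify against the CA splunkd trusts, which is what the client-cert check on port 8089 amounts to.

```shell
# Added example: reproduce the "same Root CA" condition with throw-away
# certs and check it with openssl. CA and cert names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA -> NAME.key, NAME.pem (stands in for the
# CA file splunkd trusts in server.conf)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert CA NAME: leaf cert NAME.pem signed by CA (like the certs
# the question's createssl step produced for splunkd and splunkweb)
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" 2>/dev/null
}

# chains_to CA CERT: succeeds only if CERT verifies against CA, i.e.
# splunkd with requireClientCert would accept CERT as a client cert
chains_to() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# web_can_reach_splunkd CA WEBCERT: report ok/BROKEN, return accordingly
web_can_reach_splunkd() {
  if chains_to "$1" "$2"; then
    echo "ok: $2 chains to $1; splunkweb -> splunkd:8089 will authenticate"
  else
    echo "BROKEN: $2 does not chain to $1; expect the 503 from the question"
    return 1
  fi
}

make_ca splunk-ca                    # the new self-signed CA from the question
make_ca other-ca                     # an unrelated CA for the failure case
issue_cert splunk-ca splunkd
issue_cert splunk-ca splunkweb       # good: same root as splunkd
issue_cert other-ca splunkweb-wrong  # bad: different root

web_can_reach_splunkd splunk-ca splunkweb
web_can_reach_splunkd splunk-ca splunkweb-wrong || true
```

Point `chains_to` at the real CA file and the web cert from web.conf to run the same check against a live configuration.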
