
requireClientCert kills communication between splunkweb and splunkd


Hello, I'm trying to configure Splunk to use certs created against a new self-signed CA cert (à la http://answers.splunk.com/questions/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certifi...).

Everything seemed to be going well until I enabled "requireClientCert" in server.conf. Now the splunk web process (port 8000) is no longer able to talk to the management port (8089). I get a 503 error and "The splunkd daemon cannot be reached by splunkweb. Check that there are no blocked network ports or that splunkd is still running."

I used the createssl command to create a new server cert as well as new web certs against the new CA.

Any help?


Re: requireClientCert kills communication between splunkweb and splunkd

Splunk Employee

UPDATE : This should indeed be possible as of Splunk 4.3, as long as Splunkweb and splunkd are both using certificates provided by the same Root CA. Otherwise, Splunk Web will not be able to communicate with splunkd.

Note that communication between the CLI and splunkd will still be broken.

The following only applies to versions of Splunk prior to 4.3:

At this time, Splunk Web and the Splunk CLI are unable to perform mutual SSL authentication. There simply is no way to currently configure these components to present an SSL certificate when they talk to splunkd, which is why you observe this behavior.

This has been filed as a bug and will be resolved in a future release by allowing REST calls made by Splunk Web or the CLI to splunkd to use an SSL certificate.

If you were considering using this setting to secure a deployment server co-located with a search head, a simple work-around in your case would be to spin off a separate splunkd instance on the same machine, using a different splunkd port, to act as the deployment server. Actually, this is one of the best practices we recommend for deployment server configuration, simply because deployment server traffic occurs on splunkd's management port and can be disruptive to other, usually more important, traffic such as distributed search.

For more details, see this topic on the Splunk wiki.
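The answer above hinges on one condition: with requireClientCert enabled, the certificate Splunk Web presents must chain to the same root CA that splunkd trusts. The script below is an added example, not code from this thread or from Splunk, showing how to check that condition with the openssl CLI before restarting anything. It builds a throwaway CA, two leaf certs signed by it (standing in for the splunkd and splunkweb certs) and one leaf signed by an unrelated CA, then verifies which ones chain to the trusted root. The certificate names, the temporary directory and the openssl invocations are all assumptions; point `chains_to` at your real CA file and the certs referenced in server.conf and web.conf to run the same check against a live deployment.

```shell
#!/bin/sh
# Added example (not Splunk's or the thread author's code): confirm that two
# leaf certificates both verify against one root CA, which is the condition
# the answer gives for splunkweb <-> splunkd mutual TLS to work.
# Assumes the openssl CLI is installed. All certificates are constructed here.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed root CA -> $WORK/NAME.pem and $WORK/NAME.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_leaf NAME CA_NAME: leaf cert NAME signed by CA_NAME -> $WORK/NAME.pem
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -sha256 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
    -out "$WORK/$1.pem" >/dev/null 2>&1
}

# chains_to CA_NAME CERT_NAME: exit 0 iff CERT_NAME verifies against CA_NAME.
# On a real host replace the two paths with the CA file splunkd trusts and the
# certificate in question.
chains_to() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# same_root_ca CA_NAME CERT_A CERT_B: exit 0 only if both leafs chain to CA_NAME,
# i.e. the configuration the answer says splunkweb and splunkd need.
same_root_ca() {
  chains_to "$1" "$2" && chains_to "$1" "$3"
}

# report CA_NAME CERT_A CERT_B: human-readable result of the check
report() {
  if same_root_ca "$1" "$2" "$3"; then
    echo "OK: $2 and $3 both chain to $1"
  else
    echo "MISMATCH: $2 and $3 do not share root CA $1"
  fi
}

# Constructed scenario: one trusted root, two certs issued by it, and a third
# cert issued by an unrelated CA (e.g. a web cert left over from an old setup).
make_ca trusted_ca
make_ca unrelated_ca
make_leaf splunkd trusted_ca
make_leaf splunkweb trusted_ca
make_leaf old_web unrelated_ca

report trusted_ca splunkd splunkweb   # expected: OK
report trusted_ca splunkd old_web     # expected: MISMATCH
```

`openssl verify` only checks the chain and validity dates; it does not confirm that the paths in server.conf and web.conf actually point at these files, so keep that part of the review manual.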