Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SplunkCloud Kiteworks integration

Paaattt
Explorer
‎03-07-2025 12:35 AM

Need some guidance on SplunkCloud Kiteworks integration. We are utilizing built-in UF of Kiteworks found on admin console and sending it directly to cloud. Did you use the forwarder app package and how did you it? I don't have access to the client's KW console. All I know is currently it is asking us to upload 4 certificate files for tls and not the forwarder package app. The Splunk Cloud and Splunk Enterprise toggle button as well is disabled which is weird. I believe on lower version there no option for that but we have.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎03-09-2025 12:15 AM

Hi @Paaattt 

Are you able to get the password from the UF App downloaded from Splunk Cloud, rather than from a running Splunk instance? 

If you are trying to decrypt the value in a running instance, does it start $7? (If so you should be able to use the show-decrypted command - but remember to quote it so it doesnt try and resolve a variable starting $)

$SPLUNK_HOME/bin/splunk show-decrypted --value '<encrypted_value>'

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

 

View solution in original post

Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
‎03-07-2025 04:38 AM

Hi @Paaattt 

Are you using Splunk Cloud as your destination? If so you'll need to download the UF app download package which will contain your certificates, and if not you'll need to gather them from your Splunk Enterprise deployment (the location may depend on your setup).

Kiteworks requires separate files for the server certificate, intermediate certificate, root certificate, and private key for TLS setup. Typically for Splunk we combine these in a single PEM file, but Kiteworks needs them as distinct files.

  • Obtain your Splunk PEM certs, this would be inside the UF forwarder app if you're using Splunk Cloud.

  • Split out the certs/keys into individual certificates (server, intermediate, root) and the private key in separate files.

  • Verify that the certificates are in the correct format (PEM) and the private key is in RSA format

Once you have these files you should be able to upload these to KiteWorks which will then hopefully allow you to enable to output to Splunk.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Reply
Solved! Jump to solution

Paaattt
Explorer
‎03-07-2025 08:26 AM

Hi Will,

Did you separate them just by a text editor. Or you did additional steps? (e.g passphrase to decrypt the pem file, ssl password if needed , etc)

 

Thanks,

Patrick

0 Karma
Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
‎03-07-2025 09:34 AM

Hi @Paaattt 

Ye the file is ultimately a text file so you can use any regular text editor to edit and copy the contents into new files.

Good point about the encrypted key, Does Kiteworks offer a field for SSL Password (which will be in your UF app). If not you will need to remove the encrpytion from the key before you add it to Kiteworks

Use something like this

openssl rsa -in encrypted_key.pem -out decrypted_key.pem

When you run this command, OpenSSL will prompt you to enter the current password for the private key. After you provide the correct password, it will output the decrypted private key to the specified output file.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Reply
Solved! Jump to solution

Paaattt
Explorer
‎03-08-2025 08:13 AM

Hi @livehybrid ,

 

Thank you. So Kiteworks accepts the following

SSL certificate
SSL Password
Root Certificate
Intermediate Certificate

So yeah I can move them to separate pem file. My remaining problem is the SSL Password key. Splunk told me that the passphrase is located in $SPLUNK_HOME/etc/apps/100_**/local/outputs.conf.
[tcpout]
sslPassword = [value]

I decrypted the value using 
$SPLUNK_HOME/bin/splunk show-decrypted --value '<encrypted_value>'

Unfortunately it is giving me this error
139750988822336:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:603:
139750988822336:error:0906A065:PEM routines:PEM_do_header:bad decrypt:crypto/pem/pem_lib.c:461:

A bad decrypt. What do you think did I miss? I am doubting the ssl password. But if this is the right step I need to try again and see how it goes.

0 Karma
Reply
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎03-09-2025 12:15 AM

Hi @Paaattt 

Are you able to get the password from the UF App downloaded from Splunk Cloud, rather than from a running Splunk instance? 

If you are trying to decrypt the value in a running instance, does it start $7? (If so you should be able to use the show-decrypted command - but remember to quote it so it doesnt try and resolve a variable starting $)

$SPLUNK_HOME/bin/splunk show-decrypted --value '<encrypted_value>'

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

 

Reply
Solved! Jump to solution

Paaattt
Explorer
‎03-09-2025 08:17 PM

Hi @livehybrid ,

I just have another question. The certificate works and we are now doing the ingestion. Thank you for that. On the Admin guide. I have to do the following on Splunk Cloud:

1. Create Index
2. Enable receiver 9997
3. Enable TCP Inputs 514

We got a blocker on TCP Inputs. Ideally should be easy as like Settings > Data Inputs > Forwarded Inputs > TCP on the HF. But our approach is on Splunk Cloud (We don't use HF on this data even if we have for others. Project decided to have a saas to saas integration for KW). Now the prompt looks like this 

"You currently don't have any forwarders installed. If you've recently installed a new forwarder, click the refresh button below to reload page."

Refreshing it does nothing.
While I understand this on an on-prem deployment perspective. I can't fully understand the project's approach. the Admin guide provided as well is not helpful. No troubleshooting part for Splunk Cloud.

How did you proceed on the ingestion piece?

0 Karma
Reply
Solved! Jump to solution

Paaattt
Explorer
‎03-09-2025 12:40 AM

Thanks @livehybrid . Looks like I am decrypting it wrong. Need to ad '' as prefix and suffix. All good now. Thank you!!!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...