Need some guidance on SplunkCloud Kiteworks integration. We are utilizing the built-in UF of Kiteworks found on the admin console and sending it directly to cloud. Did you use the forwarder app package and how did you do it? I don't have access to the client's KW console. All I know is currently it is asking us to upload 4 certificate files for TLS and not the forwarder package app. The Splunk Cloud and Splunk Enterprise toggle button as well is disabled, which is weird. I believe on lower versions there is no option for that, but we have it.
Hi @Paaattt
Are you able to get the password from the UF App downloaded from Splunk Cloud, rather than from a running Splunk instance?
If you are trying to decrypt the value in a running instance, does it start with $7? (If so you should be able to use the show-decrypted command - but remember to quote it so it doesn't try and resolve a variable starting with $)
$SPLUNK_HOME/bin/splunk show-decrypted --value '<encrypted_value>'
Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
Hi @Paaattt
Are you using Splunk Cloud as your destination? If so you'll need to download the UF app download package which will contain your certificates, and if not you'll need to gather them from your Splunk Enterprise deployment (the location may depend on your setup).
Kiteworks requires separate files for the server certificate, intermediate certificate, root certificate, and private key for TLS setup. Typically for Splunk we combine these in a single PEM file, but Kiteworks needs them as distinct files.
Split out the certs/keys into individual certificates (server, intermediate, root) and the private key in separate files.
Verify that the certificates are in the correct format (PEM) and the private key is in RSA format.
Once you have these files you should be able to upload them to KiteWorks, which will then hopefully allow you to enable the output to Splunk.
Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
Hi Will,
Did you separate them just with a text editor, or did you do additional steps (e.g. passphrase to decrypt the PEM file, SSL password if needed, etc.)?
Thanks,
Patrick
Hi @Paaattt
Yes, the file is ultimately a text file, so you can use any regular text editor to edit and copy the contents into new files.
Good point about the encrypted key. Does Kiteworks offer a field for SSL Password (which will be in your UF app)? If not, you will need to remove the encryption from the key before you add it to Kiteworks.
Use something like this:
openssl rsa -in encrypted_key.pem -out decrypted_key.pem
When you run this command, OpenSSL will prompt you to enter the current password for the private key. After you provide the correct password, it will output the decrypted private key to the specified output file.
Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
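The two steps Will describes above (splitting the combined PEM from the UF app into separate server, intermediate, root and key files, then stripping the passphrase from the key with openssl rsa) can be scripted so the result is checked rather than eyeballed. The script below is an added example written for this thread, not code from Kiteworks, Splunk or the poster; the file names and the three-tier chain layout are assumptions, and it requires openssl on the path. It sorts the certificates by subject/issuer relationship (self-signed = root, issuer of another cert = intermediate, the rest = server) and finally confirms that the decrypted key actually belongs to the server certificate, which is the check that would have caught a wrong sslPassword before uploading anything to Kiteworks.

```shell
#!/bin/sh
# Added example for this thread (not Kiteworks/Splunk code). Assumes: the UF app's
# combined PEM is in one file, openssl is installed, and the output file names
# key.pem / cert-N.pem are acceptable (all assumptions).
set -eu

# Split every "-----BEGIN ...-----" block of a bundle into its own file under OUTDIR.
# Private-key blocks go to OUTDIR/key.pem, certificates to OUTDIR/cert-1.pem, cert-2.pem, ...
split_pem_bundle() {
  bundle=$1; outdir=$2
  mkdir -p "$outdir"
  awk -v out="$outdir" '
    /^-----BEGIN / {
      if ($0 ~ /PRIVATE KEY/) file = out "/key.pem"
      else { n++; file = out "/cert-" n ".pem" }
    }
    file != "" { print > file }
    /^-----END / { close(file); file = "" }
  ' "$bundle"
}

# Print "root", "intermediate" or "server" for one certificate, judged against the
# other cert-*.pem files in the same directory:
#   root         = self-signed (subject equals issuer)
#   intermediate = its subject is the issuer of some other certificate in the set
#   server       = everything else (the leaf that identifies this forwarder)
classify_cert() {
  cert=$1; dir=$(dirname "$cert")
  subj=$(openssl x509 -noout -subject -in "$cert" | sed 's/^subject=//')
  iss=$(openssl x509 -noout -issuer -in "$cert" | sed 's/^issuer=//')
  if [ "$subj" = "$iss" ]; then echo root; return; fi
  for other in "$dir"/cert-*.pem; do
    [ "$other" = "$cert" ] && continue
    oiss=$(openssl x509 -noout -issuer -in "$other" | sed 's/^issuer=//')
    if [ "$oiss" = "$subj" ]; then echo intermediate; return; fi
  done
  echo server
}

# Remove the passphrase from an encrypted private key (needed when Kiteworks has no
# SSL Password field). With a third argument the passphrase is passed non-interactively;
# without it openssl prompts, exactly as described in the thread.
decrypt_key() {
  if [ "$#" -ge 3 ]; then
    openssl rsa -in "$1" -out "$2" -passin "pass:$3"
  else
    openssl rsa -in "$1" -out "$2"
  fi
}

# Confirm the (decrypted) key belongs to the server certificate by comparing the
# public key embedded in the certificate with the one derived from the private key.
key_matches_cert() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1")
  key_pub=$(openssl pkey -pubout -in "$2")
  [ "$cert_pub" = "$key_pub" ]
}

# Usage (assumed file names): sh split_uf_bundle.sh <bundle.pem> <outdir> [passphrase]
if [ "$#" -ge 2 ]; then
  split_pem_bundle "$1" "$2"
  for c in "$2"/cert-*.pem; do
    echo "$c: $(classify_cert "$c")"
  done
  if [ "$#" -ge 3 ] && [ -f "$2/key.pem" ]; then
    decrypt_key "$2/key.pem" "$2/key.decrypted.pem" "$3"
    key_matches_cert "$(ls "$2"/cert-*.pem | head -n 1)" "$2/key.decrypted.pem" \
      && echo "key matches cert-1.pem" || echo "WARNING: key does not match cert-1.pem"
  fi
fi
```

If the subject/issuer classification does not place exactly one certificate in each of the three roles, the bundle is not the simple server/intermediate/root chain Kiteworks expects and should be inspected with openssl x509 -text before upload; a "bad decrypt" from decrypt_key, as seen later in this thread, means the passphrase is wrong rather than the file.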
Hi @livehybrid ,
Thank you. So Kiteworks accepts the following
SSL certificate
SSL Password
Root Certificate
Intermediate Certificate
So yeah, I can move them to separate PEM files. My remaining problem is the SSL Password key. Splunk told me that the passphrase is located in $SPLUNK_HOME/etc/apps/100_**/local/outputs.conf.
[tcpout]
sslPassword = [value]
I decrypted the value using
$SPLUNK_HOME/bin/splunk show-decrypted --value '<encrypted_value>'
Unfortunately it is giving me this error
139750988822336:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:603:
139750988822336:error:0906A065:PEM routines:PEM_do_header:bad decrypt:crypto/pem/pem_lib.c:461:
A bad decrypt. What do you think I missed? I am doubting the SSL password. But if this is the right step I need to try again and see how it goes.
Hi @livehybrid ,
I just have another question. The certificate works and we are now doing the ingestion. Thank you for that. In the Admin guide, I have to do the following on Splunk Cloud:
1. Create Index
2. Enable receiver 9997
3. Enable TCP Inputs 514
We got a blocker on TCP Inputs. Ideally it should be easy, like Settings > Data Inputs > Forwarded Inputs > TCP on the HF. But our approach is on Splunk Cloud (we don't use an HF for this data, even though we have one for others; the project decided to have a SaaS-to-SaaS integration for KW). Now the prompt looks like this:
"You currently don't have any forwarders installed. If you've recently installed a new forwarder, click the refresh button below to reload page."
Refreshing it does nothing.
While I understand this from an on-prem deployment perspective, I can't fully understand the project's approach. The Admin guide provided is also not helpful: there is no troubleshooting part for Splunk Cloud.
How did you proceed on the ingestion piece?
Thanks @livehybrid. Looks like I was decrypting it wrong. Need to add '' as prefix and suffix. All good now. Thank you!!!