Splunk Enterprise Security

ES Glass Table not loading after activating requireClientCert in sslConfig (SSLError)

tsmadi
Explorer

Hello,

I have a problem with Splunk ES Glass Tables not loading when setting requireClientCert=true in sslConfig. Of course, I have the complete SSL setup working fine with sslVersions=tls1.2, using certificates signed by my own CA.

When trying to access the Glass Tables from ES menu, I get the following error message:

HTTPSConnectionPool(host='127.0.0.1', port=8089): Max retries exceeded with url: /servicesNS/nobody/SplunkEnterpriseSecuritySuite/storage/collections/config/SplunkEnterpriseSecuritySuite_glasstables (Caused by SSLError(SSLError(1, u'[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:742)'),))

P.S.: I have tried to add ssl3 to the allowed list in sslVersions just to check if this is the problem, but I end up with a KVStore failure. However, this is not how I want to solve it.

Thank you for your interactivity and responses in advance 🙂

Regards

0 Karma
1 Solution

tsmadi
Explorer

Hello, 

Sorry for taking so long to reply, but Splunk support should have taken care of this issue a long time ago!

As promised, the solution for this issue is to enable the client authentication to use the SSL certificates provided for inter-server communication (Splunk components within the server), because the server is forced to authenticate all communications when requireClientCert=true.

To enable this, go to:

/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/lib/SplunkEnterpriseSecuritySuite_app_common/solnlib/packages/requests/sessions.py

Edit the file and modify the following Python tuple:

self.cert = ("Path to CA", "Path to certificate")

Save the file and restart Splunk. The Glass Tables should work now with no problem. However, you might need to troubleshoot other inter-Splunk communications based on your environment.

 @youngsuh @swati_singh 

Let me know how it goes!
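
A triage sketch for the error in this thread, added here as an example (not code from the original posts or from Splunk): it reads the `[sslConfig]` stanza and the client-side error text and reports why the call to 127.0.0.1:8089 fails. The sample `server.conf` text, the function names and the finding labels are constructed for illustration; the point it encodes is that `SSLV3_ALERT_HANDSHAKE_FAILURE` is OpenSSL's name for a TLS alert and does not mean SSLv3 has to be enabled.

```python
import configparser
import re

# Constructed sample of the [sslConfig] stanza in server.conf, as the thread describes it.
SAMPLE_SERVER_CONF = "[sslConfig]\nsslVersions = tls1.2\nrequireClientCert = true\n"

# Error text from the question, abridged (URL path omitted).
SAMPLE_ERROR = (
    "HTTPSConnectionPool(host='127.0.0.1', port=8089): Max retries exceeded "
    "(Caused by SSLError(SSLError(1, u'[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] "
    "sslv3 alert handshake failure (_ssl.c:742)'),))"
)


def read_ssl_config(conf_text):
    """Return the [sslConfig] stanza as a dict, keeping case-sensitive key names."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # configparser lowercases keys unless told otherwise
    parser.read_string(conf_text)
    return dict(parser["sslConfig"]) if parser.has_section("sslConfig") else {}


def triage(conf_text, error_text):
    """Combine the listener settings and a client-side error into findings (labels are hypothetical)."""
    cfg = read_ssl_config(conf_text)
    versions = {v.strip().lower() for v in cfg.get("sslVersions", "").split(",") if v.strip()}
    # Assumption: only "true" and "1" are treated as enabled in this sketch.
    needs_cert = cfg.get("requireClientCert", "false").strip().lower() in ("true", "1")
    alert = re.search(r"\[SSL: ([A-Z0-9_]+)\]", error_text)
    local = re.search(r"host='(127\.0\.0\.1|localhost)', port=(\d+)", error_text)
    findings = []
    if alert and alert.group(1) == "SSLV3_ALERT_HANDSHAKE_FAILURE":
        # OpenSSL's name for TLS alert 40; it is raised on TLS 1.2 connections as well.
        findings.append("alert-name-is-not-protocol-version")
        if needs_cert:
            # A listener that requires client certificates sends this alert to a
            # TLS 1.2 client that presented none.
            findings.append("likely-missing-client-certificate")
            if local:
                findings.append("local-rest-caller-on-port-" + local.group(2))
    if "ssl3" in versions:
        # Enabling ssl3 does not address the alert and weakens the listener.
        findings.append("legacy-protocol-enabled")
    return findings
```
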

swati_singh
Engager

Hi, did you manage to solve this issue? I am getting the same issue in another app.

0 Karma

tsmadi
Explorer

Hello,

Yes, I did solve it.

After Splunk support failed to solve it, I had to act on my own.

I solved it and Splunk support asked me to show them the solution and after they saw it, they were supposed to modify it and register a bug under my name, but unfortunately they didn't.

If you are still having this problem let me know and I will post the solution.

 

Regards 

0 Karma

youngsuh
Contributor

Yes. I am having an issue. Please post the solution.

0 Karma