Hello,
I have a problem with Splunk ES Glass Tables not loading when setting requireClientCert=true in sslConfig. Of course I have the complete SSL setup working fine with sslVersions=tls1.2 using certificates signed by my own CA.
When trying to access the Glass Tables from ES menu, I get the following error message:
HTTPSConnectionPool(host='127.0.0.1', port=8089): Max retries exceeded with url: /servicesNS/nobody/SplunkEnterpriseSecuritySuite/storage/collections/config/SplunkEnterpriseSecuritySuite_glasstables (Caused by SSLError(SSLError(1, u'[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:742)'),))
P.S.: I have tried adding ssl3 to the allowed list in sslVersions just to check whether this is the problem, but I end up with a KVStore failure. However, this is not how I want to solve it.
Thank you for your interactivity and responses in advance 🙂
Regards
Hello,
Sorry for taking so long to reply, but Splunk support should have taken care of this issue a long time ago!
As promised, the solution for this issue is to enable the client authentication to use the SSL certificates provided for inter-server communication (Splunk components within the server) because the server is forced to authenticate all communications when requireClientCert=true.
To enable this, go to
/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/lib/SplunkEnterpriseSecuritySuite_app_common/solnlib/packages/requests/sessions.py
Edit the file and modify the following Python tuple:
self.cert = ("Path to CA", "Path to certificate")
Save the file and restart Splunk. The Glass Tables should now work with no problem. However, you might need to troubleshoot other inter-Splunk communications based on your environment.
Let me know how it goes!
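Added example, not part of the original post or of Splunk's code: requests reads the cert tuple as a (client certificate file, private key file) pair, needs that key unencrypted, and takes the CA bundle through the separate verify setting, so this sketch checks a pair before it goes into self.cert. The function names and the stub PEM files (markers only, no real key material) are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def pem_labels(path):
    """Return the PEM block labels found in a file, in order."""
    return PEM_BEGIN.findall(Path(path).read_text(errors="replace"))


def check_cert_tuple(cert_path, key_path):
    """List problems with a (client certificate, private key) pair.

    An empty list means the pair has the shape requests expects.
    """
    problems = []
    for role, path in (("certificate", cert_path), ("key", key_path)):
        if not Path(path).is_file():
            problems.append(f"{role} file not found: {path}")
    if problems:
        return problems
    if "CERTIFICATE" not in pem_labels(cert_path):
        problems.append("first element holds no CERTIFICATE block")
    key_blocks = [lab for lab in pem_labels(key_path) if lab.endswith("PRIVATE KEY")]
    if not key_blocks:
        problems.append("second element holds no PRIVATE KEY block")
    # Both PEM styles of passphrase protection: PKCS#8 label and legacy header.
    key_text = Path(key_path).read_text(errors="replace")
    if "ENCRYPTED PRIVATE KEY" in key_blocks or "Proc-Type: 4,ENCRYPTED" in key_text:
        problems.append("private key is passphrase-protected")
    return problems


def demo():
    """Check a well-formed pair and a (CA, certificate) pair on stub files."""
    def block(label):
        return f"-----BEGIN {label}-----\nAAAA\n-----END {label}-----\n"

    with tempfile.TemporaryDirectory() as d:
        ca, leaf, key = (Path(d) / n for n in ("ca.pem", "client.pem", "client.key"))
        ca.write_text(block("CERTIFICATE"))
        leaf.write_text(block("CERTIFICATE"))
        key.write_text(block("PRIVATE KEY"))
        return check_cert_tuple(leaf, key), check_cert_tuple(ca, leaf)
```

A pair that fails this check leaves the client with nothing usable to present, so a server with requireClientCert=true still rejects the handshake.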
Hi, did you manage to solve this issue? I am getting the same issue in another app.
Hello,
Yes, I did solve it.
After Splunk support failed to solve it, I had to act on my own.
I solved it, and Splunk support asked me to show them the solution. After they saw it, they were supposed to modify it and register a bug in my name, but unfortunately they didn't.
If you are still having this problem, let me know and I will post the solution.
Regards