Splunk Search

Please help for ssl for splunkd - Splunk runs but cannot log in and is slow

net1993
Path Finder

Hello
I want to secure splunkd DS->clients with self-signed ssl cert but for some reason it doesn't work.

From splunk docs , I followed this:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Securingyourdeploymentserverandclients
but the only info there is that you need to add config in server.conf and that there must be used the same CA cert as Web splunk
so I have created a new server cert from the same CA as the Web cert is and have the following configs:

server.conf
[sslConfig]
enableSplunkdSSL = true
sslVersions = *,-ssl2
serverCert = ServerCertificate2.pem
sslPassword = encryptedpass
sslRootCAPath = CACertificate.pem

web.conf
[settings]
enableSplunkWebSSL = true
privKeyPath = ServerPrivateKey1.key
serverCert = ServerPrivateKey1.pem

inputs.conf
[general]
serverCert = ServerCertificate3.pem
sslPassword = encryptedpass

If I start splunk with the above, splunk starts but it loads very very slow and No one can log in. The only thing I can see in the log is:
WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read finished A', alert_description='certificate unknown'.
But I noticed that the same warning comes even if I run the working server.conf:

If I change the server.conf so that it is using the same server cert as the inputs.conf , Splunk has no problems and works perfectly.
[sslConfig]
enableSplunkdSSL = true
sslVersions = *,-ssl2
serverCert = ServerCertificate3.pem
sslPassword = encryptedpass
sslRootCAPath = CACertificate.pem

So why I cannot use two different server.certs for splunkd and data encryption traffic?
Is there something I don't do correct and where I can find more info for splunk ssl in splunk docs?

Many thanks in advance

Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi net1993,
at first, why do you used signed certificates Authentication between deployment servers and clients?
you can read at the page you indicated that's not recommended, because the configuration data pushed from the deployment server to client does not generally provide exploitable information!.
In addition, configuring certificate authentication for a deployment server and clients impacts the rest of your configuration as follows:

  • Splunk Web will fail to authenticate unless you also configure it to use the certificate,
  • The CLI will be not be able to communicate with the deployment server.

In addition Deployment Server and Deployment Clients are connected in https.

Then I think that Splunk cannot use two different certificates and there isn't a reason to do this.

Bye.
Giuseppe

0 Karma

net1993
Path Finder

Hello @gcusello

Thank you for response.
1. I have noticed that it is not recommended but it is requirement
Ok, I think then it is me who didn't quite catch the docs. So they are actually saying that authentication will fail in case there is not used the same server certificate.
Can you explain me what more about the second point with the CLI? CLI of which host will not be able to communicate with DS?

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...