Why am I getting error "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)" running a search through the Splunk Java SDK?

maximus_reborn
Path Finder

I am getting the following error when I am running a search through the Splunk Java SDK:

java.lang.RuntimeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

I am using splunk-sdk-java-1.5.0 and ran the command:

java -jar dist/examples/search.jar "sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body | where '3' > 0" --output_mode=csv
0 Karma

GregZillgitt
Path Finder

I had the same issue with the Splunk Java SDK 1.5 and Java 8. Adding the following line before the connect() fixed it:

HttpService.setSslSecurityProtocol(SSLSecurityProtocol.TLSv1_2);

gesangbaer
Engager

While trying to solve this issue I found all sorts of stuff about swapping java versions and performing custom builds of the SDK. This was the solution that worked for me. Thank you Greg!

0 Karma

shaskell_splunk
Splunk Employee

maximus_reborn
Path Finder

Hi shaskell,
Thanks, I went through it, but I am getting the following error now.
I am using SDK 1.5.0 and JRE7.
Do you know how to resolve it? I have changed https to http in the .splunkrc file.

java.lang.RuntimeException: Connection reset
at com.splunk.HttpService.send(HttpService.java:427)
at com.splunk.Service.send(Service.java:1293)
at com.splunk.HttpService.post(HttpService.java:308)
at com.splunk.Service.login(Service.java:1122)
at com.splunk.Service.login(Service.java:1101)
at com.splunk.Service.connect(Service.java:187)
at com.splunk.examples.search.Program.run(Unknown Source)
at com.splunk.examples.search.Program.main(Unknown Source)
Caused by: java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:196)
at java.net.SocketInputStream.read(SocketInputStream.java:122)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:275)
at java.io.BufferedInputStream.read(BufferedInputStream.java:334)
at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:690)
at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:633)
at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:661)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1324)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:468)
at com.splunk.HttpService.send(HttpService.java:425)
... 7 more
0 Karma

shaskell_splunk
Splunk Employee

You'll want to change the scheme back to https in your .splunkrc.

If you're using Oracle JDK, try commenting out the following line from your java.security file.

#jdk.tls.disabledAlgorithms=SSLv3

I'm running CentOS 7 and modifying this line from /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.101-2.6.6.1.el7_2.x86_64/jre/lib/security/java.security on the default OpenJDK install worked for me.

From:
jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768

To:
jdk.tls.disabledAlgorithms=MD5withRSA, DH keySize < 768

The SDK uses SSLv3 by default which is disabled in the security settings.
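
As an added example (not from this thread or from the Splunk SDK), the following JDK-only check lists which protocol versions the local JVM still permits after jdk.tls.disabledAlgorithms is applied, so you can confirm that TLSv1.2 is available before selecting it in the SDK. The class name TlsProtocolCheck and its method names are hypothetical.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

// Added diagnostic, not Splunk SDK code. Uses only JDK APIs.
public class TlsProtocolCheck {

    // Entries of the jdk.tls.disabledAlgorithms security property, trimmed.
    static Set<String> disabledEntries() {
        Set<String> out = new LinkedHashSet<>();
        String prop = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (prop != null) {
            for (String entry : prop.split(",")) {
                out.add(entry.trim());
            }
        }
        return out;
    }

    // Protocols the provider supports and the security policy does not disable.
    static List<String> usableProtocols() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key managers, trust managers, RNG
        Set<String> disabled = disabledEntries();
        List<String> usable = new ArrayList<>();
        for (String p : ctx.getSupportedSSLParameters().getProtocols()) {
            // SSLv2Hello is a hello format, not a protocol version.
            if (!p.equals("SSLv2Hello") && !disabled.contains(p)) {
                usable.add(p);
            }
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        // Protocol to test; SSLv3 is what the thread says SDK 1.5.0 requests.
        String wanted = args.length > 0 ? args[0] : "SSLv3";
        List<String> usable = usableProtocols();
        System.out.println("disabled by policy: " + disabledEntries());
        System.out.println("usable protocols:   " + usable);
        if (usable.contains(wanted)) {
            System.out.println(wanted + " is permitted by this JVM");
        } else {
            System.out.println(wanted + " is blocked: a client limited to it has"
                + " no protocol left to offer; pick one from the usable list");
        }
    }
}
```

Run it with the same java binary that launches the SDK examples, since each JRE install has its own java.security file.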

maximus_reborn
Path Finder

Also, sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body | where '3' > 0 is not working though it did in Web.

For example:
(Not working)

java -jar dist/examples/search_oneshot.jar "sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body | where '3' > 0" --output_mode=json

(Working)

java -jar dist/examples/search_oneshot.jar "search * |  tail 10" --output_mode=json

Is there any way to use sourcetype in CLI? I am getting Unknown search command 'sourcetype'. It worked in Splunk Web.

Update: By putting 'search' ahead of the command, it worked.

0 Karma

maximus_reborn
Path Finder

Actually, when I am using https and did enableSplunkdSSL = true, it did not work, but when I did http and did enableSplunkdSSL = false, it worked. I commented the required line in java.security also.
I know it's not recommended but do you have any workaround?

0 Karma