So, I thought the same; however, I can't seem to pass that variable within the context of splunk cmd.
OPENSSL_FIPS=1 openssl works fine.
$SPLUNK_HOME/bin/splunk cmd OPENSSL_FIPS=1 openssl returns
couldn't run "/opt/splunk/bin/OPENSSL_FIPS=1": No such file or directory
Perhaps there's some sort of syntactical fix/workaround for that in Splunk that I'm not aware of.
Attempting to install local/self-signed certs (Splunk Indexer houses Root CA with a cert distributed to all forwarders), and receiving the following error, ostensibly FIPS-related:
ERROR SSLCommon - Can't read key file /opt/splunkforwarder/etc/auth/mycerts/forwarderchain.pem errno=101351587 error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips.
This is on a Splunk Forwarder with FIPS enabled (all installations will be on Linux FIPS-kernel systems), using Splunk's inboard OpenSSL (1.0.2p-fips; and even if this had failed the latent installation instance is 1.0.2k-fips), and using ciphers that should be validated to generate the keys (-aes256 on key generation, -sha512 for final pem).
Is there some inherent compatibility issue that I'm missing that prevents this setup while in FIPS mode? Has anyone run across a similar error when working through the Splunk documentation for cert generation? I've essentially followed the following pages step for step:
I've seen some references about needing to set OPENSSL_FIPS=1 for the OpenSSL instance, but can't tell if that's a change to the openssl.cnf file in /opt/splunkforwarder/openssl/openssl.conf, a general environment setting, or if it's even needed given I have the FIPS OpenSSL package to begin with.