Hi! I have worked for a while to make Splunk use TLS and PKI as much as possible. At present the system contains of version 8.0.1 components only. I have managed to get Splunk Indexer to require client certificate from the UFs, and it seems to work. The Splunk serverCert is in a file containing the certificate, private key, issuer certificate and the root-CA certificate (the issuer of the issuer certificate). The trusted root-CA -certificates are in a separate text file. For this connection requiring requireClientCert = true works fine. With the web-UI things are not going as elegantly. My web.conf looks like this: [settings] enableSplunkWebSSL = 1 privKeyPath = etc/auth/splunkweb/splunk.pki.key serverCert = etc/auth/splunkweb/splunk.pki.txt requireClientCert = false sslVersions = tls1.2 loginBackgroundImageOption = none login_content = This is a <b>Test installation</b>. With the above, things are just fine. Changing requireClientCert to true breaks everything and the webGUI is not started. The splunkd.log gets populated with lines like: 03-09-2020 12:45:04.223 +0200 ERROR X509Verify - X509 certificate (CN=Root CA,O=X,C=Y) failed validation; error=19, reason="self signed certificate in certificate chain" I get exactly the same error message, if I connect using openSSL to the indexer port, where UFs connect: openssl s_client -connect splunk:9998 -state -prexit * Certificate chain 0 s:/C=Y/O=X/CN=Test Splunk Indexer i:/C=Y/O=X/CN=TestCA-1 1 s:/C=Y/O=X/CN=TestCA-1 i:/C=Y/O=X/CN=Root CA 2 s:/C=Y/O=X/CN=Root CA i:/C=Y/O=X/CN=Root CA * SSL-Session: Protocol : TLSv1.2 * Verify return code: 19 (self signed certificate in certificate chain) My point here is that the connection between UF and indexer still works fine. The question is: Is requireClientCertificate simply not supported in the web-GUI, or is there something in the documentation I have not understood correctly? If it is possible to require a certificate from the client (i.e. a web browser), is there a way to define the trusted CA-certificates and should any intermediate CA certifictes be included as well? Another thing I have been wondering about is certificate validation and CRLs. Is there a way to make Splunk actually validate the certificates it is presented? Best regards, Petri ... View more

Hi, I am trying to establish an SSL/TLS-connection with own certificates between the UFs and the indexer. I would also like to enable non-SSL connection for some UFs, but so far I haven't been able to have the indexer set up an SSL/TLS-listener. When everything is ready and done, I might be happy with a purely SSL/TLS-based environment, but for the transition period enabling both would be nice. I have tried to follow the instructions on page https://docs.splunk.com/Documentation/Splunk/8.0.1/Security/ConfigureSplunkforwardingtousesignedcertificates So far I have worked with the indexer. In ~splunk/etc/system/local/inputs.conf I have added the following: [SSL] serverCert = /opt/splunk/etc/auth/my-CA/IndexerCerts.txt # sslPassword = This was supposedly unnecessary sslRootCAPath = /opt/splunk/etc/auth/my-CA/myCACertificates.txt requireClientCert = false sslVersions = tls1.2 Also, I added to the ~splunk/etc/system/local/server.conf the following line sslRootCAPath = /opt/splunk/etc/auth/my-CA/myCACertificates.txt The file myCACertificates.txt contains as PEM the issuing CA for the IndexerCert and the RootCA on top of that and in this order. Effectively this is a trust store containing the SubCA and Root CA above the indexers certificates. I don't see any reason why any other similar SubCA and RootCA chain could not be included if a client certificate issued by those would be needed, but let's leave that for now. The file IndexerCerts.txt contains the following items AS PEM in order: Indexer certificate Indexer private key (unencrypted) Issuing SubCA certificate RootCA certificate The reason for the private key for being unencrypted is that the documentation I found let me understand it would not be needed or even not necessary. The password would still need to be available somewhere, but upon restart splunkd didn't complain about the configuration. Nevertheless, the connections remained as plain-text connections. The log says the following: 12-23-2019 17:25:34.062 +0200 INFO loader - Setting SSL configuration. 12-23-2019 17:25:34.062 +0200 INFO loader - Server supporting SSL versions TLS1.2 12-23-2019 17:25:34.062 +0200 INFO loader - Using cipher suite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256 12-23-2019 17:25:34.062 +0200 INFO loader - Using ECDH curves : prime256v1, secp384r1, secp521r1 ... 12-23-2019 17:25:35.923 +0200 INFO TcpInputProc - Registering metrics callback for: tcpin_connections 12-23-2019 17:25:35.923 +0200 INFO TcpInputConfig - IPv4 port 9997 is reserved for splunk 2 splunk 12-23-2019 17:25:35.923 +0200 INFO TcpInputConfig - IPv4 port 9997 will negotiate s2s protocol level 6 12-23-2019 17:25:35.924 +0200 INFO TcpInputProc - Creating fwd data Acceptor for IPv4 port 9997 with Non-SSL Any suggestions what I am doing wrong? ... View more