06-22-2018
01:34 PM
1 Karma
Interesting! I will reach out to education and see what is going on.
06-22-2018
12:33 PM
2 Karma
Hi ddrillic,
You are definitely looking at an old version of the spec files. Are you working with a version of Splunk that is earlier than 6.4?
In the later versions of Splunk:
"sslCertPath" is deprecated, we now use "clientCert" instead
"sslRootCAPath" has been deprecated entirely.
In inputs.conf
"rootCA" is deprecated.
I do think there are probably some things we can do to make the files more compatible, I'm working with dev on that. Thank you for bringing this up.
Thanks,
jen
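An added example, not part of jen's reply: a small audit script that scans Splunk .conf files for the SSL attributes the reply calls deprecated (sslCertPath, sslRootCAPath, rootCA) and reports the stanza each one sits in. It assumes awk is available; the outputs.conf and inputs.conf fragments are constructed samples, not files from any real deployment.

```shell
#!/bin/sh
# Scans Splunk .conf files for deprecated SSL attributes named in the reply
# above and prints "file:stanza:attribute:advice" for each hit.
# Assumes awk is available. The sample files below are constructed.
set -e

find_deprecated_ssl_attrs() {
  awk '
    # Remember the stanza header so each finding can be located.
    /^[[:space:]]*\[/ { stanza = $0; sub(/^[[:space:]]+/, "", stanza); next }
    # Match only the exact deprecated attribute names at the start of a line.
    /^[[:space:]]*(sslCertPath|sslRootCAPath|rootCA)[[:space:]]*=/ {
      key = $0
      sub(/[[:space:]]*=.*$/, "", key)
      sub(/^[[:space:]]+/, "", key)
      advice = (key == "sslCertPath") ? "use clientCert instead" : "deprecated, remove"
      print FILENAME ":" stanza ":" key ":" advice
    }' "$@"
}

OUT=$(mktemp)
IN=$(mktemp)
# Constructed outputs.conf fragment mixing old and current attribute names.
cat > "$OUT" <<'EOF'
[tcpout]
defaultGroup = ssl_group

[tcpout:ssl_group]
server = indexer.example.test:9997
sslCertPath = $SPLUNK_HOME/etc/auth/client.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
sslVerifyServerCert = true
EOF
# Constructed inputs.conf fragment still using the old rootCA attribute.
cat > "$IN" <<'EOF'
[splunktcp-ssl:9997]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
rootCA = $SPLUNK_HOME/etc/auth/cacert.pem
EOF

find_deprecated_ssl_attrs "$OUT" "$IN"
```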
01-25-2018
01:56 PM
Hi there,
I write the docs for the Securing Splunk manual. I wanted to pop in to say that the community article you are looking at is not really correct for version 6.4 or later.
https://docs.splunk.com/Documentation/Splunk/7.0.1/Security/ConfigureSplunkforwardingtousesignedcertificates#Configure_your_forwarders_to_use_your_certificates is definitely the most up to date topic.
And feel free to review that topic as well, I'm always looking for ways to improve the docs!
Cheers,
Jennifer
01-02-2018
04:42 PM
The port should default to 9997.
Is there any chance that port is already in use? If so Splunk would use another port.
You could also try manually setting the ports to something that works for you.
This topic offers some guidelines for configuring your spec file attributes:
http://docs.splunk.com/Documentation/Splunk/Security/ConfigureSplunkforwardingtousesignedcertificates.
12-06-2017
10:50 AM
The second link I posted should really be the helpful one. The first one is a link to the docs, which may not be specific enough (but might be a good place to start exploring if you want to build and install your own certificates).
But the second link has the security advisory with good links and some scripts. I've posted it below. If that does not help, let me know and I'll do a little more digging. It's definitely a known issue.
PRODUCT ADVISORY: Pre 6.3, Splunk Enterprise, Splunk Light and HUNK default root certificates expire on July 21, 2016.
(Updated: May 19, 2016)
SUMMARY
Instances of Splunk Enterprise, Splunk Light and HUNK that are older than 6.3 AND that are using the default certificates will no longer be able to communicate with each other after July 21, 2016 unless the certificates are replaced OR Splunk is upgraded to 6.3 or later.
Please note that for all Splunk Enterprise versions, the default root certificate that ships with Splunk is the same root certificate in every download. That means that anyone who has downloaded Splunk has server certificates that have been signed by the same root certificate and would be able to authenticate to your certificates. To ensure that no one can easily snoop on your traffic or wrongfully send data to your indexers, we strongly recommend that you replace them with certificates signed by a reputable 3rd-party certificate authority.
IMPACT
Failure to replace expired certificates prior to this will result in the immediate cessation of network traffic for any connection which uses them.
Expiration of Splunk certificates does not affect:
1) Splunk instances that are in Splunk Cloud
SSL certificates used for Splunk Cloud instances are not the default Splunk certificates.
Forwarder to Splunk Cloud traffic is not impacted; however, relay forwarders (forwarder to forwarder) can be impacted if you chose to use default Splunk certificates for this communication.
2) Splunk instances that use certificates that are internally generated (self-signed) or obtained from an external Certificate Authority (CA).
3) Splunk instances in your configuration that are upgraded to 6.3 or above and use that version’s root certificates.
4) Splunk instances that do NOT use SSL - (This is the default configuration for forwarder to indexer communication)
Certificate expiration DOES affect Splunk deployments where:
Any or all Splunk instances in your deployment run a release prior to 6.3 and use Splunk default certificates. This includes
Search Heads
Indexers
License Masters
Cluster Masters
Deployers
Forwarders
RECOMMENDATIONS
There are several options that you can take to resolve certificate expiration. You must take action prior to July 21, 2016.
1) Remain at your current Splunk version (pre-6.3) and manually upgrade the current default root certificates with the provided shell script that is appropriate for your operating system. Note that the shell script only replaces the current default root certificate with a new (cloned) certificate with a future expiration date. The script does not replace a Splunk default certificate with your own certificate.
The script is available at:
http://download.splunk.com/products/certificates/renewcerts-2016-05-05.zip
Update: minor script changes to update messages and remove redirect of stderr to /dev/null when checking OpenSSL version
Please be sure to read the README.txt included in the zip file before running the script.
2) Upgrade all Splunk instances in your environment to 6.3 or above and use self-signed or CA-signed certificates. We strongly recommend this as the most secure option. Replace current default root certificates with your own certificates. Download the following document to learn about hardening your Splunk infrastructure:
Splunk Security: Hardening Standards
3) Remain at your current Splunk version (pre-6.3) and use self-signed or CA-signed certificates. Replace current default root certificates with your own certificates. Download the following document to learn about hardening your Splunk infrastructure:
Splunk Security: Hardening Standards
4) Upgrade ALL Splunk instances to 6.3 or above and use those default root certificates. Note: Prior to the upgrade, if in use, please remove the existing Splunk default certificate copies of ca.pem and cacert.pem. Refer to: Upgrading my Splunk Enterprise 6.2.x to 6.3.x did not upgrade the expiration dates on my default SSL certs, why?
12-05-2017
09:20 AM
The 6.4.0 version of the docs has some renamed SSL attributes, so if you are still running 6.2, make sure to use that version of the manual, so:
http://docs.splunk.com/Documentation/Splunk/6.2.0/Security/Howtoself-signcertificates
Also, we wrote a Product Advisory specific to this issue for pre-6.3 versions of Splunk, you can find it in this Answers post along with some other possibly helpful bits of information:
https://answers.splunk.com/answers/395886/for-splunk-enterprise-splunk-light-and-hunk-pre-63.html
Hope that helps!
06-15-2017
08:56 AM
I think this topic in the Splunk documentation should help you with your problem:
http://docs.splunk.com/Documentation/Splunk/6.6.1/Security/BestpracticeforremovinganLDAPuser
02-09-2017
01:37 PM
2 Karma
Doh, I'm sorry, you are right. For CA-signed certificates you do need the chain. They need to be in the following order:
[ server certificate]
[ intermediate certificate]
[ root certificate (if required) ]
so maybe the issue is the order in the chain?
I am thinking that if you have
"chain.pem : CA Root + intermediary
fullchain.pem: I made it as mycert.pem + chain.pem"
Then I think this should give you an end result of
[ server certificate]
[ root certificate (if required) ]
[ intermediate certificate]
So you might try troubleshooting by changing that order to the first example to see if it helps. It seems odd that your certs would check out okay but not work, but SplunkWeb cert configs can be surprisingly touchy. (Oh, and also make sure you are using the version of OpenSSL provided with Splunk!)
Hope this is a little more helpful.
Cheers,
jen
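An added example, not code from jen's reply: a script that checks the order of a PEM bundle the way the reply describes (server certificate, then intermediate, then root) by comparing each certificate's issuer with the subject of the certificate that follows it. It assumes openssl and awk are available; the three-tier chain it builds is constructed throw-away test material, not a real Splunk certificate.

```shell
#!/bin/sh
# Checks that a PEM bundle is ordered server -> intermediate -> root by
# comparing each certificate's issuer with the subject of the next one.
# Assumes openssl and awk; the chain below is constructed throw-away test
# material generated on the fly, not real Splunk certificates.
set -e
WORK=$(mktemp -d)

# Build a constructed three-tier chain: root signs intermediate, which signs server.
make_test_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=splunkweb.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/server.csr" -CA "$WORK/int.pem" \
    -CAkey "$WORK/int.key" -CAcreateserial -out "$WORK/server.pem" 2>/dev/null
  # Correct order, and the root/intermediate swap the reply suspects.
  cat "$WORK/server.pem" "$WORK/int.pem" "$WORK/root.pem" > "$WORK/good.pem"
  cat "$WORK/server.pem" "$WORK/root.pem" "$WORK/int.pem" > "$WORK/bad.pem"
}

# Returns 0 when each certificate in bundle $1 is followed by its issuer.
chain_order_ok() {
  dir=$(mktemp -d)
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (d "/" n ".pem") }' "$1"
  count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")
  i=1
  while [ "$i" -lt "$count" ]; do
    issuer=$(openssl x509 -noout -nameopt RFC2253 -issuer -in "$dir/$i.pem" | sed 's/^issuer=//')
    next_subject=$(openssl x509 -noout -nameopt RFC2253 -subject -in "$dir/$((i + 1)).pem" | sed 's/^subject=//')
    if [ "$issuer" != "$next_subject" ]; then
      echo "cert $i is issued by '$issuer' but cert $((i + 1)) is '$next_subject'"
      rm -rf "$dir"
      return 1
    fi
    i=$((i + 1))
  done
  rm -rf "$dir"
  return 0
}

make_test_chain
chain_order_ok "$WORK/good.pem" && echo "good.pem: order is server, intermediate, root"
chain_order_ok "$WORK/bad.pem" || echo "bad.pem: reorder to server, intermediate, root"
```

Run it against your own fullchain.pem by calling chain_order_ok on that file; the first mismatching pair tells you which two certificates to swap.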
02-09-2017
01:10 PM
Are you configuring this on 6.5 or later? The attributes for earlier versions are slightly different, so if you are by any chance working in an earlier version, the attributes above will not work.
For serverCert, I would change the value to your mycert.pem file.
10-03-2016
01:40 PM
5 Karma
We don't have a specific topic dedicated to this question in the docs right now, but the following topic might help answer your question about where to set the server.conf stanza:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Security/Securingyourdeploymentserverandclients
[settings]
enableSplunkWebSSL = true
privKeyPath = etc/auth/splunkweb/mySplunkWebPrivateKey.key
serverCert = etc/auth/splunkweb/mySplunkWebCertificate.pem
cipherSuite =
You might also find the server.conf topic helpful: http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Serverconf
SSL Configuration details
[sslConfig]
* Set SSL for communications on Splunk back-end under this stanza name.
* NOTE: To set SSL (eg HTTPS) for Splunk Web and the browser, use
web.conf.
* Follow this stanza name with any number of the following attribute/value
pairs.
* If you do not specify an entry for each attribute, Splunk will use the
default value.
enableSplunkdSSL =
* Enables/disables SSL on the splunkd management port (8089) and KV store
port (8191).
* Defaults to true.
* Note: Running splunkd without SSL is not generally recommended.
* Distributed search will often perform better with SSL enabled.
09-30-2016
10:51 AM
1 Karma
Same product, new name!
There is one difference: Hunk Archive functionality is now integrated into Splunk Enterprise as "Hadoop Data Roll". But once you install your Splunk Analytics for Hadoop license, the experience will be pretty much the same as when it was called "Hunk". Except more seamless.
08-30-2016
10:51 PM
1 Karma
Dwaddle's talk is amazing, I recommend it highly.
We also have a topic here that talks about using signed certificates in your indexer to forwarder configuration:
http://docs.splunk.com/Documentation/Splunk/6.4.3/Security/ConfigureSplunkforwardingtousesignedcertificates
Hope that helps!
jen
03-24-2016
10:41 AM
2 Karma
Yep, the provider is simply whoever is hosting your data. It could be Hadoop, or it could be something like s3 or NoSQL.
An ERP - External Results Provider - is a process. It's provided by Splunk (unless you write your own). It uses info you configure about the provider to communicate with and gather the result from the Provider (i.e., Hadoop). When you configure a Provider, you are technically configuring an ERP as well, because that's the info the ERP uses.
I think this naming convention is a little confusing, I'll see if I can make the docs a little more clear.
02-03-2016
01:02 PM
3 Karma
Hi there,
This is more of an app issue, I think, than a SHC issue. Passwords do not currently get hashed in app directories. So we recommend that you create a different cert (with the same CA) so as not to expose the SSL password you use elsewhere. We talk about this issue (and workaround) a bit in this topic:
http://docs.splunk.com/Documentation/Splunk/6.1.9/Security/ConfigureSplunkforwardingtousesignedcertificates
Specifically:
Warning: If you configure inputs.conf or outputs.conf in an app directory, the password is NOT encrypted and the clear-text value remains in the file. For this reason, you may prefer to create different certificates (signed by the same root CA) to use when configuring SSL in app directories.
Hope that helps.
01-26-2016
02:48 PM
1 Karma
I'm not clear on your exact configuration, but it sounds like you are doing some indexing on the heavy forwarder and want to know how to validate the forwarder to Splunk connection? If that is the case, this topic might help: http://docs.splunk.com/Documentation/Splunk/latest/Security/Validateyourconfiguration
01-21-2016
06:39 PM
You might also check out the official docs here: http://docs.splunk.com/Documentation/Splunk/latest/Security/AboutsecuringyourSplunkconfigurationwithSSL
09-22-2015
12:43 PM
1 Karma
Great, look forward to hearing back about how things go. I'm the writer for the topics so please let me know if you find something that is not helpful or something that you think might improve the docs!
09-22-2015
12:39 PM
1 Karma
It's a good best practice to configure them the same way, I would think. And the server.pem or saml.pem DEFINITELY need to be the same on all the search heads in a SHC setup so that they can communicate.
09-22-2015
12:23 PM
4 Karma
You only have to enable SAML on the search head; once you do that, search head cluster behavior will work as normal.
Hope that helps.
09-14-2015
12:09 PM
2 Karma
Hey there,
Not sure if you have seen the Hunk docs for SHC. We don't go into great detail about search head clustering itself, since that is heavily discussed in the Enterprise documentation, but do offer some Hunk specific information that would hopefully be a helpful companion:
http://docs.splunk.com/Documentation/Hunk/6.2.6/Hunk/Configuresearchheadclustering
Hope that helps!
Cheers,
Jen
07-21-2015
10:33 AM
3 Karma
You might be missing an attribute. And if that doesn't work, you might try setting SSOMode=strict. Also make sure you have the trusted IP listed in server.conf.
Here's a code sample for web.conf from the Security Manual:
SSOMode = strict
trustedIP = 127.0.0.1,10.3.1.61,10.1.8.81
remoteUser = X-Remote-User
tools.proxy.on = True
The following topic in the Securing Splunk manual might be helpful:
http://docs.splunk.com/Documentation/Splunk/6.2.4/Security/ConfigureSplunkSSO
Hope this helps!
02-13-2015
01:16 PM
1 Karma
If you made a change on a forwarder, then restarting just the forwarder should be enough to update the configuration. The main point of restarting is just to get your edits to be recognized and added to the configuration.
02-09-2015
04:14 PM
1 Karma
To the best of my knowledge, you must reinstall. I'm not aware of anyone else having success otherwise, so it remains our best practice for the moment. I'm glad you were able to get it up and running successfully! For purposes of improving the docs, I'll definitely investigate some of the information you've provided.
Glad it worked, thanks for letting us know!
02-06-2015
02:29 PM
4 Karma
Yes, you should be able to use the exact same process (re-install, make the launch.conf edit) on your forwarders to turn on FIPS and get everything communicating properly.
And thanks for pointing out that the FIPS docs could use a little improvement, I'll get to work on those improvements.
Thanks!
10-22-2014
11:37 AM
5 Karma
The configuration process described in the docs is intended to work for heavy and universal forwarders. I can add a note to the docs to clarify that point.