Security

Enabled TLS on web, now I can't log into the site - LDAP issues

Hiattech
Explorer

To start with, I am very new to Splunk and I've been stumbling my way through this with varying degrees of success. 

We recently upgraded Splunk from 8.2 to 9.1.2. We noticed the new SSL requirements but went we have a self-signed cert but the website shows as not secure. We wanted to make sure everything was as secure as possible. We created an actual CA Cert chain and redirected the web.conf to the cert along with the key. I had issues with this at first because we weren't using a passphrase on the cert creation but we fixed that and it seems to accept it. Now the webpage seems to load, but it takes an incredibly long time. Once loaded, we should be able to login with LDAP. That's no longer working. I tried the local admin and it thinks for a while and then goes to a "Oops. The server encountered an unexpected condition which prevented it from fulfilling the request. Click here to return to Splunk homepage." page.  This is on the deploy server. 

I changed the server.conf to use the cert as well though that doesn't appear to make a difference. I checked the openldap.conf and added the cert to that but then the page wouldn't load anymore. (doing a splunk restart between each change).  I'm not sure which logs to even look at to find the problem. I have gone through the documentation to setup the TLS which we want to do for interserver communication and for the webpage. the forwarders aren't necessary right now. Can anyone give me a clue what I might be doing wrong?

EDIT: I did discover this error in the splunkd.log relating to my cert. Only post I've found so far says to combine the key and pem into a single file it can use.

message="error:0906D06C:PEM routines:PEM_read_bio:no start line

Here's my config files

server.conf

 

 

 

[general]
serverName = servername.com [changed for privacy reason]
pass4SymmKey =[redacted]

[sslConfig]
# turns on TLS certificate host name validation
sslVerifyServerName = true
serverCert = /opt/splunk/etc/auth/servername.com.pem
#sslPassword =[redacted]

#SSL No longer valid option
# sslPassword = [redacted]

# turns on TLS certificate host name validation
cliVerifyServerName = true
sslPassword = [redacted]
# Reference the file that contains all root certificate authority certificates combined together
sslRootCAPath = /opt/splunk/etc/auth/servername.com.pem
sslCommonNameList = servername.com, servername

[pythonSslClientConfig]
#sslVerifyServerCert = true
#sslVerifyServerName = true

[lmpool:auto_generated_pool_download-trial]
description = auto_generated_pool_download-trial
quota = MAX
slaves = *
stack_id = download-trial

[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder

[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free

[lmpool:auto_generated_pool_enterprise]
description = auto_generated_pool_enterprise
quota = MAX
slaves = *
stack_id = enterprise

[license]
active_group = Enterprise

[kvstore]
storageEngineMigration = true

 

 

 

 

web.conf

 

 

 

[settings]
enableSplunkWebSSL = true
privKeyPath = /opt/splunk/etc/auth/myprivate.key
serverCert = /opt/splunk/etc/auth/servername.com.pem
sslPassword =[redacted]

 

 

 

 

authentication.conf

[authentication]
authSettings = ldapserver.com
authType = LDAP

[roleMap_ldapserver.com]
admin = SplunkAdmins

[ldapserver.com]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = CN=ServiceAccount,CN=AccountFolder,DC=SubOrg,DC=Org,DC=com
bindDNpassword = [redacted]
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = OU=Groups,OU=Users & Computers,OU=MainFolder,DC=SubOrg,DC=Org,DC=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = ldapserver.SubOrg.Org.Com
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 636
realNameAttribute = displayname
sizelimit = 1000
timelimit = 15
userBaseDN = OU=Users,OU=Users & Computers,OU=MainFolder,DC=SubOrg,DC=Org,DC= com
userNameAttribute = samaccountname

 

ldap.conf

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

ssl start_tls
TLS_REQCERT demand
TLS_CACERT /opt/splunk/etc/auth/ldapserver.pem

# The following provides modern TLS configuration that guarantees forward-
# secrecy and efficiency. This configuration drops support for old operating
# systems (Windows Server 2008 R2 and earlier).
# To add support for Windows Server 2008 R2 set TLS_PROTOCOL_MIN to 3.1 and
# add these ciphers to TLS_CIPHER_SUITE:
# ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:
# ECDHE-RSA-AES128-SHA

# TLS_PROTOCOL_MIN: 3.1 for TLSv1.0, 3.2 for TLSv1.1, 3.3 for TLSv1.2.
TLS_PROTOCOL_MIN 3.3
TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256>

#TLS_CACERT absolute path to trusted certificate of LDAP server. For example /opt/splunk/etc/openldap/certs/mycertificate.pem
#TLS_CACERTDIR absolute path to directory that contains trusted certificates of LDAP server. For example /opt/splunk/etc/openldap/certs

 

Labels (3)
Tags (3)
0 Karma

Hiattech
Explorer

OK I managed to figure out a couple of my issues. 

The error: message="error:0906D06C:PEM routines:PEM_read_bio:no start line was as I discovered. I combined the key and the cert into a new file and it worked. 

LDAP is still an issue. I was able to disable it to fix our local admin password. Any time I enable TLS in LDAP though, I get errors:

ERROR ScopedLDAPConnection [1750367 TcpChannelThread] - strategy="ldapserver.com" Error binding to LDAP. reason="Can't contact LDAP server"
ERROR UiAuth [1750367 TcpChannelThread] - user=<username> action=login status=failure session= reason=user-initiated user

I tried both the LDAP cert and the combined cert I created. Not sure what I'm missing.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...