Splunk Dev

multiple problems using Splunk java sdk 1.1.0 in weblogic 3.5.0

preben12
Communicator

Hi

I want to test publishing events to Splunk from a webapp deployed on our Weblogic app server, but are running into several problems using the SDK.
First error using plain sdk:
Caused By: java.lang.IllegalArgumentException: value is null
at weblogic.net.http.HttpURLConnection.setRequestProperty(HttpURLConnection.java:776)
at com.splunk.HttpService.send(HttpService.java:293)
at com.splunk.Service.send(Service.java:1211)
at com.splunk.HttpService.post(HttpService.java:212)
at com.splunk.Service.login(Service.java:1044)
Truncated. see log file for complete stacktrace

After fixing the HttpService to include null check and generating a client cert from the splunk server -> importing it into Weblogics truststore the next error surfaces.

Caused By: java.lang.RuntimeException: [Security:090504]Certificate chain received from bamtst01 - 10.101.17.63 failed hostname verification check. Certificate contained SplunkServerDefaultCert but check expected bamtst01
at com.splunk.HttpService.send(HttpService.java:365)
at com.splunk.Service.send(Service.java:1211)
at com.splunk.HttpService.post(HttpService.java:239)
at com.splunk.Service.login(Service.java:1044)
at com.splunk.Service.login(Service.java:1024)
Truncated. see log file for complete stacktrace
Caused By: javax.net.ssl.SSLKeyException: [Security:090504]Certificate chain received from bamtst01 - 10.101.17.63 failed hostname verification check. Certificate contained SplunkServerDefaultCert but check expected bamtst01
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
Truncated. see log file for complete stacktrace

I have to turn hostname verification off in Weblogic 😞 to get further.

Next error is ->
Caused By: javax.xml.stream.XMLStreamException: next() may not be called when XMLStreamReader is at END_DOCUMENT
at weblogic.xml.stax.XMLStreamReaderBase.next(XMLStreamReaderBase.java:234)
at com.splunk.AtomObject.scan(AtomObject.java:193)
at com.splunk.AtomObject.load(AtomObject.java:128)
at com.splunk.AtomFeed.parse(AtomFeed.java:80)
at com.splunk.AtomFeed.parseStream(AtomFeed.java:59)
Truncated. see log file for complete stacktrace

That how far i got.
Seems to be some kind of Stax class loading issue. ???????

I saw a similar issue described at http://splunk-base.splunk.com/answers/68748/error-when-run-java-sdk-next-may-not-be-called-when-xmls.... Any solution for this ??

From looking at the sdk it seems to me that the client sdk should support client certificates to establish a trusted SSL connection out of the box. I'm not sure the trustAll truststore setup is recommended for production use.

Secondary is it possible to use pure http to connect to a splunk server if you don't need ssl, and if so on wich port can you connect ?

btw. I have created a support case of this CASE 117183.

Best Regards
Preben

Tags (2)
0 Karma

preben12
Communicator

Hi Kelvin

Afair I used the json parser instead to bypass wls xml libs in classpath. You can see some of the code here https://github.com/apache/camel/blob/master/components/camel-splunk/src/main/java/org/apache/camel/c...
where the json reader is used.

0 Karma

lsmkelvin
New Member

Thanks Preben12.

I got this exception same as you, how you fix it?
Caused By: javax.xml.stream.XMLStreamException: next() may not be called when XMLStreamReader is at END_DOCUMENT
at weblogic.xml.stax.XMLStreamReaderBase.next(XMLStreamReaderBase.java:234)
at com.splunk.AtomObject.scan(AtomObject.java:193)
at com.splunk.AtomObject.load(AtomObject.java:128)
at com.splunk.AtomFeed.parse(AtomFeed.java:80)
at com.splunk.AtomFeed.parseStream(AtomFeed.java:59)
Truncated. see log file for complete stacktrace

Thanks
Kelvin

0 Karma

preben12
Communicator

yeah - was fixed in the splunk sdk afair

0 Karma

lsmkelvin
New Member

Hi Preben,

How you fix the below problem?

Caused By: java.lang.IllegalArgumentException: value is null
at weblogic.net.http.HttpURLConnection.setRequestProperty(HttpURLConnection.java:776)
at com.splunk.HttpService.send(HttpService.java:293)
at com.splunk.Service.send(Service.java:1211)
at com.splunk.HttpService.post(HttpService.java:212)
at com.splunk.Service.login(Service.java:1044)
Truncated. see log file for complete stacktrace

Best regards,
Kelvin

0 Karma

preben12
Communicator

Yeah - I have upgraded to 5.0.3 and it resolved the reader issue

0 Karma

preben12
Communicator

An update so far.
I made it work login and posting of events with a small patch in the Splunk jdk. See patch https://github.com/splunk/splunk-sdk-java/pull/45. The main fix forces the use of Suns https Handler.
I still got some issues reading events from Splunk when running in weblogic and using Xml streams. I'll get back with details when i'm back at work and have a running Weblogic.

I thought I could bypass that using ResultsReaderJson instead of ResultsReaderXml, by changing the output mode and changing the reader to ResultReaderJson. But the Json reader bloks on getNextEvent compared to the xml reader when there is no data to read from the stream (0 events) resulting in a not responding thread.
I could possible work around that by checking on the event count and only read if the count > 0, but that not doable in realtime mode I guess since count is not known on beforehand.

alexniranjan
New Member

I am on Splunk Enterprise 6.5 and Splunk JDK 1.6. I am still facing this issue while creating the connection. This URL is not accessible anymore - https://github.com/splunk/splunk-sdk-java/pull/45.

Do you have a workaround or another location for this fix?

0 Karma

andras_kerekes
Explorer

What I did in this case is that used InputStream.mark() and reset() to peek into the result stream to see if it has no results. But it seems that in Splunk 5.0.3 the returned String will not put the ResultReaderJson into infinite loop, if you can upgrade this will solve it.

0 Karma

preben12
Communicator

Hi Damien
Yeah turning on -DUseSunHttpHandler=true will make it work. The only thing that is a bit worrying is that this is a global option that will affect everything running on the platform. Chances are that i might cause side effects on running apps. Thats why i wanna try to avoid it.
On another project I have code wise forced weblogic to use sun's https handler when constructing the URL while importing the full package+class - This works on Weblogic
Code sample :
// force Weblogic to use suns https handler.
new URL(protocol, host, port, path, new sun.net.www.protocol.https.Handler());

0 Karma

Damien_Dallimor
Ultra Champion

Try out these JVM startup params and see if this lets you create a simple https connection.

http://weblogic-wonders.com/weblogic/2010/11/09/enforce-weblogic-to-use-sun-ssl-implementation-rathe...

0 Karma

preben12
Communicator

You can find the code here https://github.com/pax95/camel-splunk
and where the splunk connection is created ->
https://github.com/pax95/camel-splunk/blob/master/src/main/java/org/apache/camel/component/splunk/Sp...

I have imported the certificate i got when connecting to https://myhost:8089/ saved the certificate and imported it into Weblogic. Is there any other certificate from Splunk that I should use instead ?

0 Karma

preben12
Communicator

Nope - I just use the submit request on port 8089 using https - not tcp-ssl.
I haven't even gotten to send any data yet. Just trying to establish a connection.

0 Karma

preben12
Communicator

Sorry Weblogic version is 10.3.5

0 Karma

jonuwz
Influencer

Post your code. Are you using submit / attach / attachWith ?

Have you used this as a guideline ? link

Also, the cert you've imported has a CN of "DefaultSplunkCertificate" the HTTPS connection will not allow that because it doesn't match the hostname you are connecting to.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...