How to configure SSL universal forwarder and receiver?

atixx
New Member

Hey,

I configured an SSL forwarder.
But I have this error:

Forwarder error:

TcpInputConfig - SSL clause not found or servercert not provided - SSL ports will not be available
ERROR SSLCommon - Can't read certificate file /root/ca/requests/splunk3-key.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line
08-27-2014 09:29:16.110 +0200 ERROR TcpOutputProc - Error initializing SSL context - invalid sslCertPath for server 2.2.2.2:1000

Receiver error:

08-27-2014 09:42:16.327 +0200 ERROR SSLCommon - Can't read certificate file /root/ca/extern/splunk3-key.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line
08-27-2014 09:42:16.327 +0200 ERROR TcpInputConfig - SSL server certificate not found, or password is wrong - SSL ports will not be opened
08-27-2014 09:42:16.327 +0200 ERROR TcpInputConfig - SSL context not found. Will not open splunk 2 splunk (SSL) IPv4 port 1000

On the receiver:

/root/ca/extern/:
-rw------- 1 root root 1919 Aug 27 08:25 cacert.pem
-rw------- 1 root root 1751 Aug 27 08:25 splunk3-key.pem

inputs.conf

[splunktcp-ssl://1000]
    compressed = true
    connection_host = 1.1.1.1
    queueSize=1MB
    persistentQueueSize=4GB
    _TCP_ROUTING = splunk3-ad

[SSL]
    password = my_password
    requireClientCert = false
    rootCA = /root/ca/extern/cacert.pem
    serverCert = /root/ca/extern/splunk3-key.pem

On the forwarder:

/root/ca/requests:
-rw-r--r-- 1 root root  960 Aug 27 08:15 splunk3-cert.csr
-rw-r--r-- 1 root root    0 Aug 27 08:16 splunk3-cert.pem
-rw-r--r-- 1 root root 1751 Aug 27 08:12 splunk3-key.pem

outputs.conf

[tcpout]
    backoffOnFailure = 5
    channelReapInterval = 60000
    channelReapLowater = 10
    channelTTL = 60
    compressed = true
    defaultGroup = syslog-ad,file-rweb
    dnsResolutionInterval = 300
    negotiateNewProtocol = true
    readTimeout = 900
    useACK = true
    writeTimeout = 5
    indexAndForward = 0

[tcpout:syslog-ad]
    server = 2.2.2.2:1000
    maxQueueSize = 10MB
    dropEventsOnQueueFull = -1
    sslCertPath = /root/ca/requests/splunk3-key.pem
    sslPassword = my_password
    sslRootCAPath = /root/ca/cacert.pem
    usesslCompression = true
    sslVerifyServerCert = false
    #useClientSSLCompression = true

Does anyone have any ideas?

Thanks

0 Karma

DerekKing
Path Finder

Hi,

I'm not sure on your specific error, but it could be down to missing or incorrectly placed private keys.

Have a look at this wiki, and see if it helps. I'm sure someone more educated than me will be along to help with more specifics soon.

http://wiki.splunk.com/Community:SplunkWeb_SSL_SelfSignedCert_NewRootCA

Regards
Derek

DerekKing
Path Finder

Have you generated the private key on the right server? It looks to me like you generated it on the forwarder?

The key generation should be done on the Indexer I believe.

Derek

0 Karma

atixx
New Member

I tried this:

mkdir mycerts
export OPENSSL_CNF=/opt/splunkforwarder/openssl/openssl.cnf 
cd mycerts/
openssl genrsa -des3 -out myCAKey.key 2048
openssl req -new -key myCAKey.key -out myCACert.csr
openssl x509 -req -in myCACert.csr -signkey myCAKey.key -out myCACert.pem -days 3650
openssl genrsa -des3 -out slk-private.key 2048
openssl rsa -in slk-private.key -out slk-private.key 
openssl rsa -in slk-private.key -text
openssl req -new -key slk-private.key -out slk-Cert.csr 
openssl x509 -req -in slk-Cert.csr -CA myCACert.pem -CAkey myCAKey.key -CAcreateserial -out slk-Cert.pem -days 1095
cat slk-Cert.pem myCACert.pem > slk-conc-Cert.pem 

And in the conf file (outputs), modifying the path:

sslCertPath = /opt/splunkforwarder/etc/auth/mycerts/slk-conc-Cert.pem
sslPassword = my_password_no_hash
sslRootCAPath = /opt/splunkforwarder/etc/auth/mycerts/myCACert.pem

Log output / errors:

08-27-2014 11:33:03.403 +0200 ERROR SSLCommon - Can't read key file /opt/splunkforwarder/etc/auth/mycerts/slk-conc-Cert.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line.
08-27-2014 11:33:03.403 +0200 ERROR TcpOutputProc - Error initializing SSL context - invalid sslCertPath for server 2.2.2.2:1000

Old errors with the old certificates:

TcpInputConfig - SSL clause not found or servercert not provided - SSL ports will not be available
ERROR SSLCommon - Can't read certificate file /root/ca/requests/splunk3-key.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line
08-27-2014 09:29:16.110 +0200 ERROR TcpOutputProc - Error initializing SSL context - invalid sslCertPath for server 2.2.2.2:1000

It's better than before, but not working.

0 Karma
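
Added example, not part of the thread: the `PEM_read_bio:no start line` errors above mean OpenSSL found no PEM block of the type it was looking for in the named file (the log says "certificate file" for the key-only splunk3-key.pem and "key file" for slk-conc-Cert.pem, which was concatenated from two certificates). This sketch inventories the PEM blocks in such a file; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic, not from the thread; sample PEM bodies are constructed.

# List the type of each PEM block in file $1, in order (e.g. "CERTIFICATE").
pem_blocks() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Classify the file that sslCertPath / serverCert points at.
# Prints empty | no-pem | key-only | cert-only | cert+key; succeeds only for cert+key.
classify_bundle() {
    if [ ! -s "$1" ]; then
        result=empty
    else
        certs=$(pem_blocks "$1" | grep -c '^CERTIFICATE$' || true)
        keys=$(pem_blocks "$1" | grep -c 'PRIVATE KEY$' || true)
        if [ "$certs" -eq 0 ] && [ "$keys" -eq 0 ]; then result=no-pem
        elif [ "$certs" -eq 0 ]; then result=key-only
        elif [ "$keys" -eq 0 ]; then result=cert-only
        else result=cert+key
        fi
    fi
    echo "$result"
    [ "$result" = cert+key ]
}

# Emit one PEM block of type $1 with a dummy (constructed) body.
make_pem() {
    printf '%s\n' "-----BEGIN $1-----" "Q09OU1RSVUNURUQ=" "-----END $1-----"
}

# Rebuild the shapes of the files seen in the thread and classify each.
demo() {
    d=$(mktemp -d)
    make_pem 'RSA PRIVATE KEY' > "$d/key-only.pem"     # key only, like splunk3-key.pem
    : > "$d/zero-byte.pem"                             # like the 0-byte splunk3-cert.pem
    { make_pem CERTIFICATE; make_pem CERTIFICATE; } > "$d/cert-and-ca.pem"  # like slk-conc-Cert.pem
    { make_pem CERTIFICATE; make_pem 'RSA PRIVATE KEY'; make_pem CERTIFICATE; } > "$d/cert-key-ca.pem"
    for f in "$d"/*.pem; do
        printf '%-16s %s\n' "${f##*/}" "$(classify_bundle "$f")"
    done
    rm -rf "$d"
}
demo
```

To check a real file, call `classify_bundle /path/to/file.pem`; it reads only the BEGIN markers and does not validate the certificate, the key, or whether they match.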