Implementing Bi-directional SSL on Splunkd with 3rd Party CA

schmoud
Engager

For my Splunk application I am required to implement bi-directional SSL using client and server certs on the Splunkd server with the intent of using the REST API. As an initial test I got one-way SSL to work by following this as a rough guide, even though it is for Splunk Web. I am trying to just get it working in the browser (Firefox) before moving on to my custom application.

http://www.splunk.com/wiki/Community:SplunkWeb_SSL_3rdPartyCA

I added to my $SPLUNK_HOME/etc/system/local/server.conf under the [sslConfig] stanza

caCertFile = [pem file for CA's public key]
sslKeysFile = [my concatenated key file]

-----BEGIN CERTIFICATE-----

[signed public key of server cert received from CA]

-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----

[private key of server cert]

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

[public key of CA cert]

-----END CERTIFICATE-----

sslKeysFilePassword = [splunk encrypted password]

All certificate files are in $SPLUNK_HOME/etc/auth/

I have set up a test CA on a separate machine where I create and sign certificates using OpenSSL.

One way SSL worked fine with this setup.

I added requireClientCert = true to the server.conf file and generated a client certificate signed by the same CA with similar procedures to the ones used to create the server cert, this time creating a .pfx cert for browser installation.

Now when trying to access https://[splunkserverip]:8089 I get the option to pick my client cert (I have generated a couple of client certs) and each time after I pick the client cert I have installed in the browser I get:

Error loading stylesheet: An unknown error has occurred (804b0014)
https://[splunkserverip]:8089/static/atom.xsl

and in the splunkd.log I see 10 repetitions of the following, for ports 55565 - 55574:

ERROR TcpInputFd - SSL Error = error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized

ERROR TcpInputFd - ACCEPT_RESULT=-1 VERIFY_RESULT=0

ERROR TcpInputFd - SSL Error for fd from HOST:[host] IP:[ip] PORT:[port]

Any references, suggestions, debugging methods, or solutions would be appreciated!

1 Solution

gkanapathy
Splunk Employee

Well, this may or may not be a bug, or it may be an artifact in the browser, or even just a bug in the browser, but it shouldn't make any difference to your API access if you can get URLs under /services/* without error. Chrome and Firefox try to fetch the stylesheets, but you might be able to disable that in the browser. If not, you can turn it off in Splunk with the atomFeedStylesheet = none in server.conf.

0 Karma
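
A pre-flight check for the [sslConfig] settings and the concatenated key file layout described in the question, as an added example that is not part of the original thread or Splunk's own tooling. The function names, sample file names and placeholder values are assumptions constructed for illustration; only the setting names and the block order come from the post.

```python
import configparser
import re

# Constructed sample inputs: placeholder values, no real key material.
SAMPLE_CONF = """\
[sslConfig]
caCertFile = cacert.pem
sslKeysFile = server.pem
sslKeysFilePassword = ENCRYPTED_PLACEHOLDER
requireClientCert = true
"""

def pem_block(label, body="cGxhY2Vob2xkZXI="):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Order described in the post: server cert, server private key, CA cert.
EXPECTED_ORDER = ["CERTIFICATE", "RSA PRIVATE KEY", "CERTIFICATE"]
SAMPLE_PEM = "".join(pem_block(label) for label in EXPECTED_ORDER)
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s.*?-----END \1-----", re.S)
REQUIRED_KEYS = ["caCertFile", "sslKeysFile", "sslKeysFilePassword"]

def pem_labels(text):
    """Return the label of each complete PEM block, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_ssl_config(conf_text, pem_text):
    """Return a list of problems; empty means the layout matches the post."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    if not cp.has_section("sslConfig"):
        return ["missing [sslConfig] stanza"]
    ssl_cfg = cp["sslConfig"]
    problems = [f"{k} is not set" for k in REQUIRED_KEYS
                if not ssl_cfg.get(k, fallback="").strip()]
    # Assumption of this check: an absent setting means client certs are not enforced.
    if ssl_cfg.get("requireClientCert", fallback="false").strip().lower() != "true":
        problems.append("requireClientCert is not true, client certs not enforced")
    labels = pem_labels(pem_text)
    if labels != EXPECTED_ORDER:
        problems.append(f"sslKeysFile blocks are {labels}, expected {EXPECTED_ORDER}")
    if pem_text.count("-----BEGIN ") != len(labels):
        problems.append("sslKeysFile has a BEGIN line without a matching END")
    return problems

if __name__ == "__main__":
    print(check_ssl_config(SAMPLE_CONF, SAMPLE_PEM) or "layout matches")
```

The check only inspects structure; it does not decrypt the key or validate the certificate chain.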
