Security

How do I resolve X509Verify default certificate warnings?

zeespl
Explorer

I see the below warnings in the splunkd.log files on all my Splunk instances.

Could you please advise on how to resolve these? or can we ignore them?

WARN  X509Verify - X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) should not be used, as it is issued by Splunk's own default Certificate Authority (CA). This puts your Splunk instance at very high-risk of the MITM attack. Either commercial-CA-signed or self-CA-signed certificates must be used; see: 

renjith_nair
SplunkTrust

@zeespl,

As mentioned in the warning itself, default certificates are not considered highly secure. Anyone who has downloaded Splunk Enterprise has server certificates signed by the same root certificate and is able to authenticate to your certificates. To ensure that no one can easily snoop on your traffic or wrongfully send data to your indexers, Splunk recommends that you replace them with signed certificates.

You can either use a self-signed certificate as mentioned in https://docs.splunk.com/Documentation/Splunk/7.1.2/Security/Howtoself-signcertificates

Or

Use a third-party certificate: https://docs.splunk.com/Documentation/Splunk/7.1.2/Security/Howtogetthird-partycertificates

The decision is purely based on your organizational requirements. Normally self-signed certificates are used in test/dev environments and external certificates are used in PROD. However, as mentioned, it purely depends on your data/environment security requirements and also the network zone you have set up your Splunk infra in. If it's exposed to the "outside" world, it's always advised to use a proper certificate.

Also see : https://conf.splunk.com/session/2015/conf2015_DWaddle_DefensePointSecurity_deploying_SplunkSSLBestPr...

Happy Splunking!

zeespl
Explorer

Thanks Renjith.

We have a single Splunk instance running, doing the job of both search head and indexer. On it I can't see any such warnings. No self-signed or third-party certificate is placed on it apart from the Splunk default ones.

On the new setup where we have separate servers for search head and indexer, I am getting this warning in the logs.

The warnings should come on both, if the default ones are not trustworthy.


renjith_nair
SplunkTrust

@zeespl, the certificates are used when there is a connection from server A to server B. If you have a standalone host, then there might not be any incoming/outgoing traffic. On the other hand, when the search heads and indexers are on different machines, it requires connections between different machines and hence the warning. Hope that helps!

Happy Splunking!

zeespl
Explorer

@renjith.nair, in a standalone setup there is also incoming/outgoing traffic from forwarders. Does this not require a certificate?

Or is it just for internal communication between search heads and indexers?


renjith_nair
SplunkTrust

Depends on your setup. Have you enabled SSL between forwarder and indexer?

Happy Splunking!

zeespl
Explorer

No, I have not configured forwarders as of now; we just have a search head and 2 indexer peers.

How can we check whether SSL is enabled or not?


renjith_nair
SplunkTrust

Here is a summary of SSL traffic : http://docs.splunk.com/Documentation/Splunk/7.1.3/Security/AboutsecuringyourSplunkconfigurationwithS...

To check your traffic between forwarder and indexer: check whether the following configurations are set.

http://docs.splunk.com/Documentation/Splunk/7.1.3/Security/ConfigureSplunkforwardingtousethedefaultc...

Happy Splunking!
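A way to answer "is SSL enabled on the forwarder-to-indexer hop?" from the configuration files, as an added example that is not part of the thread or of Splunk's documentation. The two inputs.conf files (one plain, one TLS) and the outputs.conf are constructed samples written by this script, not taken from any real deployment; the certificate paths and host names in them are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Splunk. The conf files below are
# constructed samples; paths and host names are assumptions.
set -eu
D="${D:-$(mktemp -d)}"

# Indexer WITHOUT TLS on the receiving port: a plain splunktcp stanza.
cat > "$D/inputs.plain.conf" <<'EOF'
[splunktcp://9997]
disabled = 0
EOF

# Indexer WITH TLS: splunktcp-ssl stanza plus an [SSL] stanza naming the
# combined PEM (server cert + key + CA) the indexer presents.
cat > "$D/inputs.tls.conf" <<'EOF'
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/indexer.pem
sslPassword = changeme
requireClientCert = false
EOF

# Forwarder outputs.conf that verifies the indexers against a private CA.
cat > "$D/outputs.tls.conf" <<'EOF'
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
sslRootCAPath = /opt/splunkforwarder/etc/auth/mycerts/ca.pem
sslVerifyServerCert = true
EOF

# Receiving side: true only when every receiving stanza is splunktcp-ssl
# and no plain splunktcp:// stanza is left open.
inbound_is_tls() {
  plain=$(grep -cE '^\[splunktcp://' "$1" || true)
  tls=$(grep -cE '^\[splunktcp-ssl:' "$1" || true)
  [ "$plain" -eq 0 ] && [ "$tls" -gt 0 ]
}

# Sending side: true when the tcpout config carries TLS material
# (sslRootCAPath, or the client certificate setting of the Splunk version in use).
outbound_is_tls() {
  grep -qE '^(sslRootCAPath|sslCertPath|clientCert)[[:space:]]*=' "$1"
}

for f in "$D/inputs.plain.conf" "$D/inputs.tls.conf"; do
  if inbound_is_tls "$f"; then
    echo "TLS   receiving: $f"
  else
    echo "PLAIN receiving: $f (no splunktcp-ssl stanza, or a plain splunktcp stanza still enabled)"
  fi
done
if outbound_is_tls "$D/outputs.tls.conf"; then
  echo "TLS   forwarding: $D/outputs.tls.conf"
fi

# On a real host, run the checks against the merged configuration instead of
# a single file, e.g. $SPLUNK_HOME/bin/splunk btool inputs list --debug
```

The `--debug` form of btool prints which file each setting comes from, which is what you want when an app-level inputs.conf silently re-opens a plain port you thought was closed.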

zeespl
Explorer

I can't find anything in the inputs.conf file.

Would you mind sharing the exact steps to create, place and configure certificates in my setup: one search head and 2 indexers.

How can I procure third-party signed certificates, and how many of these are required and of what type?
