Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Unable to configure SSL even with built-in certs

Docjowles
New Member
‎09-29-2010 06:07 PM

Splunk 4.1.5, CentOS 5.5 64-bit

I am trying to configure SSL for forwarding/receiving data, a-la this question: http://answers.splunk.com/questions/397/how-to-configure-ssl-for-forwarding-and-receiving-data

However something is going wrong, and I keep getting the following in the splunk logs at startup:

09-29-2010 11:54:34.501 INFO  TcpInputProc - SSL cipherSuite=ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
09-29-2010 11:54:34.501 INFO  TcpInputProc - supporting SSL v2/v3
09-29-2010 11:54:34.501 ERROR SSLCommon - Can't read key file /opt/splunk/etc/auth/server.pem
09-29-2010 11:54:34.501 ERROR TcpInputProc - SSL server certificate not found, or password is wrong - SSL ports will not be opened
09-29-2010 11:54:34.523 INFO  TcpInputProc - port 9998 is reserved for splunk 2 splunk (SSL)

Since I can't get the receiver to work, I haven't bothered trying the forwarder yet, so I will omit that info unless asked. Here is the configuration of the receiver:

$SPLUNK_HOME/etc/system/local/server.conf:

[sslConfig]
caPath = /opt/splunk/etc/auth
certCreateScript = /opt/splunk/bin/genSignedServerCert.py
sslKeysfilePassword = <hashed password is here>
supportSSLV3Only = true

$SPLUNK_HOME/etc/apps/search/local/inputs.conf:

[SSL]
serverCert=/opt/splunk/etc/auth/server.pem
password=<unhashed password is here>
requireClientCert = false
RootCA=/opt/splunk/etc/auth/cacert.pem

[splunktcp-ssl:9998]
compressed = true

I have tried this with the built-in certs and also regenerating them all with genRootCA.sh and genSignedServerCert.sh. Either way I get the same error on startup. I have tried using "password" with no quotes for both password fields, as well as using a custom password when I generated my own certs. Neither one worked.

I checked permissions and they look fine, and I get errors even if I try to run Splunk as root. I can su to the splunk user and ls/cat the cert files just fine.

ls -la
total 36
drwx------  2 splunk splunk 4096 Sep 29 11:53 .
drwxr-xr-x 19 root   root   4096 Sep 29 11:40 ..
-rw-r--r--  1 splunk splunk  863 Sep 29 11:50 cacert.pem
-rw-r--r--  1 splunk splunk  963 Sep 29 11:50 cakey.pem
-rw-r--r--  1 splunk splunk 1826 Sep 29 11:50 ca.pem
-rw-r--r--  1 splunk splunk  660 Sep 29 11:50 careq.pem
-rw-r--r--  1 splunk splunk   17 Sep 29 11:53 ca.srl
-rw-r--r--  1 splunk splunk 2673 Sep 29 11:53 server.pem
-r--------  1 splunk splunk  255 Sep 29 11:40 splunk.secret

This is driving me up the wall, any insight into what I am doing wrong would be appreciated!

Tags (1)
0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎09-30-2010 05:34 PM

Did you restart Splunk after you input the unhashed password? Did you verify using lsof or netstat that the port was not actually open?

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎09-30-2010 04:31 PM

Hexx has done some serious study on this and has a working recipe with SSL mutual auth.

http://answers.splunk.com/questions/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certifi...

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...