Install and configure Splunk DB Connect to be FIPS compliant

Since version 4.0.0 Splunk DB Connect supports FIPS capabilities. It uses FIPS-certified editions of Bouncy Castle Java, ensuring secure communication, encryption and private key handling, always using FIPS compliant algorithms and other related specifications.

Requirements

Splunk DB Connect requires a fresh installation to be FIPS compliant. This means that you cannot enable FIPS after upgrading from a version that does not support it, as it uses a different security provider, encryption algorithms, etc. Additionally, the Java keystore type used for FIPS environments is PKCS12, while the default type is JKS.

FIPS compliant installation

Please note that you cannot use Self-Service Application Installation (SSAI) to install Splunk DB Connect as FIPS compliant, as a number of manual actions are required.

1. Download Splunk DB Connect from Splunkbase.
2. Copy the *.tgz package to $SPLUNK_HOME/etc/apps.
3. Extract the content from *.tgz package.
4. Set fipsEnabled to true in $SPLUNK_HOME/etc/apps/splunk_app_db_connect/config/dbx_task_server.yml.
5. Set fipsEnabled to true in $SPLUNK_HOME/etc/apps/splunk_app_db_connect/config/dbxquery_server.yml
6. Follow the steps described in the next section called Create Java KeyStore/TrustStore.

Notes:

Steps 4 and 5 can be replaced by creating SPLUNK_DBX_FIPS_ENABLED environment variable with value set to true.

Verify that only libraries containing fips are present in $SPLUNK_HOME/etc/apps/splunk_app_db_connect/jars/libs. If they exist, remove bcprov-jdk18on-*.jar, bcutil-jdk18on-*.jar and bcpkix-jdk18on-*.jar. This prevents conflicts between FIPS and non-FIPS libraries.

Create the Java KeyStore/TrustStore

DB Connect will fail if it cannot validate the server certificate provided by Splunk (because it is a self-signed certificate, etc.). In such a case, you will need to create the keystore or truststore manually and initialize it with the trusted certificate.

1. Go to $SPLUNK_HOME/etc/apps/splunk_app_db_connect.
2. Create a directory with name keystore.
3. Go to $SPLUNK_HOME/etc/apps/splunk_app_db_connect/keystore.
4. Create the KeyStore/TrustStore: keytool -genkeypair -alias dbx -keyalg RSA -keysize 2048 -keystore default.p12 -storetype PKCS12 -storepass changeme. Make sure the password is changeme, it will be changed automatically to a more secure one. However, you will be able to change it from the UI at any time.
5. Remove the previous entry (optional): keytool -delete -alias dbx -keystore default.p12 -storepass changeme
6. Add the CA certificate as a trusted: keytool -importcert -alias splunk -file $SPLUNK_HOME/etc/auth/cacert.pem -keystore default.p12 -storetype PKCS12 -storepass changeme
7. Make sure the trust certificate is present: keytool -list -keystore default.p12 -storepass changeme -storetype PKCS12.
8. Restart Splunk.

Troubleshooting

Certificate for <hostname> doesn't match any of the subject alternative names: [*.<domain>, <domain>]

Update the certificate to contain <hostname> as subject alternative names (SAN) or update the hostname to match any of the SAN.

To update the hostname, run the following command:

$ sudo hostnamectl set-hostname <server>.<domain>

feature=ssl component=fips_security_manager action=load_trust_manager status=failed

Make sure $SPLUNK_HOME/etc/apps/splunk_app_db_connect/keystore/default.p12 exists and it has granted the right access.

Run the following command:

$ chmod -R 770 keystore/
$ chown -R splunk:splunk keystore/