Install and configure Splunk DB Connect to be FIPS compliant
Since version 4.0.0, Splunk DB Connect supports FIPS capabilities. It uses the FIPS-certified editions of the Bouncy Castle Java libraries for secure communication, encryption and private key handling, so that only FIPS-compliant algorithms and related specifications are ever used.
Requirements
Splunk DB Connect requires a fresh installation to be FIPS compliant. You cannot enable FIPS after upgrading from a version that does not support it, because the FIPS edition uses a different security provider, different encryption algorithms, and so on. Additionally, the Java keystore type used for FIPS environments is `PKCS12`, while the default type is `JKS`.
FIPS compliant installation
Please note that you cannot use Self-Service Application Installation (SSAI) to install Splunk DB Connect as FIPS compliant, because a number of manual actions are required.

1. Download Splunk DB Connect from Splunkbase.
2. Copy the `*.tgz` package to `$SPLUNK_HOME/etc/apps`.
3. Extract the content of the `*.tgz` package.
4. Set `fipsEnabled` to `true` in `$SPLUNK_HOME/etc/apps/splunk_app_db_connect/config/dbx_task_server.yml`.
5. Set `fipsEnabled` to `true` in `$SPLUNK_HOME/etc/apps/splunk_app_db_connect/config/dbxquery_server.yml`.
6. Follow the steps described in the next section, Create the Java KeyStore/TrustStore.

Notes:

- Steps 4 and 5 can be replaced by creating the `SPLUNK_DBX_FIPS_ENABLED` environment variable with its value set to `true`.
- Verify that only libraries whose names contain `fips` are present in `$SPLUNK_HOME/etc/apps/splunk_app_db_connect/jars/libs`. If they exist, remove `bcprov-jdk18on-*.jar`, `bcutil-jdk18on-*.jar` and `bcpkix-jdk18on-*.jar`. This prevents conflicts between the FIPS and non-FIPS editions of the libraries.
Create the Java KeyStore/TrustStore
DB Connect will fail if it cannot validate the server certificate presented by Splunk (for example, because it is a self-signed certificate). In that case, you need to create the keystore or truststore manually and initialize it with the trusted certificate.

1. Go to `$SPLUNK_HOME/etc/apps/splunk_app_db_connect`.
2. Create a directory named `keystore`.
3. Go to `$SPLUNK_HOME/etc/apps/splunk_app_db_connect/keystore`.
4. Create the KeyStore/TrustStore:
   `keytool -genkeypair -alias dbx -keyalg RSA -keysize 2048 -keystore default.p12 -storetype PKCS12 -storepass changeme`
   Make sure the password is `changeme`; it will be changed automatically to a more secure one. You can still change it from the UI at any time.
5. Remove the previous entry (optional):
   `keytool -delete -alias dbx -keystore default.p12 -storepass changeme`
6. Add the CA certificate as a trusted certificate:
   `keytool -importcert -alias splunk -file $SPLUNK_HOME/etc/auth/cacert.pem -keystore default.p12 -storetype PKCS12 -storepass changeme`
7. Make sure the trusted certificate is present:
   `keytool -list -keystore default.p12 -storepass changeme -storetype PKCS12`
8. Restart Splunk.
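The following post-install check, added here as an example and not part of Splunk's own tooling, verifies the outcome of the installation steps and the keystore section above against a `$SPLUNK_HOME` tree: `fipsEnabled` set to `true` in both YAML files (or the `SPLUNK_DBX_FIPS_ENABLED` variable), no leftover non-FIPS Bouncy Castle jars, and a readable `keystore/default.p12`. It assumes the YAML files express the setting as a `fipsEnabled: true` line; the function name `check_dbx_fips` is hypothetical.

```shell
#!/bin/sh
# Hypothetical FIPS post-install check for Splunk DB Connect (added example).
# Usage: check_dbx_fips "$SPLUNK_HOME"  -> returns 0 if all checks pass, else 1.
check_dbx_fips() {
  app="$1/etc/apps/splunk_app_db_connect"
  rc=0

  # Steps 4 and 5: fipsEnabled must be true in both server config files,
  # unless SPLUNK_DBX_FIPS_ENABLED=true replaces them (see Notes).
  if [ "${SPLUNK_DBX_FIPS_ENABLED:-}" = "true" ]; then
    echo "ok: SPLUNK_DBX_FIPS_ENABLED=true is set in the environment"
  else
    for f in dbx_task_server.yml dbxquery_server.yml; do
      # Assumption: the setting is written as a YAML line "fipsEnabled: true".
      if grep -Eq '^[[:space:]]*fipsEnabled:[[:space:]]*true[[:space:]]*$' \
          "$app/config/$f" 2>/dev/null; then
        echo "ok: fipsEnabled is true in config/$f"
      else
        echo "FAIL: fipsEnabled is not true in config/$f"; rc=1
      fi
    done
  fi

  # Library note: the non-FIPS Bouncy Castle jars must not remain in jars/libs,
  # or they conflict with the FIPS editions.
  for jar in "$app"/jars/libs/bcprov-jdk18on-*.jar \
             "$app"/jars/libs/bcutil-jdk18on-*.jar \
             "$app"/jars/libs/bcpkix-jdk18on-*.jar; do
    [ -e "$jar" ] && { echo "FAIL: non-FIPS library present: $(basename "$jar")"; rc=1; }
  done

  # Keystore section: the PKCS12 store DB Connect loads its trust from must exist
  # and be readable by the user running Splunk (the load_trust_manager failure).
  ks="$app/keystore/default.p12"
  if [ -r "$ks" ]; then
    echo "ok: $ks exists and is readable"
  else
    echo "FAIL: $ks is missing or not readable"; rc=1
  fi

  return "$rc"
}
```

Run it as the Splunk user after the restart so that the readability check reflects the permissions DB Connect actually gets.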
Troubleshooting
Certificate for <hostname> doesn't match any of the subject alternative names: [*.<domain>, <domain>]

Update the certificate so that it contains <hostname> as a subject alternative name (SAN), or update the hostname so that it matches one of the existing SANs. To update the hostname, run the following command:

$ sudo hostnamectl set-hostname <server>.<domain>

feature=ssl component=fips_security_manager action=load_trust_manager status=failed

Make sure that `$SPLUNK_HOME/etc/apps/splunk_app_db_connect/keystore/default.p12` exists and that the Splunk user has the right permissions on it. Run the following commands from `$SPLUNK_HOME/etc/apps/splunk_app_db_connect`:

$ chmod -R 770 keystore/
$ chown -R splunk:splunk keystore/
This documentation applies to the following versions of Splunk® DB Connect: 4.0.0