Add SSL keys for decryption
You can use an SSL private key to decrypt data captured by Splunk_TA_stream, provided that the data is encrypted using an RSA cipher that uses the same private key.
By default, some web servers can negotiate session ciphers that do not use RSA private keys. These ephemeral key exchange protocols (such as Diffie-Hellman) make it impossible for any passive observer to decrypt the traffic, and are therefore not supported by Stream.
To ensure that Stream can intercept all of your encrypted traffic, you might need to disable support for ephemeral ciphers on your web server. This does not make your web server less secure, because the web server uses equally effective alternative ciphers for the connection.
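The following added example (not part of the Splunk documentation or product) sorts the cipher suites a web server offers into those that use RSA key exchange and those that use ephemeral or other key exchanges, which is the distinction the paragraphs above draw. It assumes OpenSSL-style suite names in a colon-separated list, as printed by `openssl ciphers`; the function names and the two sample lists are constructed for illustration.

```python
import re

# OpenSSL names RSA key-exchange suites with no key-exchange prefix,
# so they start directly with the bulk cipher (for example AES128-SHA).
RSA_KX = re.compile(
    r"^(AES(128|256)|CAMELLIA(128|256)|ARIA(128|256)|DES-CBC3|RC4|SEED|IDEA|NULL)-")
# Ephemeral (EC)DHE suites; every TLS 1.3 suite (TLS_*) is ephemeral as well.
EPHEMERAL = re.compile(r"^(ECDHE-|DHE-|EDH-|TLS_)")


def classify(suite):
    """Return 'rsa', 'ephemeral' or 'other' for one OpenSSL cipher suite name."""
    if EPHEMERAL.match(suite):
        return "ephemeral"
    if RSA_KX.match(suite):
        return "rsa"
    # Static DH/ECDH, anonymous, PSK, SRP and anything unrecognised: the
    # RSA private key alone does not recover the session keys.
    return "other"


def audit(cipher_list):
    """Group a colon-separated suite list (as printed by `openssl ciphers`)."""
    groups = {"rsa": [], "ephemeral": [], "other": []}
    for suite in filter(None, (s.strip() for s in cipher_list.split(":"))):
        groups[classify(suite)].append(suite)
    return groups


def fully_decryptable(cipher_list):
    """True only if every suite the server offers uses RSA key exchange."""
    groups = audit(cipher_list)
    return bool(groups["rsa"]) and not groups["ephemeral"] and not groups["other"]


# Constructed samples: a server with default suites and one restricted to RSA.
DEFAULT_SERVER = ("TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
                  "DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-SHA:"
                  "ECDH-RSA-AES128-SHA")
RSA_ONLY_SERVER = "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA"

if __name__ == "__main__":
    for label, suites in (("default", DEFAULT_SERVER), ("rsa-only", RSA_ONLY_SERVER)):
        print(label, audit(suites), "all decryptable:", fully_decryptable(suites))
```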
Add SSL Private Key
1. Confirm that your SSL key is a PEM private key file. For example:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIS2qgprFqPxECAggA
MBQGCCqGSIb3DQMHBAgD1kGN4ZslJgSCBMi1xk9jhlPxP3FyaMIUq8QmckXCs3Sa
9g73NQbtqZwI+9X5OhpSg/2ALxlCCjbqvzgSu8gfFZ4yo+Xd8VucZDmDSpzZGDod
A
.... MANY LINES LIKE THAT ....
.... MANY LINES LIKE THAT ....
X0R+meOaudPTBxoSgCCM51poFgaqt4l6VlTN4FRpj+c/WZeoMM/BVXO+nayuIMyH
blK948UAda/bWVmZjXfY4Tztah0CuqlAldOQBzu8TwE7WDwo5S7lo5u0EXEoqCCq
H0ga/iLNvWYexG7FHLRiq5hTj0g9mUPEbeTXuPtOkTEb/0ckVE2iZH9l7g5edmUZ
GEs=
-----END ENCRYPTED PRIVATE KEY-----
Note: Windows servers often use .pfx files instead of .pem. Convert your .pfx files to .pem using the following command.
openssl pkcs12 -in CUSTOMERSKEY.pfx -nocerts -out KEYFORSTREAM.pem -nodes
2. Navigate to http://localhost:8889 (replace localhost with the server name as appropriate). The Stream Forwarder admin interface appears.
3. Click Edit SSL Keys. The Edit SSL Keys dialog opens.
4. In the Name field, enter the unique name of your SSL key. In the Password field, enter the passphrase for your SSL key.
5. Copy and paste the entire contents of your PEM private key file into the space provided. Click Save key.
This updates the keystore.db file located in your $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local directory. The keystore.db protects SSL keys using an AES-256 cipher.
6. Restart streamfwd:
a. Go to Settings > Data Inputs.
b. Click on Wire Data.
c. Locate the "streamfwd" data input in the list. Click Disable and then Enable.
If you want to push your private key out to multiple forwarders, either copy your Splunk_TA_stream directory to your forwarders, or copy it to $SPLUNK_HOME/etc/deployment-apps and use the deployment server to distribute the add-on.
For more information on support for SSL decryption, see Does Splunk App for Stream support decrypting TLS connections? in Splunk Answers.
This documentation applies to the following versions of Splunk Stream™: 6.3.0, 6.3.1, 6.3.2, 6.4.0, 6.4.1, 6.4.2