Splunk Stream

Installation and Configuration Manual


This documentation does not apply to the most recent version of StreamApp.

Use SSL keys for decryption

You can use an SSL private key to decrypt data captured by Splunk_TA_stream, provided that the data is encrypted using an RSA cipher that uses the same private key.

By default, some web servers can negotiate session ciphers that do not use RSA private keys. These ephemeral key exchange protocols (such as Diffie-Hellman) make it impossible for any passive observer to decrypt the traffic, and are therefore not supported by Stream.

To ensure that Stream can intercept all of your encrypted traffic, you might need to disable support for ephemeral ciphers on your web server. This does not make your web server less secure, because the web server uses equally effective alternative ciphers for the connection.

Add SSL Private Key

  1. Confirm that your SSL key is a PEM private key file. For example:
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIS2qgprFqPxECAggA
    MBQGCCqGSIb3DQMHBAgD1kGN4ZslJgSCBMi1xk9jhlPxP3FyaMIUq8QmckXCs3Sa
    9g73NQbtqZwI+9X5OhpSg/2ALxlCCjbqvzgSu8gfFZ4yo+Xd8VucZDmDSpzZGDod
    A .... MANY LINES LIKE THAT .... .... MANY LINES LIKE THAT .... 
    X0R+meOaudPTBxoSgCCM51poFgaqt4l6VlTN4FRpj+c/WZeoMM/BVXO+nayuIMyH
    blK948UAda/bWVmZjXfY4Tztah0CuqlAldOQBzu8TwE7WDwo5S7lo5u0EXEoqCCq
    H0ga/iLNvWYexG7FHLRiq5hTj0g9mUPEbeTXuPtOkTEb/0ckVE2iZH9l7g5edmUZ
    GEs=
    -----END ENCRYPTED PRIVATE KEY-----
    
  2. Go to $SPLUNK_HOME/etc/apps/Splunk_TA_stream/linux_x86_64/bin.
  3. Use the streamfwd --addsslkey command to add the PEM private key file:
     ./streamfwd --addsslkey <key_name> <pem_file> <password>
    

    This adds the new private key file to $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/keystore.db. keystore.db protects SSL keys using an AES-256 cipher.

  4. Restart streamfwd:
    1. Go to Settings > Data Inputs.
    2. Click on Wire Data.
    3. Locate the streamfwd data input. Click Disable then click Enable.

Note: If you want to push your private key out to multiple forwarders, either copy your Splunk_TA_stream directory to your forwarders, or copy Splunk_TA_stream into $SPLUNK_HOME/etc/deployment-apps and use the deployment server to distribute the add-on.

Convert PFX files to PEM files

Windows servers often use .pfx files instead of .pem files. You can convert .pfx files to .pem files using this OpenSSL command:

    openssl pkcs12 -in CUSTOMERSKEY.pfx -nocerts -out KEYFORSTREAM.pem -nodes
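
A pre-import check for step 1 above and for keys converted from .pfx, as an added example that is not part of the Splunk documentation or product: it reports which PEM private key format a file holds and flags a key without a passphrase (which is what `-nodes` writes) when group or other can read it. The function names and the pass/fail policy are assumptions of this example.

```sh
# Added example, not Splunk code. Classifies a key file before it is passed to
# `streamfwd --addsslkey`; the pass/fail policy is this example's assumption.

# Print the kind of private key block in file $1:
#   encrypted-pkcs8 | encrypted-traditional | unencrypted | other
pem_key_kind() {
    # Use the first BEGIN line, not line 1: `openssl pkcs12` output puts
    # "Bag Attributes" text before the key. tr strips CR from Windows files.
    begin=$(sed -n '/^-----BEGIN /{p;q;}' "$1" 2>/dev/null | tr -d '\r')
    case "$begin" in
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo encrypted-pkcs8 ;;
        "-----BEGIN PRIVATE KEY-----")           echo unencrypted ;;
        "-----BEGIN RSA PRIVATE KEY-----")
            # The traditional format flags encryption in a Proc-Type header.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
                echo encrypted-traditional
            else
                echo unencrypted
            fi ;;
        *) echo other ;;   # certificate, EC key, or no PEM block at all
    esac
}

# True if group or other has read permission on file $1.
others_can_read() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Print the kind and return 0 if $1 passes, else explain on stderr and return 1.
preflight_key() {
    kind=$(pem_key_kind "$1")
    case "$kind" in
        other)
            echo "$1: no RSA/PKCS#8 private key block found" >&2; return 1 ;;
        unencrypted)
            # For example the output of `openssl pkcs12 ... -nodes`.
            if others_can_read "$1"; then
                echo "$1: clear-text key readable by group/other" >&2; return 1
            fi ;;
    esac
    echo "$1: $kind"
}

# Constructed sample with the layout of pkcs12 -nodes output (not a real key).
demo=$(mktemp)
printf '%s\n' 'Bag Attributes' '-----BEGIN PRIVATE KEY-----' \
    'Q09OU1RSVUNURUQ=' '-----END PRIVATE KEY-----' > "$demo"
chmod 644 "$demo"; preflight_key "$demo" || echo "tighten permissions first"
chmod 600 "$demo"; preflight_key "$demo"
rm -f "$demo"
```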

This documentation applies to the following versions of Splunk Stream: 6.5.0, 6.5.1, 6.6.0, 6.6.1, 6.6.2, 7.0.0, 7.0.1, 7.1.0, 7.1.1