Integrated Cyber Defense Exchange (ICDx) Splunk forwarder module fails due to problem loading certificate file

Article ID: 200323

Products

Integrated Cyber Defense Exchange ICDx

Issue/Introduction

When you try to start the ICDx Splunk forwarder, the forwarder does not start and errors are found in the forwarder logs.

The following error is listed in the forwarder logs:

2020-09-17 01:07:11,746 [main] ERROR lifecycle - Failed to load the service's modules: com.symantec.splunk.SplunkHttpWriterModule: Unable to load configuration: Splunk
com.symantec.lib.app.ModuleLoaderError: com.symantec.splunk.SplunkHttpWriterModule: Unable to load configuration: Splunk
...

Caused by: java.lang.reflect.InvocationTargetException: null
...

Caused by: java.lang.reflect.InvocationTargetException: null
...

Caused by: com.symantec.http.support.CreateExecutorException: Problem loading certificate file: /path/to/splunk_cert.pem
...

Caused by: java.io.FileNotFoundException: /path/to/splunk_cert.pem (No such file or directory)
...

The error has been edited for brevity. The path "/path/to/splunk_cert.pem" is the value of the "SSL Certificate Path" configuration setting.

Cause

The issue occurs when the ICDx forwarder is configured to use and verify SSL (TLS), but the ICDx software cannot read the Splunk certificate stored in the local filesystem.

Environment

Release : 1.4.1

Component : Splunk Forwarder

Resolution

To resolve this issue, verify that the certificate path and filename are correct, and that the permissions and ownership for the full path and file allow the ICDx user account (icdx by default) to read the file.
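
One way to run that verification, as an added example that is not part of the original article or the ICDx product: a shell function that walks every component of the certificate path and reports the first one that is missing or blocks access. The function name and return codes are choices made for this example; the checks apply to the user running the script, so run it as the ICDx account.

```shell
#!/bin/sh
# Added example (not ICDx code). Checks apply to the invoking user.
# Return codes (chosen for this example):
#   0 = readable, 1 = missing or wrong type, 2 = permission, 3 = not absolute
check_cert_path() {
    cert=$1
    case $cert in
        /*) ;;
        *) echo "not an absolute path: $cert" >&2; return 3 ;;
    esac
    current=""
    rest=${cert#/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}                 # next path component
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        if [ -z "$part" ]; then continue; fi   # tolerate doubled slashes
        current="$current/$part"
        if [ ! -e "$current" ]; then
            echo "missing: $current" >&2; return 1
        fi
        if [ -n "$rest" ]; then
            # Intermediate component: must be a directory the user can search.
            if [ ! -d "$current" ]; then
                echo "not a directory: $current" >&2; return 1
            fi
            if [ ! -x "$current" ]; then
                echo "no search (x) permission: $current" >&2; return 2
            fi
        fi
    done
    if [ ! -f "$cert" ]; then
        echo "not a regular file: $cert" >&2; return 1
    fi
    if [ ! -r "$cert" ]; then
        echo "no read permission: $cert" >&2; return 2
    fi
    ls -ld "$cert"                       # show owner, group and mode
    return 0
}

# When the script is given a path argument, check it directly.
[ "$#" -eq 0 ] || check_cert_path "$1"
```

Saved under a name of your choosing (check_cert_path.sh here is hypothetical), it can be run as the service account with `sudo -u icdx sh check_cert_path.sh /path/to/splunk_cert.pem`, passing the value from "SSL Certificate Path".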