ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Integrated Cyber Defense Exchange (ICDx) Splunk forwarder module fails due to certificate validation errors

book

Article ID: 200331

calendar_today

Updated On:

Products

Integrated Cyber Defense Exchange ICDx

Issue/Introduction

The ICDx Splunk forwarder is configured to use and verify SSL(TLS). When you try to start the ICDx Splunk forwarder, the forwarder does not start and errors are found in the forwarder logs.

Similar to the following error is listed in the forwarder logs:

2020-09-23 12:43:15,955 [Splunk] WARN  com.symantec.http.support.HttpRequester -Send to Splunk 1, 100 event(s), 296830 bytes (uncompressed) attempt 1 - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

2020-09-23 12:43:15,957 [Splunk] WARN  com.symantec.splunk.SplunkHttpWriterModule - SSL handshake problem. The Splunk server's certificate cannot be validated against to the certificate supplied in the SSL Certificate Path. Try changing the supplied certificate, or replacing the SSL certificates in Splunk, or disabling SSL verification.

Double-check settings:

    * Use SSL: true

    * Use SSL Verification: false

      (ignored because SSL Certificate Path is supplied)

    * SSL Certificate Path: /path/to/splunk_cert.pem

    * Use Hostname Verification: false

      (only applies when using SSL Certificate Path)

    * Host: ###.###.###.###

    * Port: 8088

    * Token: ****

    * Index not specified

    * Source Type not specified

    * Use Proxy: false

The "/path/to/splunk_cert.pem" is the value in the "SSL Certificate Path" configuration.

Cause

The issue occurs when the certificate found in the "SSL Certificate Path" configuration does not match the certificate used by the Splunk service.

Environment

Release : 1.4.1

Component : Splunk forwarder

Resolution

To resolve this issue, ensure that the certificate found in the "SSL Certificate Path" is the same as that used by Splunk, or that nothing in the network path might be interfering with the certificate validation, such as a firewall or network device doing TLS deep inspection.