Admin Manual



Authentication

SSL setup for splunkd


The management port (default 8089) supports both SSL and plaintext connections. SSL is turned on by default.


When the splunk server is started for the first time, it generates a certificate for that instance. This cert goes in $SPLUNK_HOME/etc/auth by default; its location can be changed by editing splunkd.xml, which is also where the SSL configuration lives:


    <managementServer>
        <SSL>
            <keyfile>server.pem</keyfile>
            <keyfilePassword>password</keyfilePassword>
            <commonName></commonName>
            <caCertFile>cacert.pem</caCertFile>
            <caPath>$SPLUNK_HOME/etc/auth</caPath>
            <certCreateScript>genSignedServerCert.sh</certCreateScript>
        </SSL>
    </managementServer>

keyfile => certificate for this splunk instance (created on startup if the certCreateScript tag is present).
keyfilePassword => password for the PEM store; set to "password" by default.
commonName => DNS name of the server, or its IP address if DNS is not being used. It must be one of these two or clients will not connect.
caCertFile => cacerts file containing the common splunk CA.
caPath => location of the certificates on disk.
certCreateScript => script for creating and signing server certs.


If commonName is left blank the server does not turn on client or server checks. This gives encrypted connections but no authentication or server checks. If a commonName is provided, client connections compare the commonName in the cert to the name of the host they are contacting, and the signing CA is checked as well.


To deactivate SSL, comment out the SSL section in the splunkd.xml config. search.xml will also have to be edited to change the tag

    <managerURL>https://localhost:8089</managerURL>

to

    <managerURL>http://localhost:8089</managerURL>
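The two settings above (the SSL section of splunkd.xml and the managerURL in search.xml) have to agree, and a blank commonName silently leaves connections unauthenticated. The following POSIX shell script is an added example, not part of the Splunk manual: it reports the effective SSL mode of a splunkd.xml and cross-checks it against search.xml. The sample files it writes are constructed here; the host name splunk01.example.com and the scratch directory are assumptions, and in practice the functions would be pointed at the real files under $SPLUNK_HOME/etc.

```shell
#!/bin/sh
# Added example, not part of the Splunk manual: audit the SSL settings in
# splunkd.xml together with the managerURL in search.xml. The sample files
# below are constructed here; point the functions at the real
# $SPLUNK_HOME/etc files instead (assumed location).

# Emit the file with every <!-- ... --> block removed so that a commented-out
# <SSL> section counts as absent (POSIX awk; the lines carrying the comment
# delimiters are dropped whole).
strip_xml_comments() {                      # $1 = xml file
  awk '/<!--/ { c = 1 } !c { print } /-->/ { c = 0 }' "$1"
}

# Effective splunkd SSL mode, one word on stdout:
#   disabled      no active <SSL> section: the management port is plaintext
#   encrypt-only  <SSL> present but commonName blank: encryption only, peers
#                 are not authenticated and the CA chain is not checked
#   verify        commonName set: chain and host-name checks are enforced
splunkd_ssl_mode() {                        # $1 = splunkd.xml
  stripped=$(strip_xml_comments "$1")
  case "$stripped" in
    *'<SSL>'*) ;;
    *) echo disabled; return 0 ;;
  esac
  cn=$(printf '%s\n' "$stripped" |
       sed -n 's|.*<commonName>\([^<]*\)</commonName>.*|\1|p' | tr -d ' \t')
  if [ -n "$cn" ]; then echo verify; else echo encrypt-only; fi
}

# Scheme (http or https) that search.xml uses to reach the management port.
manager_url_scheme() {                      # $1 = search.xml
  sed -n 's|.*<managerURL>\([a-z]*\)://.*|\1|p' "$1" | head -n 1
}

# Cross-check both files. Prints findings; returns 0 only when the files agree
# and verification is on, 1 otherwise.
audit_ssl() {                               # $1 = splunkd.xml, $2 = search.xml
  mode=$(splunkd_ssl_mode "$1")
  scheme=$(manager_url_scheme "$2")
  rc=0
  echo "splunkd SSL mode: $mode; search.xml managerURL scheme: $scheme"
  if [ "$mode" = disabled ] && [ "$scheme" = https ]; then
    echo "MISMATCH: SSL is commented out but search.xml still uses https"; rc=1
  elif [ "$mode" != disabled ] && [ "$scheme" = http ]; then
    echo "MISMATCH: SSL is on but search.xml uses plain http"; rc=1
  fi
  if [ "$mode" = encrypt-only ]; then
    echo "WEAK: commonName is blank; connections are encrypted but unauthenticated"; rc=1
  fi
  return $rc
}

# Constructed sample configs: the weak default (blank commonName), a hardened
# copy with the host name filled in, one with the SSL section commented out,
# and a search.xml that points at https.
make_sample_configs() {                     # $1 = output dir
  cat > "$1/weak-splunkd.xml" <<'EOF'
<managementServer>
  <SSL>
    <keyfile>server.pem</keyfile>
    <keyfilePassword>password</keyfilePassword>
    <commonName></commonName>
    <caCertFile>cacert.pem</caCertFile>
    <caPath>$SPLUNK_HOME/etc/auth</caPath>
    <certCreateScript>genSignedServerCert.sh</certCreateScript>
  </SSL>
</managementServer>
EOF
  sed 's|<commonName></commonName>|<commonName>splunk01.example.com</commonName>|' \
      "$1/weak-splunkd.xml" > "$1/hardened-splunkd.xml"
  { echo '<managementServer>'; echo '  <!--'
    sed -n '/<SSL>/,/<\/SSL>/p' "$1/weak-splunkd.xml"
    echo '  -->'; echo '</managementServer>'; } > "$1/nossl-splunkd.xml"
  echo '<managerURL>https://localhost:8089</managerURL>' > "$1/search.xml"
}

# Demo: run the audit over the three constructed splunkd.xml variants.
work=$(mktemp -d)
make_sample_configs "$work"
for f in weak hardened nossl; do
  audit_ssl "$work/$f-splunkd.xml" "$work/search.xml" || echo "$f: needs attention"
done
rm -rf "$work"
```

Only the hardened variant passes: the shipped default is flagged as encrypt-only, and the commented-out section is flagged because search.xml still expects https on the management port.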

By default all splunk servers use the same CA, whose public and private keys are distributed with splunk. This allows splunk instances to connect to each other out of the box and lets users re-generate their server certs and sign them.

Because every installation holds the same CA private key, this behaviour may not be desirable for a variety of reasons. With that limitation in mind, two scripts are provided to help users generate their own CA and sign their server certs with it.


The first script generates a root CA. It outputs the files cacerts.pem (public key) and ca.pem (public/private, password-protected PEM).

The second script generates a server cert and attempts to sign it using ca.pem.

Both scripts use openssl, which splunk provides in the contrib bundle.


On startup the server generates a cert in the caPath directory. If commonName is provided it is 'woven' into the cert and client-side checks are turned on. Supplying a commonName therefore assumes that the other servers in the cluster also have properly formed certs with commonNames: there is no mix and match, client-side checks are either everywhere or nowhere.


Advanced SSL features

The SSL support in the product has two modes. The one shipped by default is very simplistic: it encrypts data but does not attempt to verify the hosts that connect, and it does not check certificate chains either.

These checks can be turned on simply by specifying a commonName in the SSL section of splunkd.xml. This change must be made before starting the server, or the server.pem file must be deleted after the variable is added (the commonName is embedded into the cert).

Once a commonName is supplied the server will start verifying certificate chains and will also check that the connecting host matches the name in its certificate.
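The two CA scripts described earlier and the checks that a commonName switches on can be reproduced with the openssl CLI. The script below is an added example and not the scripts shipped with Splunk: it builds a private root CA producing the files the manual names (cacerts.pem, ca.pem), issues a server cert whose CN is the host name, and then performs the chain and host-name verification a client applies in the second mode. The CA name, the host name splunk01.example.com, both passwords and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not the scripts shipped with Splunk: build a private root CA
# and a server certificate signed by it with the openssl CLI, producing the
# files the manual names (cacerts.pem = CA public cert, ca.pem = password-
# protected CA key plus cert, server.pem = the instance's key plus cert),
# then run the two checks a client performs once commonName is set.
# Assumed values: the CA name, the host name, and both passwords.

CA_PASS="${CA_PASS:-example-ca-passphrase}"   # assumed; protects the CA key in ca.pem
SERVER_PASS="${SERVER_PASS:-password}"        # matches the manual's default keyfilePassword

# Root CA. The encrypted private key and the self-signed certificate are
# concatenated into ca.pem; cacerts.pem holds only the public certificate,
# which is all that peers need to check signatures.
make_root_ca() {                                 # $1 = output dir
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 \
      -subj "/CN=Example Splunk Root CA" \
      -passout "pass:$CA_PASS" -keyout "$1/ca.key" -out "$1/cacerts.pem" 2>/dev/null &&
  cat "$1/ca.key" "$1/cacerts.pem" > "$1/ca.pem" && rm "$1/ca.key"
}

# Server certificate with the host name as CN, signed by the CA key in ca.pem.
# server.pem holds the encrypted key followed by the certificate (the shape
# keyfile expects); server.crt keeps the bare certificate for inspection.
make_server_cert() {                             # $1 = dir, $2 = commonName
  openssl req -new -newkey rsa:2048 -sha256 -subj "/CN=$2" \
      -passout "pass:$SERVER_PASS" -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/server.csr" -sha256 -days 825 \
      -CA "$1/cacerts.pem" -CAkey "$1/ca.pem" -passin "pass:$CA_PASS" \
      -CAcreateserial -out "$1/server.crt" 2>/dev/null &&
  cat "$1/server.key" "$1/server.crt" > "$1/server.pem" &&
  rm "$1/server.key" "$1/server.csr"
}

# CN embedded in the server certificate (RFC 2253 formatting avoids the
# spaces openssl otherwise prints around '=').
cert_common_name() {                             # $1 = dir
  openssl x509 -in "$1/server.crt" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# The checks a client applies in verify mode: the certificate must chain to
# the trusted CA in cacerts.pem and its name must match the host being
# contacted. Returns 0 when both pass, non-zero otherwise.
verify_as_client() {                             # $1 = dir, $2 = host contacted
  openssl verify -CAfile "$1/cacerts.pem" -verify_hostname "$2" \
      "$1/server.crt" >/dev/null 2>&1
}

# Demo run in a scratch directory.
work=$(mktemp -d)
make_root_ca "$work" && make_server_cert "$work" splunk01.example.com
echo "server cert CN: $(cert_common_name "$work")"
verify_as_client "$work" splunk01.example.com && echo "splunk01.example.com: chain and name OK"
verify_as_client "$work" other.example.com || echo "other.example.com: rejected (name mismatch)"
rm -rf "$work"
```

The second verification call fails on purpose: the chain is valid, but the name in the cert does not match the host contacted, which is exactly the case the first, encrypt-only mode would have let through.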


SSL for Splunkweb

The certificate used for SSL between Splunkweb and the client browser is located in $SPLUNK_HOME/share/splunk/certs. You can replace the self-signed default cert with your own. Restart Splunkweb ("splunk restart splunkweb") to have your changes take effect.

This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6

