This documentation does not apply to the most recent version of Splunk.

SSL

The Splunk management port (default 8089) supports both SSL and plain text connections. SSL is turned on by default. To make changes to SSL settings, edit server.conf.


Important: If you are using Firefox 3, enabling SSL for a Splunk deployment may result in an "invalid security exception" being displayed in the browser. Refer to this workaround documentation for more information.


Configuration

When the Splunk Server is turned on for the first time, the server will generate a certificate for that instance. This certificate is stored in the $SPLUNK_HOME/etc/auth/ directory by default.


You can change SSL settings by editing $SPLUNK_HOME/etc/bundles/local/server.conf. If that file does not exist yet, copy server.conf from $SPLUNK_HOME/etc/bundles/default/ to $SPLUNK_HOME/etc/bundles/local/ and edit the copy.


[sslConfig]
enableSplunkdSSL = true/false
enableSplunkSearchSSL = true/false
keyfile = server.pem
keyfilePassword = password
caCertFile = cacert.pem
caPath = $SPLUNK_HOME/etc/auth
certCreateScript = genSignedServerCert.sh

On startup the server will generate a certificate in the caPath directory.


Enable SSL

To enable SSL in SplunkWeb simply set the enableSplunkSearchSSL key to TRUE.


Deactivate SSL

To deactivate SSL, set enableSplunkdSSL to FALSE.


Certificate Authority (CA)

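By default, all Splunk servers use the same CA. The CA's public and private keys are distributed with Splunk. This allows Splunk instances to connect to each other out of the box and allows users to regenerate their server certs and sign them. Because the CA's private key ships with every copy of Splunk, a certificate signed by this default CA does not identify a particular server; generate your own CA if you rely on certificates to authenticate Splunk instances.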


You can change this default behavior. There are two scripts located in $SPLUNK_HOME/bin that let you generate your own CA and sign your server certificates.


One script generates a Root CA. It outputs the files cacerts.pem (public key) and ca.pem (public/private password protected PEM).


The other script generates a certificate and attempts to sign it using ca.pem.
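
The following is an added example, not code from Splunk or from the original page: a small audit of the effective [sslConfig] stanza that flags the settings discussed above. It assumes that settings in bundles/local override those in bundles/default; the function names and the sample file contents are constructed for illustration.

```python
import configparser

# Constructed sample files, modelled on the [sslConfig] stanza shown on this page.
DEFAULT_CONF = """
[sslConfig]
enableSplunkdSSL = true
enableSplunkSearchSSL = false
keyfile = server.pem
keyfilePassword = password
caCertFile = cacert.pem
caPath = $SPLUNK_HOME/etc/auth
"""

LOCAL_CONF = """
[sslConfig]
enableSplunkSearchSSL = true
keyfilePassword = constructed-example-value
"""


def effective_ssl_config(*conf_texts):
    """Merge server.conf texts in order; later texts override earlier ones."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case, e.g. enableSplunkdSSL
    for text in conf_texts:
        parser.read_string(text)
    return dict(parser["sslConfig"]) if parser.has_section("sslConfig") else {}


def audit_ssl_config(cfg):
    """Return a list of findings for the settings this page documents."""
    findings = []
    for key in ("enableSplunkdSSL", "enableSplunkSearchSSL"):
        if cfg.get(key, "").strip().lower() != "true":
            findings.append(f"{key} is not set to true: SSL is off for that service")
    if cfg.get("keyfilePassword", "").strip() == "password":
        findings.append("keyfilePassword is still the sample value 'password'")
    # Heuristic (assumption): both values match the stanza shown on this
    # page, so the CA distributed with Splunk is probably still in use.
    if (cfg.get("caCertFile") == "cacert.pem"
            and cfg.get("caPath") == "$SPLUNK_HOME/etc/auth"):
        findings.append("caCertFile/caPath unchanged: shared default CA likely in use")
    return findings


if __name__ == "__main__":
    for line in audit_ssl_config(effective_ssl_config(DEFAULT_CONF, LOCAL_CONF)):
        print(line)
```

To audit a real instance, read the two server.conf files from disk and pass their contents in the same order (default first, local second).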


SSL for SplunkWeb

The certificate used for SSL between SplunkWeb and the client browser is located in $SPLUNK_HOME/share/splunk/certs. You can replace the self-signed default certificate with your own. Restart SplunkWeb from the CLI to have your changes take effect. To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command. You can also add Splunk to your path and use the splunk command.


./splunk restart splunkweb

If your self-signed cert for SplunkWeb expires, you can generate a new one by deleting cert.pem and privkey.pem in $SPLUNK_HOME/share/splunk/certs and restarting Splunk.

This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4

