SSL
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
SSL
The Splunk management port (default 8089) supports both SSL and plain text connections. SSL is turned on by default. To make changes to SSL settings, edit server.conf.
Note: This only enables SSL for Splunk's back-end communication. To turn on SSL for the browser, see enable HTTPS.
Important: If you are using Firefox 3, enabling SSL for a Splunk deployment may result in an "invalid security exception" being displayed in the browser. Refer to this workaround documentation for more information.
Configuration
When the Splunk Server is turned on for the first time, the server will generate a certificate for that instance. This certificate is stored in the $SPLUNK_HOME/etc/auth/ directory by default.
You can change SSL settings by editing $SPLUNK_HOME/etc/bundles/local/server.conf. Copy server.conf from $SPLUNK_HOME/etc/bundles/default/ to ../bundles/local/.
[sslConfig] enableSplunkdSSL = true keyfile = server.pem keyfilePassword = password caCertFile = cacert.pem caPath = $SPLUNK_HOME/etc/auth certCreateScript = $SPLUNK_HOME/bin/genSignedServerCert.py
-
enableSplunkdSSL= Setting this boolean key totrueenables SSL in Splunk. -
keyfile= Certificate for this Splunk instance (created on Splunk start-up by default - if thecertCreateScripttag is present).
Note: The path to the keyfile is relative to$SPLUNK_HOME. If your keyfile is kept outside$SPLUNK_HOME, you will need to specify a full path outside of$SPLUNK_HOMEto reach it.
-
keyfilePassword= Password for the pem file store, is set topasswordby default. -
caCertFile= This is the name of the certificate authority file. -
caPath= Path where the Splunk certificates are stored. Default is$SPLUNK_HOME/etc/auth. -
certCreateScript= Script for creating & signing server certificates.
With the default script enabled, on startup, Splunk will generate a certificate in the caPath directory.
Deactivate SSL
To deactivate SSL, simply set enableSplunkdSSL to FALSE. This will disable SSL.
Certificate Authority (CA)
By default, all Splunk servers use the same CA. The CA's public and private keys are distributed with Splunk. This allows Splunk instances to connect to each other out of the box and to allow users to regenerate their server certs and sign them.
You can change this default behavior. There are two scripts located in $SPLUNK_HOME/bin that will let you generate your own CA and sign your server certificates.
- genRootCA.sh
This script generates a Root CA. It will output the files cacerts.pem (public key) and ca.pem (public/private password protected PEM).
- genSignedServerCert.sh
This script generates a certificate and will attempt to sign it by using ca.pem.
This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 View the Article History for its revisions.