Secure access to Splunk with HTTPS
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
Secure access to Splunk with HTTPS
You can enable HTTPS (SSL) access from the browser to Splunk Web. You configure SSL through the Splunk Web Manager or web.conf. Splunk can listen on HTTPS or HTTP, but not both.
You can also use SSL for intra-Splunk communication over the management port and forwarder to receiver communication.
Note: Splunk Web does not currently support SSL key passphrases.
Important: If you are using Firefox 3, enabling SSL for a Splunk deployment may result in an "invalid security exception" being displayed in the browser. Refer to this workaround documentation for more information.
Enable HTTPS using Splunk Web Manager
To enable HTTPS through Splunk Web Manager, navigate to Manager > System settings > General Settings and select the Yes radio button underneath the Enable SSL (HTTPS) in Splunk Web setting.
Note: You must restart Splunk to enable the new settings. Also, you must now append "https://" to the URL you use to access Splunk Web.
Enable HTTPS by editing web.conf
You can enable HTTPS through web.conf. Edit this file in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.
[settings] httpport = <port number> enableSplunkWebSSL = true
-
httpport- Set the port number to your HTTPS port.
-
enableSplunkWebSSL- Set this key to true to enable SSL for Splunk Web.
Once you have made the changes to web.conf, you must restart Splunk for the changes to take effect.
Change HTTPS certificates by editing web.conf
The certificates used for SSL between Splunk Web and the client browser are located in $SPLUNK_HOME/share/splunk/certs.
Important: Splunk STRONGLY recommends that you DO NOT use the default Splunk Web certificate. Use of the default Splunk Web certificate will not result in confidential data transmission.
The certificates to use for Splunk Web HTTPS are specified in web.conf under the [settings] stanza.
[settings] ... privKeyPath = /certs/privkey.pem caCertPath = /certs/cert.pem
Restart Splunk Web from the CLI for your changes to take effect. To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command:
./splunk restart splunkweb
Note: After changing the Splunk Web certificate, users may receive certificate warnings or be prompted by their browser to accept the new certificate.
Examples
Use a third-party certificate for Splunk Web
- Follow the instructions to generate a new certificate signing request (CSR) and receive a new certificate from your organization's root certificate authority here.
- Use the following openssl command on *nix:
openssl req -new -key $SPLUNK_HOME/share/splunk/certs/privkey.pem -out $SPLUNK_HOME/share/splunk/certs/newcert.csr
- Use the following openssl command on Windows:
openssl.exe req -new -key $SPLUNK_HOME\share\splunk\certs\privkey.pem -out $SPLUNK_HOME\share\splunk\certs\newcert.csr
- Optionally, you can generate or supply an alternative private key
- Use the following openssl command on *nix:
- Copy the certificate received from your CA into
$SPLUNK_HOME/share/splunk/certs/newcert.pem. - Create or modify the following entry under the
[settings]stanza in$SPLUNK_HOME/etc/system/local/web.conf-
caCertPath=/certs/newcert.pem
-
- Restart Splunk Web
$SPLUNK_HOME/bin/splunk restart splunkweb
Use genWebCert.py to generate a new private key and create a new self-signed Splunk Web certificate
- Follow the instructions for creating a new root certificate here
- Issue the following commands:
$ cd $SPLUNK_HOME $ mv ./share/splunk/certs/privkey.pem ./share/splunk/certs/privkey.pem.old $ mv ./share/splunk/certs/cert.pem ./share/splunk/certs/cert.pem.old $ ./bin/splunk cmd python ./bin/genWebCert.py Generating a 1024 bit RSA private key .....++++++ ..............++++++ writing new private key to 'privkeySecure.pem' ----- Signature ok subject=/CN=example.splunk.com/O=SplunkUser Getting CA Private Key writing RSA key $ ./bin/splunk restart splunkweb
- You can also use the above procedure to generate a new self-signed certificate if your self-signed certificate has expired.
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 View the Article History for its revisions.
Comments
Please add a comment to your thirdparty cert section that regarding the need for defining the following when splunk is not installed in the default location.
SPLUNK_HOME/share/splunk/certs/newcert.csr
hi Robert: this sounds more like a support question, or even better, something you can ask on answers.splunk.com.
my virtual Servers seems stuck (30minutes +) with "writing RSA key"
Do you have shortcut to speed this process up?
I think this is due to the lack of CPU cycles I get from me Virtualization platform - we had exavtly the same issue on the Prelude Platform.
I just dont remember whatit was - some kind of rng process ...
Regards
Robert
Looks like I pasted the incorrect information in my last post. The following should be more clear.
Note: if Splunk is installed anywhere but /opt/splunk, you will need to set the environment variable OPENSSL_CONF to the path to your Splunk installation's openssl.cnf.
$ export OPENSSL_CONF=$SPLUNK_HOME/openssl/openssl.cnf