Secure access to your Splunk server with SSL
This documentation does not apply to the most recent version of Splunk.
Contents
- Overview
- Working with SSL settings
- Deactivate SSL
- Disable SSLv2
- Distribute key files to distributed search peers
- Generate a new root certificate
- genRootCA.sh Example
- Generate a new signed certificate and private key pair
- Generate a new signed certificate and private key pair on Windows
- genSignedServer.py Example
- Generate a CSR (Certificate Signing Request)
- Generate a CSR (Certificate Signing Request) on Windows
Overview
The Splunk management port (default 8089) supports both SSL and plain text connections. SSL is turned on by default for communications among Splunk servers. Distributed search will often perform better with SSL enabled because of its built-in data compression.
To make changes to SSL settings, edit server.conf.
Important: If you are using Firefox 3, enabling SSL for a Splunk deployment may result in an "invalid security exception" being displayed in the browser. Refer to this workaround documentation for more information.
Note: This only enables SSL for Splunk's back-end communication. To turn on SSL for the browser, see "Secure access to Splunk with HTTPS".
Working with SSL settings
When the Splunk server is started for the first time, it generates a certificate for that instance. This certificate is stored in the $SPLUNK_HOME/etc/auth/ directory by default.
Change SSL settings by editing server.conf in $SPLUNK_HOME/etc/system/local/, or in your own custom application directory under $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.
[sslConfig]
enableSplunkdSSL = true
sslKeysfile = server.pem
sslKeysfilePassword = password
caCertFile = cacert.pem
caPath = $SPLUNK_HOME/etc/auth
certCreateScript = $SPLUNK_HOME/bin/genSignedServerCert.py

- enableSplunkdSSL = Setting this boolean key to true enables SSL in Splunk.
- keyfile (sslKeysfile in server.conf) = Certificate for this Splunk instance (created on Splunk start-up by default, if the certCreateScript tag is present).
  Note: The path to the keyfile is relative to the caPath setting. If your keyfile is kept outside $SPLUNK_HOME, you must specify a full (absolute) path outside of $SPLUNK_HOME to reach it.
- keyfilePassword (sslKeysfilePassword in server.conf) = Password for the pem file store; set to password by default.
- caCertFile = This is the name of the certificate authority file.
- caPath = Path where the Splunk certificates are stored. Default is $SPLUNK_HOME/etc/auth.
- certCreateScript = Script for creating and signing server certificates.
With the default script enabled, on startup, Splunk will generate a certificate in the caPath directory.
Deactivate SSL
To deactivate SSL, set enableSplunkdSSL to false.
Note: Running splunkd without SSL is not generally recommended. Distributed search will often perform better with SSL enabled.
Disable SSLv2
To disable SSLv2 and tell the HTTP server to only accept connections from SSLv3 clients, include the supportSSLV3Only attribute and set it to TRUE. By default, this setting is FALSE.
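The following script audits an [sslConfig] stanza for the weak settings described in the sections above (SSL switched off, the shipped default key-file password, SSLv2 still accepted) and shows the same stanza in a hardened form. It is an added example, not Splunk code or documentation. It assumes Splunk reads true/false (or 1/0) for boolean keys and that a missing key takes the defaults this page names (SSL on, supportSSLV3Only off); both sample stanzas are constructed, and the severity labels are the example's own.

```python
"""Audit the [sslConfig] stanza of a Splunk 4.1 server.conf for weak settings.

Added example, not part of Splunk. Assumptions: boolean keys accept
true/false (also 1/0); absent keys take the documented defaults.
"""
import configparser

# Constructed sample: the shipped defaults shown in the documentation.
DEFAULT_CONF = """\
[sslConfig]
enableSplunkdSSL = true
sslKeysfile = server.pem
sslKeysfilePassword = password
caCertFile = cacert.pem
caPath = $SPLUNK_HOME/etc/auth
certCreateScript = $SPLUNK_HOME/bin/genSignedServerCert.py
"""

# Constructed sample: the same stanza after hardening (placeholder passphrase).
HARDENED_CONF = """\
[sslConfig]
enableSplunkdSSL = true
supportSSLV3Only = true
sslKeysfile = server.pem
sslKeysfilePassword = REPLACE-WITH-A-REAL-PASSPHRASE
caCertFile = cacert.pem
caPath = $SPLUNK_HOME/etc/auth
certCreateScript = $SPLUNK_HOME/bin/genSignedServerCert.py
"""


def load_ssl_config(text):
    """Return the [sslConfig] keys as a lower-cased dict ({} if the stanza is absent)."""
    # interpolation=None keeps "$SPLUNK_HOME" literal instead of treating $ specially
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section("sslConfig"):
        return {}
    return {key.lower(): value.strip() for key, value in parser.items("sslConfig")}


def is_true(value):
    """Boolean parsing as assumed for Splunk .conf values."""
    return value.strip().lower() in ("true", "1", "yes")


def audit_ssl_config(settings):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    # Default is SSL on, so only an explicit false is a problem.
    if not is_true(settings.get("enablesplunkdssl", "true")):
        findings.append(("high", "enableSplunkdSSL is false: the management port talks plain text"))
    # The shipped key-file password is the literal string "password".
    if settings.get("sslkeysfilepassword", "") == "password":
        findings.append(("high", "sslKeysfilePassword is the shipped default 'password'"))
    # Default is false, so a missing key means SSLv2 clients are still accepted.
    if not is_true(settings.get("supportsslv3only", "false")):
        findings.append(("medium", "supportSSLV3Only is false: SSLv2 clients are still accepted"))
    return findings


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":", audit_ssl_config(load_ssl_config(text)) or "no findings")
```

Run against a real deployment by reading $SPLUNK_HOME/etc/system/local/server.conf into load_ssl_config; note that a clean result only covers the settings above, not whether the CA file on disk is still the shipped Splunk root, which must be checked on the certificate itself.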
Distribute key files to distributed search peers
To learn how to distribute key files to distributed search peers, look in the section on configuring distributed search: "Distribute the key files".
Generate a new root certificate
By default, all Splunk servers use the same root certificate. This allows Splunk instances to connect to each other out of the box.
Important: Splunk STRONGLY recommends that you DO NOT use the default root certificate. Use of the default root certificate will not result in confidential transmission of data.
$SPLUNK_HOME/bin/genRootCA.sh allows you to create a root certificate to be used in creating subsequent server and web certificates.
genRootCA.sh | Run this script when you want to regenerate the certificates Splunk uses. It generates cacert.pem (public key) and ca.pem (public/private password protected PEM). When you run it, it checks to see if certs are already in place, and if they are, prompts you to overwrite them. It then wraps these files into an X509-formatted cert. Distribute cacert.pem to clients as desired and keep ca.pem in a secure location.
genRootCA.sh Example
The following example generates a new root certificate and private key pair at $SPLUNK_HOME/etc/auth/ca.pem.
Note: if Splunk is installed anywhere other than /opt/splunk or C:\Program Files\Splunk, you will need to set the environment variable OPENSSL_CONF to the path of your Splunk installation's openssl.cnf.
$ export OPENSSL_CONF=$SPLUNK_HOME/openssl/openssl.cnf
$ cd $SPLUNK_HOME
$ ./bin/genRootCA.sh -d ./splunk/etc/auth/
There is ca.pem in this directory. If you choose to replace the CA then splunk servers will require new certs signed by this CA before they can interact with it.
Do you wish to replace the CA ? [y/N] y
rm: cacert.pem: No such file or directory
This script will create a root CA
It will output two files. ca.pem cacert.pem
Distribute the cacert.pem to all clients you wish to connect to you.
Keep ca.pem for safe keeping for signing other clients certs
Remember your password for the ca.pem you will need to later to sign other client certs
Your root CA will expire in 10 years
Generating a 1024 bit RSA private key
..++++++
...........++++++
writing new private key to 'cakey.pem'
-----
Signature ok
subject=/C=US/ST=CA/L=SanFrancisco/O=SplunkInc/CN=SplunkCA/O=SplunkUser
Getting Private key
subject= /C=US/ST=CA/L=SanFrancisco/O=SplunkInc/CN=SplunkCA/O=SplunkUser
issuer= /C=US/ST=CA/L=SanFrancisco/O=SplunkInc/CN=SplunkCA/O=SplunkUser
notBefore=Apr 22 16:40:09 2010 GMT
notAfter=Apr 19 16:40:09 2020 GMT
Generate a new signed certificate and private key pair
By default, all Splunk servers use a certificate signed by the common root certificate discussed above. This allows Splunk instances to connect to each other out of the box.
Important: Splunk STRONGLY recommends that you DO NOT use the default self-signed certificate. Use of the default certificate will not result in confidential transmission of data.
$SPLUNK_HOME/bin/genSignedServerCert.sh allows you to create a new private key and server certificate using the current Splunk root certificate.
genSignedServerCert.sh | This shell script is a wrapper for the Python script that Splunk runs to generate certificates when you start it for the first time. This script creates a CSR (certificate signing request), self-signs it, and outputs a signed private key and certificate pair. |
genSignedServer.sh Example
The following example generates a new private key and a new server certificate for the server example.splunk.com, signed by the local Splunk root certificate.
$ cd $SPLUNK_HOME
$ ./bin/genSignedServerCert.sh -d ./etc/auth/ -n server2 -c example.splunk.com -p
* Create certificate server2.pem signed by the root CA
* Store the server2.pem key file locally with your client/server application
* Enter a secret pass phrase when requested
* The pass phrase is used to access server2.pem in your application
* Enter the application's host name as the Common Name when requested
* Enter the root CA pass phrase (Getting CA Private Key) to sign the key file
* The key file will expire after one year or sooner when the root CA expires
Generating a 1024 bit RSA private key
...........................++++++
....................++++++
writing new private key to 'server2.pemkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:SanFrancisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Splunk Inc.
Organizational Unit Name (eg, section) []:Security
Common Name (eg, YOUR name) []:example.splunk.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Signature ok
subject=/C=US/ST=CA/L=SanFrancisco/O=Splunk Inc./OU=Security/CN=example.splunk.com
Getting CA Private Key
subject= /C=US/ST=CA/L=SanFrancisco/O=Splunk Inc./OU=Security/CN=example.splunk.com
issuer= /C=US/ST=CA/L=SanFrancisco/O=SplunkInc/CN=SplunkCA/O=SplunkUser
notBefore=Apr 22 17:20:31 2010 GMT
notAfter=Apr 21 17:20:31 2013 GMT
Generate a new signed certificate and private key pair on Windows
On Windows, run genSignedServerCert.py through Splunk's bundled Python interpreter (splunk cmd python).
genSignedServer.py Example
C:\Program Files\Splunk\bin>splunk cmd python "c:\Program Files\splunk\bin\gensignedservercert.py" -d "c:\Program Files\Splunk\etc\auth" -n server2 -c win2008.splunk.com -p
* Create certificate server2.pem signed by the root CA
* Store the server2.pem key file locally with your client/server application
* Enter a secret pass phrase when requested
* The pass phrase is used to access server2.pem in your application
* Enter the application's host name as the Common Name when requested
* Enter the root CA pass phrase (Getting CA Private Key) to sign the key file
* The key file will expire after one year or sooner when the root CA expires
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.................++++++
......................................................++++++
writing new private key to 'server2key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Splunk, Inc.
Organizational Unit Name (eg, section) []:Splunk Customer Support
Common Name (eg, YOUR name) []:Splunk Support
Email Address []:support@splunk.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<password>
An optional company name []:
Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=CA/L=San Francisco/O=Splunk, Inc./OU=support/CN=splunksupport/emailAddress=support@splunk.com
Getting CA Private Key
subject= /C=US/ST=CA/L=San Francisco/O=Splunk, Inc./OU=support/CN=splunksupport/emailAddress=support@splunk.com
issuer= /C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
notBefore=Jun 14 19:28:27 2010 GMT
notAfter=Jun 13 19:28:27 2013 GMT
Generate a CSR (Certificate Signing Request)
If your organization requires that your Splunk deployment use a certificate signed by an external CA or you otherwise wish to use certificates signed by a root certificate other than the default Splunk authority, you can use the following procedure to generate the CSR to send to the CA:
openssl req -new -key [certificate name].pem -out [certificate name].csr
You are prompted for the following X.509 attributes of the certificate:
- Country Name: Use the two-letter code without punctuation for country, for example: US or GB.
- State or Province: Spell out the state completely; do not abbreviate the state or province name, for example: California
- Locality or City: The Locality is the city or town name, for example: Oakland. Do not abbreviate. For example: Los Angeles, not LA, Saint Louis, not St. Louis.
- Company: If your company or department contains an &, @, or any other non-alphanumeric symbol that requires you to use the shift key, you must spell out the symbol or omit it. For example, Fflanda & Rhallen Corporation would be Fflanda Rhallen Corporation or Fflanda and Rhallen Corporation.
- Organizational Unit: This field is optional; but you can specify it to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request. To skip the OU field, press Enter.
- Common Name: The Common Name is the Host + Domain Name, for example www.company.com or company.com. This must match the host name of the server where you intend to deploy the certificate exactly.
The private key ([certificate name].key) stays locally on your server; the CSR ([certificate name].csr) contains the public key associated with that private key. You can then use the CSR to request a signed certificate from an external CA.
To copy and paste the information into your CA's enrollment form, open the .csr file in a text editor and save it as a .txt file.
Note: Do not use Microsoft Word; it can insert extra hidden characters that alter the contents of the CSR.
Generate a CSR (Certificate Signing Request) on Windows
This is very similar to the method described above, but it requires an extra step to set the environment variable OPENSSL_CONF:
- Open a Command Prompt window and navigate to $SPLUNK_HOME\bin.
- Set the OPENSSL_CONF environment variable:
  C:\Program Files\Splunk\bin>set OPENSSL_CONF=C:\Program Files\Splunk\openssl.cnf
- Verify the variable has been set correctly:
  >echo %OPENSSL_CONF%
- Run the command to generate the CSR:
  >openssl.exe req -new -key "C:\Program Files\Splunk\etc\auth\server.pem" -out server.csr -passin pass:password
- As above, you are then prompted for the X.509 attributes of the certificate.
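The two CSR procedures above (Unix and Windows) both end in the interactive X.509 prompts. The script below is an added example, not Splunk's or OpenSSL's code, that applies the field rules from the CSR section to a set of answers before the request is made, builds the equivalent OpenSSL -subj string (so openssl req can run non-interactively with the same command this page shows), and parses the "subject=/C=US/..." lines that genSignedServerCert and openssl print so the Common Name can be checked against the intended host. Assumptions: the slash-separated /KEY=value subject form, a hypothetical set of "shift key" symbols for the Company rule (the page names only & and @), a simple heuristic for abbreviated state and city names, and constructed sample values. Host names are compared case-insensitively, since DNS names are.

```python
"""Build, parse and check the X.509 subject for a Splunk server CSR.

Added example, not Splunk or OpenSSL code. Field rules follow the CSR
section of the documentation; SHIFTED_SYMBOLS and the abbreviation
heuristic are this example's own assumptions.
"""
import re

# Assumed set of shift-key symbols to spell out or omit in the Company field.
SHIFTED_SYMBOLS = set('~!@#$%^&*()_+{}|:"<>?')

# Attribute order OpenSSL prints for the prompts on this page.
ORDER = ["C", "ST", "L", "O", "OU", "CN"]


def build_subject(fields):
    """Join DN fields into OpenSSL's /KEY=value form, escaping '/' inside values."""
    parts = []
    for key in ORDER:
        value = fields.get(key)
        if value:
            parts.append(key + "=" + value.replace("/", "\\/"))
    return "/" + "/".join(parts)


def csr_command(key_path, csr_path, fields):
    """argv for the page's `openssl req -new -key ... -out ...`, made non-interactive with -subj."""
    return ["openssl", "req", "-new", "-key", key_path, "-out", csr_path,
            "-subj", build_subject(fields)]


def parse_subject(line):
    """Parse 'subject=/C=US/.../CN=host' (or 'issuer= /...') into a dict.

    Only an unescaped '/' separates fields, so escaped values round-trip."""
    text = line.strip()
    if text.startswith(("subject", "issuer")):
        text = text.split("=", 1)[1].strip()
    fields = {}
    for part in re.split(r"(?<!\\)/", text):
        if part:
            key, _, value = part.partition("=")
            fields[key] = value.replace("\\/", "/")
    return fields


def check_subject(fields, expected_host):
    """Apply the documentation's field rules; return a list of problems (empty means OK)."""
    problems = []
    country = fields.get("C", "")
    if not re.fullmatch(r"[A-Z]{2}", country):
        problems.append("C must be a two-letter country code, got %r" % country)
    for key in ("ST", "L"):
        value = fields.get(key, "")
        if not value:
            problems.append("%s is required" % key)
        # Heuristic: a dot ("St. Louis") or a short all-caps token ("LA") signals an abbreviation.
        elif "." in value or (value.isupper() and len(value) <= 3):
            problems.append("%s looks abbreviated: %r" % (key, value))
    org = fields.get("O", "")
    bad = sorted(set(org) & SHIFTED_SYMBOLS)
    if bad:
        problems.append("O contains symbol(s) %r; spell them out or omit them" % "".join(bad))
    cn = fields.get("CN", "")
    if cn.lower() != expected_host.lower():
        problems.append("CN %r does not match the deployment host name %r" % (cn, expected_host))
    return problems


if __name__ == "__main__":
    # Constructed answers following the documentation's examples.
    answers = {"C": "US", "ST": "California", "L": "Oakland",
               "O": "Fflanda and Rhallen Corporation", "OU": "Security",
               "CN": "www.company.com"}
    print(" ".join(csr_command("server.pem", "server.csr", answers)))
    print(check_subject(answers, "www.company.com") or "subject OK")
```

Running check_subject over the subject lines in the transcripts above flags ST=CA as abbreviated, which is exactly what the CSR section tells you to avoid when the request goes to an external CA; the Splunk-internal examples were not written against that rule.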
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4