Splunk® Enterprise

Admin Manual


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Use SSL (HTTPS) for secure access to Splunk Web

This topic explains how to enable SSL (HTTPS) for browser to Splunk Web communication. Splunk can listen on HTTPS or HTTP, but not both.

You can also use SSL for intra-Splunk communication over the management port and forwarder to receiver communication.

Enable HTTPS

You can configure SSL through Splunk Manager or web.conf.

Use Splunk Manager

To enable HTTPS through Splunk Manager:

1. Navigate to Manager > System settings > General Settings.

2. Go to the Enable SSL (HTTPS) in Splunk Web setting and select the Yes radio button.

3. Restart Splunk Web, as described in "Start Splunk".

4. You must now prepend "https://" to the URL you use to access Splunk Web.

Use web.conf

You can enable HTTPS through the web.conf configuration file. Edit this file in $SPLUNK_HOME/etc/system/local/ or your own custom application directory in $SPLUNK_HOME/etc/apps/. For information on configuration files in general, see how configuration files work.

To enable HTTPS through web.conf:

1. Set the enableSplunkWebSSL attribute to true:

[settings]
httpport = <https port number>
enableSplunkWebSSL = true

2. Restart Splunk Web, as described in "Start Splunk".

3. You must now prepend "https://" to the URL you use to access Splunk Web.

Set the cipher list

You can set the cipher list for Splunk Web with the cipherSuite attribute in web.conf. If you don't set the list explicitly, Splunk Web uses the default cipher string provided by OpenSSL.

For example:

[settings]
httpport = 8123
mgmtHostPort = 127.0.0.1:8124
cipherSuite = ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:-MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:-EXP:-DES
enableSplunkWebSSL = true 

Change HTTPS certificates

You can change HTTPS certificates in web.conf. The certificates used for SSL between Splunk Web and the client browser are located in $SPLUNK_HOME/etc/auth/splunkweb.

Important: Splunk STRONGLY recommends that you DO NOT use the default Splunk Web certificate. Use of the default Splunk Web certificate will not result in confidential data transmission.

The certificates to use for Splunk Web HTTPS are specified in web.conf under the [settings] stanza:

[settings]
...
privKeyPath = etc/auth/splunkweb/privkey.pem
caCertPath = etc/auth/splunkweb/cert.pem

Once you've made your changes, you must restart Splunk Web, as described in "Start Splunk".

Note: After changing the Splunk Web certificate, users may receive certificate warnings or be prompted by their browser to accept the new certificate.

Important note about the caCertPath attribute

When you use the caCertPath attribute to specify a new default certificate, make sure that the certificate file you specify:

  • Contains at least a server SSL certificate and a certificate authority (CA) certificate.
  • Contains multiple certificates in the proper sequence:
    • The server's SSL certificate.
    • Any intermediate certificates, if required.
    • The root certificate, if required.
  • Uses absolute paths to certificate files, for best results. While you can use relative paths, those paths are relative to $SPLUNK_HOME, and you cannot change this setting.

The caCertPath attribute cannot point to a file that contains only a CA certificate, because with only a CA certificate, SSL cannot properly establish a secure connection. If you specify a certificate file that only contains a CA certificate, Splunk Web over HTTPS will not work.

For more information on how to set the caCertPath attribute, read about web.conf in the Admin Manual.
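
The conditions this topic warns about (HTTPS not enabled, no explicit cipher list, the default certificate, a relative caCertPath, a certificate file with a single certificate) can be checked mechanically. The following Python sketch is an added example, not Splunk's own code. The function name, the sample stanzas and the placeholder PEM body are constructed, and treating an unset caCertPath as the default certificate is an assumption.

```python
import configparser
import re

DEFAULT_CERT = "etc/auth/splunkweb/cert.pem"  # default path shown in this topic
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def audit_web_conf(conf_text, bundle_text=None):
    """Return findings for the [settings] stanza (hypothetical helper).

    bundle_text: contents of the file caCertPath points to, if available.
    """
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep attribute names such as cipherSuite as written
    cp.read_string(conf_text)
    s = cp["settings"] if cp.has_section("settings") else {}
    findings = []
    if s.get("enableSplunkWebSSL", "").strip().lower() != "true":
        findings.append("enableSplunkWebSSL is not true: Splunk Web serves HTTP")
    if not s.get("cipherSuite", "").strip():
        findings.append("cipherSuite unset: OpenSSL default cipher string applies")
    # Assumption: an unset caCertPath means the shipped default certificate.
    ca = s.get("caCertPath", DEFAULT_CERT).strip().replace("\\", "/")
    if ca == DEFAULT_CERT:
        findings.append("caCertPath is the default Splunk Web certificate")
    elif not (ca.startswith("/") or re.match(r"[A-Za-z]:/", ca)):
        findings.append("caCertPath is relative to $SPLUNK_HOME")
    # Counting PEM blocks catches a single-certificate file; it does not
    # verify the server -> intermediate -> root order.
    if bundle_text is not None and len(PEM_CERT.findall(bundle_text)) < 2:
        findings.append("caCertPath file holds fewer than two certificates")
    return findings

# Constructed sample inputs; the PEM body is a placeholder, not a real cert.
WEAK = "[settings]\nhttpport = 8000\nenableSplunkWebSSL = false\n"
CONFIGURED = """[settings]
httpport = 8123
enableSplunkWebSSL = true
cipherSuite = ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:-MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:-EXP:-DES
caCertPath = /opt/splunk/etc/auth/splunkweb/newcert.pem
"""
ONE_CERT = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, conf, pem in (("weak", WEAK, None), ("configured", CONFIGURED, ONE_CERT)):
        print(name, audit_web_conf(conf, pem))
```

The cipherSuite value in the CONFIGURED sample is the string from this topic's own example; the check only reports whether a list is set, not whether its contents are appropriate.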

Examples

Use a third-party certificate for Splunk Web

1. Follow the instructions located here to generate a new certificate signing request (CSR) and receive a new certificate from your organization's root certificate authority. The specifics of the openssl command vary depending on your operating system:

  • On *nix, run:

openssl req -new -key $SPLUNK_HOME/etc/auth/splunkweb/privkey.pem -out $SPLUNK_HOME/etc/auth/splunkweb/newcert.csr

  • On Windows, run:

openssl.exe req -new -key %SPLUNK_HOME%\etc\auth\splunkweb\privkey.pem -out %SPLUNK_HOME%\etc\auth\splunkweb\newcert.csr

  • You can optionally generate or supply an alternative private key.

2. Copy the certificate received from your CA into $SPLUNK_HOME/etc/auth/splunkweb/newcert.pem.

3. Create or modify the following entry under the [settings] stanza in $SPLUNK_HOME/etc/system/local/web.conf:

caCertPath=etc/auth/splunkweb/newcert.pem

4. Restart Splunk Web:

$SPLUNK_HOME/bin/splunk restart splunkweb

Use genWebCert.py to generate a new private key and create a new self-signed Splunk Web certificate

1. Follow the instructions for creating a new root certificate here.

2. Issue the following commands:

$ cd $SPLUNK_HOME
$ mv ./etc/auth/splunkweb/privkey.pem ./etc/auth/splunkweb/privkey.pem.old
$ mv ./etc/auth/splunkweb/cert.pem ./etc/auth/splunkweb/cert.pem.old
$ ./bin/splunk cmd python ./bin/genWebCert.py
 
Generating a 1024 bit RSA private key
.....++++++
..............++++++
writing new private key to 'privkeySecure.pem'
-----
Signature ok
subject=/CN=example.splunk.com/O=SplunkUser
Getting CA Private Key
writing RSA key

$ ./bin/splunk restart splunkweb

You can also use the above procedure to generate a new self-signed certificate if your self-signed certificate has expired.

Limitations

SSL key passphrases

Splunk Web does not currently support SSL key passphrases.

Firefox 3

If you are using Firefox 3, enabling SSL for a Splunk deployment may result in an "invalid security exception" being displayed in the browser. Refer to this workaround documentation for more information.

For more information

For detailed procedures that illustrate various scenarios for using SSL with Splunk Web, see


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7

