Use SSL (HTTPS) for secure access to Splunk Web
Contents
- Enable HTTPS
- Use Splunk Manager
- Use web.conf
- Set the cipher list
- Change HTTPS certificates
- Examples
- Use a third-party certificate for Splunk Web
- Use genWebCert.py to generate a new private key and create a new self-signed Splunk Web certificate
- Limitations
- SSL key passphrases
- Firefox 3
- For more information
This topic explains how to enable SSL (HTTPS) for communication between the browser and Splunk Web. Splunk Web can listen on HTTPS or HTTP, but not both.
You can also use SSL for intra-Splunk communication over the management port and forwarder to receiver communication.
Enable HTTPS
You can configure SSL through Splunk Manager or web.conf.
Use Splunk Manager
To enable HTTPS through Splunk Manager:
1. Navigate to Manager > System settings > General Settings.
2. Go to the Enable SSL (HTTPS) in Splunk Web setting and select the Yes radio button.
3. Restart Splunk Web, as described in "Start Splunk".
4. You must now prepend "https://" to the URL you use to access Splunk Web.
Use web.conf
You can enable HTTPS through the web.conf configuration file. Edit this file in $SPLUNK_HOME/etc/system/local/ or your own custom application directory in $SPLUNK_HOME/etc/apps/. For information on configuration files in general, see how configuration files work.
To enable HTTPS through web.conf:
1. Set the enableSplunkWebSSL attribute to true:
[settings]
httpport = <https port number>
enableSplunkWebSSL = true
2. Restart Splunk Web, as described in "Start Splunk".
3. You must now prepend "https://" to the URL you use to access Splunk Web.
Set the cipher list
You can set the cipher list for Splunk Web with the cipherSuite attribute in web.conf. If you don't set the list explicitly, Splunk Web uses the default cipher string provided by OpenSSL.
For example:
[settings]
httpport = 8123
mgmtHostPort = 127.0.0.1:8124
cipherSuite = ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:-MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:-EXP:-DES
enableSplunkWebSSL = true
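The following added example (not part of the Splunk documentation or product) reads a [settings] stanza and reports what each prefixed token in cipherSuite does, using the operator meanings documented in the OpenSSL ciphers(1) manual page. The function names are hypothetical, the sample is constructed from the stanza above, and which concrete ciphers a keyword matches depends on the OpenSSL build in use.

```python
import configparser

# Constructed sample: the [settings] stanza from the cipher list example above.
SAMPLE_WEB_CONF = """\
[settings]
httpport = 8123
mgmtHostPort = 127.0.0.1:8124
cipherSuite = ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:-MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:-EXP:-DES
enableSplunkWebSSL = true
"""

# Prefix operators of an OpenSSL cipher string, per the ciphers(1) manual page.
ACTIONS = {"!": "exclude", "-": "remove", "+": "reorder"}


def classify_cipher_string(cipher_string):
    """Return [(action, keyword)] for each colon-separated token, in order."""
    result = []
    for token in filter(None, (t.strip() for t in cipher_string.split(":"))):
        action = ACTIONS.get(token[0], "add")  # no prefix means "add"
        result.append((action, token if action == "add" else token[1:]))
    return result


def audit_web_conf(text):
    """Check the [settings] attributes this topic configures; return findings."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep attribute case (enableSplunkWebSSL)
    cp.read_string(text)
    settings = cp["settings"] if cp.has_section("settings") else {}
    findings = []
    if settings.get("enableSplunkWebSSL", "").strip().lower() != "true":
        findings.append("enableSplunkWebSSL is not set to true")
    suite = settings.get("cipherSuite")
    if suite is None:
        findings.append("cipherSuite not set: OpenSSL default cipher string applies")
        return findings
    for action, keyword in classify_cipher_string(suite):
        if action == "remove":
            findings.append(f"-{keyword}: removed, but a later token can re-add it; "
                            f"!{keyword} would exclude it permanently")
        elif action == "reorder":
            findings.append(f"+{keyword}: only moves matching ciphers to the end "
                            "of the list; adds and removes nothing")
    return findings

if __name__ == "__main__":
    for line in audit_web_conf(SAMPLE_WEB_CONF):
        print(line)
```

Keywords such as SSLv3 and TLSv1 in a cipher string select cipher suites, so the +SSLv3 and +TLSv1 tokens change ordering only.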
Change HTTPS certificates
You can change HTTPS certificates in web.conf.
The certificates used for SSL between Splunk Web and the client browser are located in $SPLUNK_HOME/etc/auth/splunkweb.
Important: Splunk STRONGLY recommends that you DO NOT use the default Splunk Web certificate. Using the default Splunk Web certificate does not provide confidential data transmission.
The certificates to use for Splunk Web HTTPS are specified in web.conf under the [settings] stanza:
[settings]
...
privKeyPath = etc/auth/splunkweb/privkey.pem
caCertPath = etc/auth/splunkweb/cert.pem
Once you've made your changes, you must restart Splunk Web, as described in "Start Splunk".
Note: After changing the Splunk Web certificate, users may receive certificate warnings or be prompted by their browser to accept the new certificate.
Examples
Use a third-party certificate for Splunk Web
1. Follow the instructions to generate a new certificate signing request (CSR) and receive a new certificate from your organization's root certificate authority located here. The specifics of the openssl command vary depending on your operating system:
- On *nix, run:
openssl req -new -key $SPLUNK_HOME/etc/auth/splunkweb/privkey.pem -out $SPLUNK_HOME/etc/auth/splunkweb/newcert.csr
- On Windows, run:
openssl.exe req -new -key %SPLUNK_HOME%\etc\auth\splunkweb\privkey.pem -out %SPLUNK_HOME%\etc\auth\splunkweb\newcert.csr
- You can optionally generate or supply an alternative private key.
2. Copy the certificate received from your CA into $SPLUNK_HOME/etc/auth/splunkweb/newcert.pem.
3. Create or modify the following entry under the [settings] stanza in $SPLUNK_HOME/etc/system/local/web.conf:
caCertPath=etc/auth/splunkweb/newcert.pem
4. Restart Splunk Web:
$SPLUNK_HOME/bin/splunk restart splunkweb
Use genWebCert.py to generate a new private key and create a new self-signed Splunk Web certificate
1. Follow the instructions for creating a new root certificate here.
2. Issue the following commands:
$ cd $SPLUNK_HOME
$ mv ./etc/auth/splunkweb/privkey.pem ./etc/auth/splunkweb/privkey.pem.old
$ mv ./etc/auth/splunkweb/cert.pem ./etc/auth/splunkweb/cert.pem.old
$ ./bin/splunk cmd python ./bin/genWebCert.py
Generating a 1024 bit RSA private key
.....++++++
..............++++++
writing new private key to 'privkeySecure.pem'
-----
Signature ok
subject=/CN=example.splunk.com/O=SplunkUser
Getting CA Private Key
writing RSA key
$ ./bin/splunk restart splunkweb
You can also use the above procedure to generate a new self-signed certificate if your self-signed certificate has expired.
Limitations
SSL key passphrases
Splunk Web does not currently support SSL key passphrases.
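A pre-flight check for the certificate procedures and the passphrase limitation above, as an added example that is not Splunk's own code: it confirms that the files named by privKeyPath and caCertPath exist, that the key is not passphrase-protected, and that OpenSSL accepts the certificate and key as a matching pair. The function names are hypothetical and the sample header is constructed; run it with any Python 3 interpreter before restarting Splunk Web.

```python
import os
import ssl

# Constructed sample: header lines of a passphrase-protected key, no key material.
CONSTRUCTED_ENCRYPTED_KEY_HEADER = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
)


def key_is_encrypted(pem_text):
    """True if a PEM private key is passphrase-protected (either PEM style)."""
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text  # PKCS#8 form
            or "Proc-Type: 4,ENCRYPTED" in pem_text)             # traditional form


def preflight(splunk_home, priv_key_path, ca_cert_path):
    """Check a privKeyPath/caCertPath pair; return a list of problems.

    Paths are given as in web.conf, relative to splunk_home.
    """
    key = os.path.join(splunk_home, priv_key_path)
    cert = os.path.join(splunk_home, ca_cert_path)
    for path in (key, cert):
        if not os.path.isfile(path):
            return [f"missing file: {path}"]
    with open(key, encoding="ascii", errors="replace") as fh:
        if key_is_encrypted(fh.read()):
            return ["private key has a passphrase; Splunk Web does not support this"]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # OpenSSL parses both files and verifies the key belongs to the certificate.
        ctx.load_cert_chain(certfile=cert, keyfile=key)
    except ssl.SSLError as exc:
        return [f"certificate and private key do not load as a pair: {exc}"]
    return []


if __name__ == "__main__":
    home = os.environ.get("SPLUNK_HOME", ".")
    print(preflight(home, "etc/auth/splunkweb/privkey.pem",
                    "etc/auth/splunkweb/newcert.pem") or "ok")
```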
Firefox 3
If you are using Firefox 3, enabling SSL for a Splunk deployment may result in an "invalid security exception" being displayed in the browser. Refer to this workaround documentation for more information.
For more information
For detailed procedures that illustrate various scenarios for using SSL with Splunk Web, see
- Configuring SplunkWeb to use the default SSL certificates that ship with Splunk
- Configuring SplunkWeb to use an SSL certificate self-signed by a newly generated root certificate
- Configuring SplunkWeb to use an SSL certificate signed by a third party Certificate Authority
This documentation applies to the following versions of Splunk: 4.3, 4.3.1, 4.3.2