Splunk® Enterprise

Securing Splunk Enterprise

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Secure Splunk Web with your own certificate

This example assumes that you have already generated self-signed certificates or purchased third-party certificates. If you have not done this and are unsure how to proceed, we've provided some simple examples:

Note: Splunk Web does not currently support password-protected private keys. You should remove the password from your key before configuring Splunk Web for the certificate.

Before you begin: Copy your certificates to a new folder

Copy the server certificate to $SPLUNK_HOME/etc/auth/splunkweb or to your own certificate repository in $SPLUNK_HOME/etc/auth.

In the following example our web certificate is called mySplunkWebCertificate.pem and our private key is called mySplunkWebPrivateKey.key:

*nix:

# cp $SPLUNK_HOME/etc/auth/mycerts/mySplunkWebCertificate.pem $SPLUNK_HOME/etc/auth/mycerts/mySplunkWebPrivateKey.key $SPLUNK_HOME/etc/auth/splunkweb

Windows:

copy $SPLUNK_HOME\etc\auth\mycerts\mySplunkWebCertificate.pem $SPLUNK_HOME\etc\auth\splunkweb\

copy $SPLUNK_HOME\etc\auth\mycerts\mySplunkWebPrivateKey.key $SPLUNK_HOME\etc\auth\splunkweb\

Note: Do not overwrite or delete the existing certificates located in $SPLUNK_HOME/etc/auth/splunkweb/. The certificates at this location are automatically generated upon startup, meaning that any changes you make will be overwritten at startup. Instead, in the next steps, we will rewrite the relevant configuration file to point to your new certificate location.

Configure Splunk Web to use the key and certificate files

Note: Splunk Web does not support passwords for private keys, so you must remove the password from the key before using the key to secure Splunk Web.

1. In $SPLUNK_HOME/etc/system/local/web.conf (or any other applicable location, if you are using a deployment server), make the following changes to the [settings] stanza:

The following is an example of an edited settings stanza:

[settings]
enableSplunkWebSSL = true
privKeyPath = </home/user/certs/myprivatekey.pem> Absolute paths may be used. non-absolute paths are relative to $SPLUNK_HOME
caCertPath = </home/user/certs/mycacert.pem. Absolute paths may be used. non-absolute paths are relative to $SPLUNK_HOME

2. Restart Splunk Web:

# $SPLUNK_HOME/bin/splunk restart splunkweb
PREVIOUS
Turn on encryption (https) using web.conf
  NEXT
Troubleshoot your Splunk Web authentication

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9


Comments

Hi Blaine,

For 6.5 it has changed:

caCertPath = <path>
* DEPRECATED; use 'serverCert' instead.

I mistakenly understood the change also applied to 6.4.3 as well. Will update accordingly, thanks for the head's up.

Jworthington splunk, Splunker
October 4, 2016

This is still out of date and doesn't reflect the web.conf spec - serverCert should be caCertPath instead.

LiamStevenson
September 30, 2016

Thanks BlaneT,

I've updated this topic to match web.conf.

Cheers,
Jen

Jworthington splunk, Splunker
June 14, 2016

The serverCert attribute was deprecated at somepoint and replaced by caCertPath. This caused an invalid stanza setting error and preventing https from functioning. The web.conf doc is correct, but that information should be updated here as well.

BlaineT
June 13, 2016

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters