Splunk® Enterprise

Securing Splunk Enterprise

Download manual as PDF

Download topic as PDF

Secure Splunk Web with your own certificate

This example assumes that you have already generated self-signed certificates or purchased third-party certificates. If you have not done this and are unsure how to proceed, we've provided some simple examples:

Before you begin: make sure your certificate and key are available from your folder. In this example we are using $SPLUNK_HOME/etc/auth/mycerts/:

  • $SPLUNK_HOME/etc/auth/mycerts/mySplunkWebCertificate.pem
  • $SPLUNK_HOME/etc/auth/mycerts/mySplunkWebPrivateKey.key

Configure Splunk Web to use the key and certificate files

1. In $SPLUNK_HOME/etc/system/local/web.conf (or any other applicable location, if you are using a deployment server), make the following changes to the [settings] stanza:

The following is an example of an edited settings stanza:

[settings]
enableSplunkWebSSL = true
privKeyPath = </home/etc/auth/mycerts/mySplunkWebPrivateKey.key > 
Absolute paths may be used. non-absolute paths are relative to $SPLUNK_HOME

serverCert = </home/etc/auth/mycerts/mySplunkWebCertificate.pem > 
Absolute paths may be used. non-absolute paths are relative to $SPLUNK_HOME

2. Restart Splunk:

# $SPLUNK_HOME/bin/splunk restart splunk
PREVIOUS
Turn on encryption (https) using web.conf
  NEXT
Troubleshoot your Splunk Web authentication

This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0


Comments

@Cpierce26: That's the default setting inside of $SPLUNK_HOME/etc/system/default/web.conf - so if the server does not come up again, there's maybe some other web.conf overwriting this default. In this case it's better to just remove this second setting to leave your configuration as clean as possible. Use "splunk btool web list --debug | grep httpport" to check where that overwriting takes place.

Rvany
July 20, 2018

Incomplete documentation. There are a few things missing here regarding the configuration of the web.conf file.

If you are swapping over from self signed certificates, and currently on the default ssl/port settings, keep in mind when you swap over to the new certificates a new line has to be added into the configuration.

That line is-

httpport = 8000 (you can also change this another port if you want.)

Otherwise, you'll get stuck when you restart splunk at "Attempting to establish connection at 127.0.0.1 at port 8000."

Just a heads up for someone who dug through their .conf webinars to find an answer.

Cpierce26
March 13, 2018

The first step, copying the certs confuses me. It says that I should copy the certs to my own repo, /etc/auth/mycerts, which makes sense since web.conf references that path, but the code examples copies the .pem-files to /splunkweb from /mycerts. Why is this needed when not used in the config on web.conf?

Rune.hellem
February 5, 2018

If you get an error about 'Invalid key in stanza [settings] ... serverCert', try replacing 'serverCert' with 'caCertPath', which is what this config key was called in earlier versions of Splunk.

Alexchapman
October 16, 2017

After making these changes when I restart splunk I get the message:
Invalid key in stanza [settings] in /opt/splunk/etc/system/local/web.conf, line 4: serverCert (value: etc/auth/splunkweb/server.pem).

Erictreesh
May 2, 2017

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters