Splunk® Data Stream Processor

Install and administer the Data Stream Processor

On April 3, 2023, Splunk Data Stream Processor will reach its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor. For documentation on the most recent version, go to the latest release.

Secure the DSP cluster with SSL/TLS certificates

DSP exposes four external network ports: 30000 for the DSP UI, 30002 for Authentication and Login, 31000 for the API Services, and 30001 for the Forwarders Service. By default, DSP uses self-signed certificates to connect to these services. For security reasons, you may want to use your own SSL/TLS certificate instead. To configure SSL/TLS certificates for these DSP services, set the following properties. The following instructions assume that you already have a SSL/TLS key and certificate to use.

Prerequisites

  • A valid SSL/TLS certificate and key. The certificate's CN (common name) or SAN (Subject Alt Name) must include the "DSP_HOST" name specified during installation. You can verify this name by running ./get-config K8S_DSP_API_DOMAIN in the working directory.
  • You have system administrator (root) permissions. If you do not have root permissions, you can use the sudo command.

You can use one SSL/TLS certificate for the DSP UI services (DSP UI, Authentication, API Services) and a separate SSL/TLS certificate for the Forwarders Service, but these instructions assume that you want to use the same certificate for all services.

Steps

  1. DSP expects certificates to be base64-encoded. From a node in your deployment cluster, type the following. 
    base64 -w0 < tls.pem > tls.pem.b64
base64 -w0 < tls.key > tls.key.b64
  2. Press enter, and then type the following to replace the DSP UI - 30000, Auth - 30002, and API - 31000 certs. 
    ./set-secret K8S_NGINX_CERTIFICATE_PEM_ENCODED $(< tls.pem.b64)
./set-secret K8S_NGINX_CERTIFICATE_KEY_ENCODED $(< tls.key.b64)
  3. (Optional) You can also replace the DSP Forwarders Service - 30001 cert. 
    ./set-secret K8S_NILE_S2S_CERTIFICATE_ENCODED $( < tls.pem.b64)
./set-secret K8S_NILE_S2S_PRIVATE_KEY_ENCODED $( < tls.key.b64)
  4. After setting the configurations, deploy your changes. 
    ./deploy
  5. After deploying, you'll need to manually restart the DSP pods for your new certificate to be used. 
    kubectl rollout restart deployment -n dsp uaa-reverse-proxy dsp-reverse-proxy gateway-reverse-proxy ingest-s2s
  6. (Optional) Confirm that these pods have been restarted and rolled out successfully. 
    for deployment in uaa-reverse-proxy dsp-reverse-proxy gateway-reverse-proxy ingest-s2s; do kubectl -n dsp rollout status deployment $deployment; done

deployment "uaa-reverse-proxy" successfully rolled out
deployment "dsp-reverse-proxy" successfully rolled out
deployment "gateway-reverse-proxy" successfully rolled out
deployment "ingest-s2s" successfully rolled out
  7. Verify that your certificates are being used by navigating to the DSP UI in your browser and confirming that the new certificates are being used.
Last modified on 15 October, 2020
Uninstall the Splunk Data Stream Processor   Configure the Data Stream Processor to send data to a self-signed Splunk instance

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters