On October 30, 2022, all 1.2.x versions of the Splunk Data Stream Processor will reach their end-of-support date. See the Splunk Software Support Policy for details.
Secure the DSP cluster with SSL/TLS certificates
DSP exposes four external network ports: 30000 for the DSP UI, 30002 for Authentication and Login, 31000 for the API Services, and 30001 for the Forwarders Service. By default, DSP uses self-signed certificates to connect to these services. For security reasons, you may want to use your own SSL/TLS certificate instead. To configure SSL/TLS certificates for these DSP services, set the following properties. The following instructions assume that you already have an SSL/TLS key and certificate to use. See Generate a client certificate for the DSP Forwarders service for more information about generating an SSL/TLS certificate for DSP.
Prerequisites
- A valid SSL/TLS certificate and key.
- The certificate's CN (common name) or SAN (Subject Alt Name) must include the "DSP_HOST" name specified during installation. You can verify this name by running the following command in the working directory.
./get-config K8S_DSP_API_DOMAIN
- The key must be unencrypted. DSP does not support keys that are encrypted with a pass phrase.
- You have system administrator (root) permissions. If you do not have root permissions, you can use the sudo command.
You can use one SSL/TLS certificate for the DSP UI services (DSP UI, Authentication, API Services) and a separate SSL/TLS certificate for the Forwarders Service, but these instructions assume that you want to use the same certificate for all services.
Steps
- DSP expects certificates to be base64-encoded. From a node in your deployment cluster, type the following.
base64 -w0 < tls.pem > tls.pem.b64
base64 -w0 < tls.key > tls.key.b64
- Press enter, and then type the following to replace the DSP UI - 30000, Auth - 30002, and API - 31000 certs.
./set-secret K8S_NGINX_CERTIFICATE_PEM_ENCODED $(< tls.pem.b64)
./set-secret K8S_NGINX_CERTIFICATE_KEY_ENCODED $(< tls.key.b64)
- (Optional) You can also replace the DSP Forwarders Service - 30001 cert.
./set-secret K8S_NILE_S2S_CERTIFICATE_ENCODED $(< tls.pem.b64)
./set-secret K8S_NILE_S2S_PRIVATE_KEY_ENCODED $(< tls.key.b64)
- After setting the configurations, deploy your changes.
./deploy
Verify that the new certificates are in use by navigating to the DSP UI in your browser and inspecting the certificate it presents.
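A pre-flight script for the prerequisites and the encoding step above, added here as an example and not part of Splunk DSP. It assumes GNU base64 (for -w0) and openssl are on PATH, and that the DSP_HOST value from ./get-config K8S_DSP_API_DOMAIN is passed as the third argument.

```shell
#!/bin/sh
# Pre-flight checks for the certificate/key pair before running ./set-secret.
# Added example, not part of Splunk DSP. Assumes GNU base64 (for -w0) and
# openssl on PATH; DSP_HOST is passed in from ./get-config K8S_DSP_API_DOMAIN.

# Returns 0 if the PEM key has no pass phrase (DSP does not support encrypted keys).
key_is_unencrypted() {            # $1 = tls.key
    grep -q 'PRIVATE KEY' "$1" || return 1    # not a PEM private key at all
    # PKCS#8 encrypted keys are labelled ENCRYPTED PRIVATE KEY; legacy PEM uses Proc-Type.
    ! grep -q -e 'ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# Returns 0 if the certificate's CN or one of its DNS SANs equals DSP_HOST.
cert_covers_host() {              # $1 = tls.pem, $2 = DSP_HOST
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,lname |
         awk -F= '$1 ~ /commonName/ {print $2}')
    sans=$(openssl x509 -in "$1" -noout -text |
           grep -A1 'Subject Alternative Name' |
           grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://')
    [ "$cn" = "$2" ] && return 0
    echo "$sans" | grep -qx -- "$2"
}

# Returns 0 if the private key belongs to the certificate (same public key).
key_matches_cert() {              # $1 = tls.pem, $2 = tls.key
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Base64-encodes without line wrapping (what ./set-secret expects) and confirms
# the output is non-empty and contains no newline.
encode_single_line() {            # $1 = input file, $2 = output .b64 file
    base64 -w0 < "$1" > "$2" || return 1
    [ -s "$2" ] && [ "$(wc -l < "$2")" -eq 0 ]
}

# Runs every check in order; reports the first failure on stderr.
precheck() {                      # $1 = tls.pem, $2 = tls.key, $3 = DSP_HOST
    key_is_unencrypted "$2" || { echo "key is encrypted or not PEM" >&2; return 1; }
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    cert_covers_host "$1" "$3" || { echo "certificate CN/SAN does not include $3" >&2; return 1; }
    encode_single_line "$1" "$1.b64" && encode_single_line "$2" "$2.b64"
}

# Usage: sh precheck.sh tls.pem tls.key "$(./get-config K8S_DSP_API_DOMAIN)"
if [ $# -eq 3 ]; then precheck "$@"; fi
```

On success it leaves tls.pem.b64 and tls.key.b64 beside the inputs, ready for the ./set-secret commands above.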
Cipher suites
The DSP Forwarders Service supports the following cipher suites.
TLS 1.2 cipher suites
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS 1.3 cipher suites
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0, 1.2.1-patch02, 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5, 1.3.0, 1.3.1