Splunk® IT Service Intelligence

Install and Upgrade Manual

Install ITSI in a FIPS enabled environment

IT Service Intelligence can be deployed in a Federal Information Processing Standard (FIPS) compliant mode. Splunk Enterprise and the universal forwarder use an embedded cryptographic FIPS module on various operating systems.

Security considerations for turning on FIPS mode

When you turn on FIPS mode, note the following:

  • Do not consider turning on FIPS mode on Splunk Enterprise as the only security enhancement. FIPS mode is one of several strategies you can employ to improve security for Splunk software.
  • You must turn on FIPS mode before you start Splunk Enterprise the first time. FIPS mode is active only when you activate it on a machine that runs a FIPS-compliant operating system kernel that has FIPS mode turned on. If you run Splunk Enterprise on a Linux machine that that is already in FIPS mode, Splunk Enterprise automatically turns on FIPS mode.
  • Turning on FIPS mode can potentially reduce Splunk Enterprise performance.
  • The FIPS module turns off the use of some cryptographic algorithms in Python that Splunk uses to run apps (for example, Message Digest 5 and Rivest Cipher 4).
  • Any Splunk apps that you want to run on a FIPS environment must be certified to run in FIPS mode and cannot have dependencies on algorithms like MD5 or RC4.

Enable FIPS mode on operating system

In ITSI, the Rules Engine and Metrics Anomaly Detection have an external Java process component. In order to meet security requirements, activate FIPS on both the operating system as well as on your Splunk platform. To activate FIPS for your OS/kernel, please refer to the official documentation provided by your operating system vendor.

Compatibility Matrix

If you need to adhere to the FIPS standard, you must prepare your environment for FIPS compliance before deploying ITSI.

Java Build CentOS 7 CentOS 8 Windows Server 2019 Windows Server 2022
OracleJDK 8 ✔️ ✔️ ✔️ ✔️
OracleJDK 11 ✔️ ✔️ ✔️ ✔️
OpenJDK 8 ✔️ ✔️ ✔️ ✔️
OpenJKD 11 ✔️ ✔️ ✔️ ✔️

OpenJDK builds shipped by default with CentOS 8 (including RedHat) don't work in a FIPS environment due to compatibility issues with FIPS. We recommend using OracleJDK for CentOS 8, or use the OpenJDK build available from Eclipse Adoptium platform or the Java JDK Archive. For more information, see Download Oracle JDK.

Download Oracle JDK

OracleJDK builds are available on the official Oracle website. Install the build and set the system variable JAVA_HOME to point to the build installation directory. Note: The link to the Oracle site is a general download link. From the download page, locate one of the OracleJDK supported versions.

Download OpenJDK

OpenJDK for CentOS 7

  • OpenJDK 8 for CentOS 7 can be installed using the command:
sudo yum install java-1.8.0-openjdk
  • OpenJDK 11 for CentOS 7 can be installed using the command:
sudo yum install java-11-openjdk


OpenJDK for CentOS 8

OpenJDK for Windows

Turn on FIPS mode in Splunk Enterprise

After FIPS is activated on the operating system level, turn on FIPS mode in Splunk upon initial Splunk software installation. If you install the software without FIPS mode turned on, you cannot turn on FIPS during an upgrade later, and must either reinstall, or install a new version. Follow the steps in Secure Splunk Enterprise with FIPS to turn on FIPS mode in Splunk Enterprise.

Verify that Rules Engine is running

  1. Log in to Splunk Enterprise.
  2. Install ITSI. For more information, see:
  3. Navigate to ITSI > Dashboards > Event Analytics Monitoring.
  4. Check that Number of Rules Engine Processes value is 1.

Troubleshooting

Rules Engine processes are 0

Check if Java Version is detected in the dashboard Event Analytics Monitoring. If no Java Version is detected then the system variable JAVA_HOME might have been set incorrectly. Set the system variable to the path which points to the desired Java build directory and then restart the realtime search itsi_event_grouping by disabling it and then enabling it again.

Last modified on 23 April, 2024
Install Splunk IT Service Intelligence on a single instance   Where to install IT Service Intelligence in a distributed environment

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0, 4.19.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters