Use SSL (HTTPS) for secure access to Splunk Web
This topic explains how to enable SSL (HTTPS) for browser to Splunk Web communication. Splunk can listen on HTTPS or HTTP, but not both.
You can also use SSL for intra-Splunk communication over the management port and forwarder to receiver communication.
You can configure SSL through Splunk Manager or web.conf.
Use Splunk Manager
To enable HTTPS through Splunk Manager:
1. Navigate to Manager > System settings > General Settings.
2. Go to the Enable SSL (HTTPS) in Splunk Web setting and select the Yes radio button.
3. Restart Splunk Web, as described in "Start Splunk".
4. You must now prepend "https://" to the URL you use to access Splunk Web.
You can enable HTTPS through the web.conf configuration file. Edit this file in $SPLUNK_HOME/etc/system/local/ or your own custom application directory in $SPLUNK_HOME/etc/apps/. For information on configuration files in general, see how configuration files work.
To enable HTTPS through web.conf:
1. Set the enableSplunkWebSSL attribute to true:
[settings]
httpport = <https port number>
enableSplunkWebSSL = true
2. Restart Splunk Web, as described in "Start Splunk".
3. You must now prepend "https://" to the URL you use to access Splunk Web.
Set the cipher list
You can set the cipher list for Splunk Web with the cipherSuite attribute in web.conf. If you don't set the list explicitly, Splunk Web uses the default cipher string provided by OpenSSL.
[settings]
httpport = 8123
mgmtHostPort = 127.0.0.1:8124
cipherSuite = ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:-MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:-EXP:-DES
enableSplunkWebSSL = true
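How OpenSSL reads the rule prefixes in a cipherSuite string like the one above, shown as an added example that is not Splunk's or OpenSSL's code. It is a simplified model of the documented "!", "-", "+" and no-prefix operators, run over a small constructed suite table whose names and tags are assumptions for illustration.

```python
# Simplified model of OpenSSL cipher-string rule operators (added example).
# SUITES is a constructed toy table; real OpenSSL knows many more suites and tags.
SUITES = {
    "AES256-SHA":     {"RSA", "AES", "HIGH", "SSLv3"},
    "RC4-SHA":        {"RSA", "RC4", "MEDIUM", "SSLv3"},
    "DES-CBC-SHA":    {"RSA", "DES", "LOW", "SSLv3"},
    "EXP-RC4-MD5":    {"RSA", "RC4", "EXP", "SSLv3"},
    "ADH-AES256-SHA": {"ADH", "AES", "HIGH", "SSLv3"},
    "DES-CBC3-MD5":   {"RSA", "3DES", "HIGH", "SSLv2"},
}

def matches(name, rule):
    """A rule such as RC4+RSA matches suites carrying every '+'-joined tag."""
    return all(tag == "ALL" or tag in SUITES[name] for tag in rule.split("+"))

def evaluate(cipher_string):
    """Apply each ':'-separated rule in order; return (enabled list, trace)."""
    enabled, killed, trace = [], set(), []
    for token in filter(None, cipher_string.split(":")):
        op = token[0] if token[0] in "!-+" else ""
        hits = [n for n in SUITES if matches(n, token[len(op):])]
        if op == "!":      # permanent delete: can never be re-added later
            killed.update(hits)
            enabled = [n for n in enabled if n not in hits]
        elif op == "-":    # delete, but a later rule may add it back
            enabled = [n for n in enabled if n not in hits]
        elif op == "+":    # reorder only: move already-enabled matches to the end
            moved = [n for n in enabled if n in hits]
            enabled = [n for n in enabled if n not in hits] + moved
        else:              # no prefix: append matches that are not yet present
            enabled += [n for n in hits if n not in enabled and n not in killed]
        trace.append((token, list(enabled)))
    return enabled, trace

# The cipherSuite value from the web.conf example on this page.
PAGE_STRING = ("ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:-MEDIUM:-LOW:"
               "+SSLv3:+TLSv1:-SSLv2:-EXP:-DES")

if __name__ == "__main__":
    final, trace = evaluate(PAGE_STRING)
    for token, state in trace:
        print(f"{token:10} -> {state}")
    print("enabled:", final)
```

On this toy table the page's string leaves only AES256-SHA enabled: RC4+RSA adds nothing after ALL, +HIGH only reorders, and the later -MEDIUM and -EXP rules remove the RC4 suites.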
Change HTTPS certificates
You can change HTTPS certificates in
The certificates used for SSL between Splunk Web and the client browser are located in
Important: Splunk STRONGLY recommends that you DO NOT use the default Splunk Web certificate. Use of the default Splunk Web certificate will not result in confidential data transmission.
The certificates to use for Splunk Web HTTPS are specified in web.conf under the [settings] stanza:
[settings]
...
privKeyPath = etc/auth/splunkweb/privkey.pem
caCertPath = etc/auth/splunkweb/cert.pem
Once you've made your changes, you must restart Splunk Web, as described in "Start Splunk".
Note: After changing the Splunk Web certificate, users may receive certificate warnings or be prompted by their browser to accept the new certificate.
Important note about the caCertPath attribute
When you use the caCertPath attribute to specify a new default certificate, make sure that the certificate file you specify:
- Contains at least a server SSL certificate and a certificate authority (CA) certificate.
- Contains multiple certificates in the proper sequence:
  - The server's SSL certificate.
  - Any intermediate certificates, if required.
  - The root certificate, if required.
- Uses absolute paths to certificate files, for best results. While you can use relative paths, those paths are relative to $SPLUNK_HOME, and you cannot change this setting.
The caCertPath attribute cannot point to a file that contains only a CA certificate, because with only a CA certificate, SSL cannot properly establish a secure connection. If you specify a certificate file that contains only a CA certificate, Splunk Web over HTTPS will not work.
For more information on how to set the caCertPath attribute, read about web.conf in the Admin Manual.
Use a third-party certificate for Splunk Web
1. Follow the instructions to generate a new certificate signing request (CSR) and receive a new certificate from your organization's root certificate authority located here. The specifics of the openssl command vary depending on your operating system:
- On *nix, run:
openssl req -new -key $SPLUNK_HOME/etc/auth/splunkweb/privkey.pem -out $SPLUNK_HOME/etc/auth/splunkweb/newcert.csr
- On Windows, run:
openssl.exe req -new -key $SPLUNK_HOME\etc\auth\splunkweb\privkey.pem -out $SPLUNK_HOME\etc\auth\splunkweb\newcert.csr
- You can optionally generate or supply an alternative private key.
2. Copy the certificate received from your CA into
3. Create or modify the following entry under the [settings] stanza in
4. Restart Splunk Web:
$SPLUNK_HOME/bin/splunk restart splunkweb
Use genWebCert.py to generate a new private key and create a new self-signed Splunk Web certificate
1. Follow the instructions for creating a new root certificate here.
2. Issue the following commands:
$ cd $SPLUNK_HOME
$ mv ./etc/auth/splunkweb/privkey.pem ./etc/auth/splunkweb/privkey.pem.old
$ mv ./etc/auth/splunkweb/cert.pem ./etc/auth/splunkweb/cert.pem.old
$ ./bin/splunk cmd python ./bin/genWebCert.py
Generating a 1024 bit RSA private key
.....++++++
..............++++++
writing new private key to 'privkeySecure.pem'
-----
Signature ok
subject=/CN=example.splunk.com/O=SplunkUser
Getting CA Private Key
writing RSA key
$ ./bin/splunk restart splunkweb
You can also use the above procedure to generate a new self-signed certificate if your self-signed certificate has expired.
SSL key passphrases
Splunk Web does not currently support SSL key passphrases.
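An added example, not part of the Splunk documentation: a Python check of a web.conf [settings] stanza against the rules this page states for enableSplunkWebSSL, the caCertPath file contents, relative paths and key passphrases. The function names, finding messages and sample files are assumptions constructed for the example.

```python
import configparser, re, tempfile
from pathlib import Path

def audit_web_conf(conf_path, splunk_home):
    """Check [settings] in web.conf; PEM blocks are counted, order is not verified."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.optionxform = str                 # keep attribute names case-sensitive
    cp.read(conf_path)
    findings = []
    ssl_on = cp.get("settings", "enableSplunkWebSSL", fallback="") or ""
    if ssl_on.strip().lower() != "true":
        findings.append("enableSplunkWebSSL is not true")
    for key in ("privKeyPath", "caCertPath"):
        value = cp.get("settings", key, fallback=None)
        if not value:
            findings.append(f"{key} is not set in this file")
            continue
        path = Path(value)
        if not path.is_absolute():       # relative paths resolve from $SPLUNK_HOME
            findings.append(f"{key} is a relative path")
            path = Path(splunk_home) / path
        if not path.is_file():
            findings.append(f"{key} file not found")
            continue
        text = path.read_text(errors="replace")
        labels = re.findall(r"-----BEGIN ([A-Z0-9 ]+)-----", text)
        if key == "caCertPath" and labels.count("CERTIFICATE") < 2:
            findings.append("caCertPath holds fewer than 2 certificates")
        if key == "privKeyPath" and ("ENCRYPTED PRIVATE KEY" in labels
                                     or "Proc-Type: 4,ENCRYPTED" in text):
            findings.append("privKeyPath key is passphrase-protected")
    return findings

def demo():
    """Constructed sample: relative paths, a one-cert file, an encrypted key."""
    home = Path(tempfile.mkdtemp())
    auth = home / "etc" / "auth" / "splunkweb"
    auth.mkdir(parents=True)
    pem = "-----BEGIN {0}-----\nAAAA\n-----END {0}-----\n"  # placeholder body
    (auth / "cert.pem").write_text(pem.format("CERTIFICATE"))
    (auth / "privkey.pem").write_text(pem.format("ENCRYPTED PRIVATE KEY"))
    conf = home / "web.conf"
    conf.write_text("[settings]\nenableSplunkWebSSL = true\n"
                    "privKeyPath = etc/auth/splunkweb/privkey.pem\n"
                    "caCertPath = etc/auth/splunkweb/cert.pem\n")
    return audit_web_conf(conf, home)

if __name__ == "__main__":
    print("\n".join(demo()))
```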
If you are using Firefox 3, enabling SSL for a Splunk deployment may result in an "invalid security exception" being displayed in the browser. Refer to this workaround documentation for more information.
For more information
For detailed procedures that illustrate various scenarios for using SSL with Splunk Web, see
What you can secure with Splunk
Use SSL for secure intra-Splunk communication
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7