Splunk® Enterprise

Securing Splunk Enterprise


Configure Splunk forwarding to use your own certificates

This topic describes how to send data from your forwarders to your indexers using your own certificates. These certificates can be self-signed or signed by a third party. The topic covers the following steps:

  • Configure the indexer(s) to use a new signed certificate.
  • Configure the forwarder(s) to use a new signed certificate.

Before you begin, you must procure and prepare your certificates. Make sure your certificates are PEM files in x509 format and that your key is in RSA format. If you need help, we've provided a few simple examples to help you create and prepare your own certificates. See About securing data from forwarders and About securing inter-Splunk communication for more information.

You can also create multiple certificates (signed by the same CA) with different common names and distribute those to your indexers for added security. When given the CA's public key, the forwarder trusts the CA, verifies the certificate it is presented against that CA, and matches the name in the certificate against sslCommonNameToCheck or sslAltNameToCheck.

Configure your indexer to use your certificates

1. Copy your server certificate and CA public certificate into an accessible folder on the indexer(s) you intend to configure. For example: $SPLUNK_HOME/etc/auth/mycerts/

Warning: If you configure inputs.conf or outputs.conf in an app directory, the password is NOT encrypted and the clear-text value remains in the file. For this reason, you may prefer to create different certificates (signed by the same root CA) to use when configuring SSL in app directories.

2. Configure inputs.conf on the indexer(s) to use the new server certificate. In $SPLUNK_HOME/etc/system/local/inputs.conf (or in the appropriate directory of any app you are using to distribute your forwarding configuration), add the following stanzas:

[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = <path> Absolute path to the server certificate. The default certificate can be found at $SPLUNK_HOME/etc/auth/.
password = <password> The certificate password.
rootCA = <path> Full path to the root CA (Certificate Authority) certificate store.
requireClientCert = <true|false> Set to true if you want your indexer to require authentication from the client (which in this case is the forwarder).
sslVersions = (Optional) String of accepted SSL versions. Defaults to the recommended setting of "*,-ssl2", which is anything newer than SSLv2.
cipherSuite = (Optional) Cipher suite string. If not set, the default cipher string is used.
ecdhCurves = <comma-separated list of EC curves> ECDH curves to use for ECDH key negotiation, specified in order of preference.
sslCommonNameToCheck = (Optional) <commonName1>, <commonName2>, ... When populated, Splunk software checks the common name of the client's certificate against this list of names. If there is no match, the Splunk instance is not authenticated. The requireClientCert attribute must be set to true to use this attribute.
sslAltNameToCheck = (Optional) <alternateName1>, <alternateName2>, ... If provided, Splunk software checks the alternate name of the client certificate against this list of names. If there is no match, the Splunk instance is not authenticated. The requireClientCert attribute must be set to true to use this attribute.

Note that when you edit $SPLUNK_HOME/etc/system/local/inputs.conf and then restart Splunk Enterprise, Splunk software encrypts the password and overwrites the clear-text server certificate password that you provided.

3. Restart splunkd.

# $SPLUNK_HOME/bin/splunk restart splunkd

Configure your forwarders to use your certificates

1. Generate a new certificate (for example, client.pem) and copy the new certificate and the CA public certificate (myCACertificate.pem) into an accessible folder on the forwarders you plan to configure. For this example, we are placing them in $SPLUNK_HOME/etc/auth/mycerts/.

Warning: If you configure inputs.conf or outputs.conf in an app directory, the password is NOT encrypted and the clear-text value remains in the file. For this reason, you may prefer to create different certificates (signed by the same root CA) to use when configuring SSL in app directories.

2. Define the [SSL] stanza in $SPLUNK_HOME/etc/system/local/outputs.conf (or in the appropriate directory of any app you are using to distribute your forwarding configuration):

[tcpout:group1]
server = 10.1.1.197:9997
disabled = 0

[tcpout:splunkssl]
sslPassword = <password> The password for the CAcert.
sslCertPath = <path> The path to the client certificate. If specified, this connection must use SSL.
sslCipher = <string> If set, Splunk uses the specified cipher string for the input processors. Otherwise, the default cipher string is used.
ecdhCurves = <comma-separated list of EC curves> A list of the ECDH curves to use for ECDH key negotiation, specified in order of preference.
sslRootCAPath = <path> Full path to the root CA (Certificate Authority) certificate store.
sslVerifyServerCert = <true|false> Must be set to true to use common name checking. Defaults to no common name checking.
tlsHostname = <string> TLS extension that allows sending an identifier with the SSL Client Hello.
sslCommonNameToCheck = (Optional) <commonName1>, <commonName2>, ...
sslAltNameToCheck = (Optional) <alternateName1>, <alternateName2>, ...
useClientSSLCompression = <true|false> Disabling TLS compression can cause bandwidth issues.
cipherSuite = (Optional) Splunk uses any specified cipher string for the input processors. If not set, Splunk uses the default cipher string provided by OpenSSL.
sslVersions = <string> Comma-separated list of SSL versions to support. The available versions are "ssl3", "tls1.0", "tls1.1", and "tls1.2".

3. Restart splunkd.

# $SPLUNK_HOME/bin/splunk restart splunkd

To forward data to more than one indexer

To configure a forwarder to authenticate to multiple indexers, add each HOST:PORT address as a comma-separated list in the server attribute of the target group definition stanza.

The following outputs.conf example uses the same certificate for the indexer and the forwarders:

[tcpout]

[tcpout:group1]
server = 10.1.12.112:9997,10.1.12.111:9999
disabled = 0

[tcpout:splunkssl]
sslPassword = <password> The password for the CAcert.
sslCertPath = <path to the client certificate> Populating this setting forces the connection to use SSL.
sslCipher = <string> If this setting is populated, SSL uses the specified cipher string for the input processors; otherwise, the default cipher string is used.
sslRootCAPath = <path> Full path to the root CA (Certificate Authority) certificate store. The path must refer to a PEM format file containing one or more root CA certificates concatenated together.
sslVerifyServerCert = true When set to true, both the common name and the alternate name of the server are checked for a match.
sslCommonNameToCheck = indexercn.example.org
useClientSSLCompression = <true|false> Defaults to the value of the useClientSSLCompression attribute in server.conf.
sslVersions = <string> Comma-separated list of SSL versions to support.

To forward data to multiple indexers using certificates with different common names

You can create and configure one server certificate for each indexer and have the forwarder check a different name for each one, by giving the forwarder's outputs.conf one server-specific [tcpout-server://HOST:PORT] stanza per indexer.

If you have created one server certificate per indexer and each certificate carries a unique name to be checked by the forwarders through sslCommonNameToCheck or sslAltNameToCheck, you need to configure one [tcpout-server://HOST:PORT] stanza per indexer in outputs.conf. This is what lets you specify which name to check for which indexer.
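The settings above give several conditions that silently weaken the setup if they are combined wrongly: a name check on the indexer does nothing unless requireClientCert is true, a name check on the forwarder does nothing unless sslVerifyServerCert is true, passwords placed in an app directory stay in clear text, and an indexer without its own [tcpout-server://HOST:PORT] stanza is checked against the group-level name. The following pre-flight lint is an added example, not Splunk's own tooling: it parses Splunk-style .conf text and reports those conditions for both the indexer-side inputs.conf [SSL] stanza and the forwarder-side outputs.conf stanzas. The two configs it runs over are constructed samples that put the SSL settings and the server list in the same target-group stanza; the hostnames and passwords in them are placeholders.

```python
"""Pre-flight lint for the TLS settings shown in this topic (added example,
not Splunk tooling). Parses Splunk .conf text and reports name checks that are
never applied, clear-text passwords in app directories, weak sslVersions, and
indexers that fall back to the group-level name check."""
import re

# Constructed sample of an indexer-side inputs.conf
INPUTS_CONF = """\
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
password = constructed-sample-password
rootCA = $SPLUNK_HOME/etc/auth/mycerts/myCACertificate.pem
requireClientCert = false
sslCommonNameToCheck = forwarder.example.org
sslVersions = *,-ssl2
"""

# Constructed sample of a forwarder-side outputs.conf
OUTPUTS_CONF = """\
[tcpout:group1]
server = 10.1.12.112:9997,10.1.12.111:9999
disabled = 0
sslCertPath = $SPLUNK_HOME/etc/auth/mycerts/client.pem
sslPassword = constructed-sample-password
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/myCACertificate.pem
sslCommonNameToCheck = indexercn.example.org
sslVerifyServerCert = false
sslVersions = ssl3,tls1.2

[tcpout-server://10.1.12.112:9997]
sslCommonNameToCheck = indexer-a.example.org
"""

NAME_KEYS = ("sslCommonNameToCheck", "sslAltNameToCheck")


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; keys keep their case."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def is_true(value):
    return str(value).strip().lower() in ("true", "1", "yes")


def check_versions(where, versions):
    """Flag sslVersions strings weaker than the documented default '*,-ssl2'."""
    if not versions:
        return []
    tokens = [t.strip().lower() for t in versions.split(",") if t.strip()]
    enabled = {t for t in tokens if not t.startswith("-")}
    removed = {t[1:] for t in tokens if t.startswith("-")}
    findings = []
    if "*" in enabled and "ssl2" not in removed:
        findings.append(f"{where}: sslVersions '{versions}' is broader than the default '*,-ssl2'")
    findings += [f"{where}: sslVersions explicitly enables {v}" for v in ("ssl2", "ssl3") if v in enabled]
    return findings


def lint_inputs(stanzas, in_app_dir=False):
    """Indexer side: the [SSL] stanza of inputs.conf."""
    ssl = stanzas.get("SSL")
    if not ssl:
        return ["inputs.conf: no [SSL] stanza, so splunktcp-ssl falls back to the default certificate"]
    where = "inputs.conf [SSL]"
    findings = [f"{where}: {k} is not set" for k in ("serverCert", "rootCA") if k not in ssl]
    names = [k for k in NAME_KEYS if k in ssl]
    if names and not is_true(ssl.get("requireClientCert", "false")):
        findings.append(f"{where}: {', '.join(names)} set but requireClientCert is not true, so the client name is never checked")
    if in_app_dir and "password" in ssl:
        findings.append(f"{where}: password in an app directory is stored in clear text")
    return findings + check_versions(where, ssl.get("sslVersions"))


def lint_outputs(stanzas, in_app_dir=False):
    """Forwarder side: [tcpout:<group>] stanzas, with [tcpout-server://HOST:PORT] overrides."""
    per_server = {n[len("tcpout-server://"):] for n in stanzas if n.startswith("tcpout-server://")}
    findings = []
    for name, s in stanzas.items():
        if not name.startswith("tcpout:") or "sslCertPath" not in s:
            continue  # not a TLS target group
        where = f"outputs.conf [{name}]"
        if "sslRootCAPath" not in s:
            findings.append(f"{where}: sslCertPath set but sslRootCAPath is not, so the indexer certificate cannot be verified")
        names = [k for k in NAME_KEYS if k in s]
        if names and not is_true(s.get("sslVerifyServerCert", "false")):
            findings.append(f"{where}: {', '.join(names)} set but sslVerifyServerCert is not true, so no name checking is done")
        if in_app_dir and "sslPassword" in s:
            findings.append(f"{where}: sslPassword in an app directory is stored in clear text")
        findings += check_versions(where, s.get("sslVersions"))
        for host in (h.strip() for h in s.get("server", "").split(",") if h.strip()):
            if names and host not in per_server:
                findings.append(f"{where}: {host} has no [tcpout-server://{host}] stanza and is checked against the group-level name")
    return findings


if __name__ == "__main__":
    # in_app_dir=True models an inputs.conf shipped inside an app directory
    print("\n".join(lint_inputs(parse_conf(INPUTS_CONF), True) + lint_outputs(parse_conf(OUTPUTS_CONF))))
```

Run against real files by reading them into the two strings and passing in_app_dir=True for any copy that lives under $SPLUNK_HOME/etc/apps rather than etc/system/local. The lint only reads the stanzas; it does not inspect the certificate files themselves, so a missing or wrongly formatted PEM still has to be caught separately.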

Next steps

Next, you should check your connection to make sure your configuration works. See Validate your configuration for more information.


This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5


Comments

Hi Mgonter,

In this version of Splunk, sslCertPath = <path> is the path to the client certificate.

Jworthington splunk, Splunker
May 18, 2018

Hi Strive,

sslRootPath was deprecated in 6.4 with instructions to instead set sslPassword in server.conf. However, you are right, sslPassword does not exist in this version of server.conf! I've filed a bug to straighten this out with dev. But for this version, the right thing to do is keep using sslRootPath (it's still a valid setting) and not modify server.conf at all.

For sslKeysfilePassword, that is fine for this use case. If you are simply configuring forwarders to indexers, that value does not affect anything. However, if you perform other configurations that use SSL to communicate with server.conf (for example http://docs.splunk.com/Documentation/Splunk/6.4.0/Security/Securingyourdeploymentserverandclients), you'll need to replace the default value "password" with your own secure password.

Jworthington splunk, Splunker
May 18, 2018

The footer of the document says that it is applicable to versions starting 6.4.0. Please note that in Splunk 6.4.5, there is nothing called sslPassword in server.conf.

Also, splunk by default adds sslKeysfilepassword in /opt/splunk/etc/system/local/server.conf. We are unable to delete that. The moment splunk is restarted, the entry is added.

Looks like this document needs a bit of restructuring.

Strive
April 23, 2018

I want to know if there are performance/resources impact on your forwarders/indexers, when you implement this. thanks

SAICronbuzon
March 7, 2018

Does clientCert need to be added to the example in section 2 of Configure your forwarders to use your certificates?

Mgonter splunk, Splunker
December 5, 2017

I've updated the "useClientSSLCompression" attribute in the topic. thanks for the feedback!

Jworthington splunk, Splunker
August 22, 2017

Hi Jworthington,

useClientSSLCompression is a valid attribute in outputs.conf, but not in inputs.conf.
You may want to review this page again.

Yujietay
August 9, 2017

Followed these instructions and my splunk UF is still trying to use the default splunk cert, presumably because it is using paths from parameters in the default config file? There appears to be a LOT of SSL parameters in the default/server.conf yet according to this doc I only need to set sslRootCAPath in my server.conf?

It also advises to generate a new cert for the forwarder? I have a signed cert bundle from a 3rd party which I have installed on the indexer, how do I create a new cert?

Any help is appreciated.

Samhodgson
July 6, 2017

useClientSSLCompression is a valid attribute in Outputs.conf.

It defaults to whatever value is set in server.conf, so in most cases it does not need to be modified (though you may want to check and see what the setting default is).

This setting is used to improve performance, setting it to false will affect performance but will not cause an SSL connection to fail.

Jworthington splunk, Splunker
June 28, 2017

Hi all,

This post doesn't tell me the following:

1. Is the stanza incorrect? If so is there a correct one? Or should it just be deleted?
2. If left in will it cause the SSL config to fail?
3. If it shouldn't be there does it mean that compression is defaulted to true?

Thanks,

Tom

TWiseOne
May 25, 2017

Hi Yujietay,

Thanks for the feedback, I'll look into this attribute with one of our developers and update the docs as needed.

Heya, Landen99,

I agree, some more detail about how best to use each attribute would be really helpful. I'll slip it into a future doc plan. Thanks for the tip!

Cheers,
Jen

Jworthington splunk, Splunker
February 27, 2017

In "Configure your indexer to use your certificates", there is an invalid stanza in [SSL]
useClientSSLCompression = true

Yujietay
February 21, 2017

Please explain the configurable portions of these conf files in more detail.

Landen99
October 14, 2016
