Related Answers
Download topic as PDF
Secure Splunk Web with your own certificate
This example assumes that you have already generated self-signed certificates or purchased third-party certificates. If you have not done this and are unsure how to proceed, we've provided some simple examples:
Note: Splunk Web does not currently support password-protected private keys. You should remove the password from your key before configuring Splunk Web for the certificate.
Before you begin: Copy your certificates to a new folder
Copy the server certificate to $SPLUNK_HOME/etc/auth/splunkweb or to your own certificate repository in $SPLUNK_HOME/etc/auth.
In the following example our web certificate is called mySplunkWebCertificate.pem and our private key is called mySplunkWebPrivateKey.key:
*nix:
Windows:
copy $SPLUNK_HOME\etc\auth\mycerts\mySplunkWebCertificate.pem $SPLUNK_HOME\etc\auth\splunkweb\ copy $SPLUNK_HOME\etc\auth\mycerts\mySplunkWebPrivateKey.key $SPLUNK_HOME\etc\auth\splunkweb\
Note: Do not overwrite or delete the existing certificates located in $SPLUNK_HOME/etc/auth/splunkweb/. The certificates at this location are automatically generated upon startup, meaning that any changes you make will be overwritten at startup. Instead, in the next steps, we will rewrite the relevant configuration file to point to your new certificate location.
Configure Splunk Web to use the key and certificate files
Note: Splunk Web does not support passwords for private keys, so you must remove the password from the key before using the key to secure Splunk Web.
1. In $SPLUNK_HOME/etc/system/local/web.conf (or any other applicable location, if you are using a deployment server), make the following changes to the [settings] stanza:
The following is an example of an edited settings stanza:
[settings] enableSplunkWebSSL = true privKeyPath = </home/user/certs/myprivatekey.pem> Absolute paths may be used. non-absolute paths are relative to $SPLUNK_HOME caCertPath = </home/user/certs/mycacert.pem. Absolute paths may be used. non-absolute paths are relative to $SPLUNK_HOME
2. Restart Splunk Web:
|
PREVIOUS Turn on encryption (https) using web.conf |
NEXT Troubleshoot your Splunk Web authentication |
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11
Comments
This is still out of date and doesn't reflect the web.conf spec - serverCert should be caCertPath instead.
Thanks BlaneT,
I've updated this topic to match web.conf.
Cheers,
Jen
The serverCert attribute was deprecated at somepoint and replaced by caCertPath. This caused an invalid stanza setting error and preventing https from functioning. The web.conf doc is correct, but that information should be updated here as well.
Hi Blaine,
For 6.5 it has changed:
caCertPath = <path>
* DEPRECATED; use 'serverCert' instead.
I mistakenly understood the change also applied to 6.4.3 as well. Will update accordingly, thanks for the head's up.