Splunk® Enterprise

Securing Splunk Enterprise

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Secure Splunk Web with your own certificate

This example assumes that you have already generated self-signed certificates or purchased third-party certificates. If you have not done this and are unsure how to proceed, we've provided some simple examples:

Note: Splunk Web does not currently support password-protected private keys. You should remove the password from your key before configuring Splunk Web for the certificate.

Before you begin: Copy your certificates to a new folder

Copy the server certificate to $SPLUNK_HOME/etc/auth/splunkweb or to your own certificate repository in $SPLUNK_HOME/etc/auth.

In the following example our web certificate is called mySplunkWebCertificate.pem and our private key is called mySplunkWebPrivateKey.key:

*nix:

# cp $SPLUNK_HOME/etc/auth/mycerts/mySplunkWebCertificate.pem $SPLUNK_HOME/etc/auth/mycerts/mySplunkWebPrivateKey.key $SPLUNK_HOME/etc/auth/splunkweb

Windows: 

copy $SPLUNK_HOME\etc\auth\mycerts\mySplunkWebCertificate.pem $SPLUNK_HOME\etc\auth\splunkweb\

copy $SPLUNK_HOME\etc\auth\mycerts\mySplunkWebPrivateKey.key $SPLUNK_HOME\etc\auth\splunkweb\

Note: Do not overwrite or delete the existing certificates located in $SPLUNK_HOME/etc/auth/splunkweb/. The certificates at this location are automatically generated upon startup, meaning that any changes you make will be overwritten at startup. Instead, in the next steps, we will rewrite the relevant configuration file to point to your new certificate location.

Configure Splunk Web to use the key and certificate files

Note: Splunk Web does not support passwords for private keys, so you must remove the password from the key before using the key to secure Splunk Web.

1. In $SPLUNK_HOME/etc/system/local/web.conf (or any other applicable location, if you are using a deployment server), make the following changes to the [settings] stanza:

The following is an example of an edited settings stanza: 

[settings]
enableSplunkWebSSL = true
privKeyPath = </home/user/certs/myprivatekey.pem> Absolute paths may be used. non-absolute paths are relative to $SPLUNK_HOME
caCertPath = </home/user/certs/mycacert.pem. Absolute paths may be used. non-absolute paths are relative to $SPLUNK_HOME

2. Restart Splunk Web:

# $SPLUNK_HOME/bin/splunk restart splunkweb
Last modified on 04 November, 2016
PREVIOUS
Turn on encryption (https) using web.conf 		  NEXT
Troubleshoot your Splunk Web authentication

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters