Related Answers
Download topic as PDF
Secure Splunk Web with your own certificate
This example assumes that you have already generated self-signed certificates or purchased third-party certificates. If you have not done this and are unsure how to proceed, we've provided some simple examples:
Note: Splunk Web does not currently support password-protected private keys. You should remove the password from your key before configuring Splunk Web for the certificate.
Before you begin: Copy your certificates to a new folder
Copy the server certificate to your own certificate repository in $SPLUNK_HOME/etc/auth.
In the following example our web certificate is called mySplunkWebCertificate.pem and our private key is called mySplunkWebPrivateKey.key:
*nix:
Windows:
copy $SPLUNK_HOME\etc\auth\mycerts\mySplunkWebCertificate.pem $SPLUNK_HOME\etc\auth\splunkweb\ copy $SPLUNK_HOME\etc\auth\mycerts\mySplunkWebPrivateKey.key $SPLUNK_HOME\etc\auth\splunkweb\
Configure Splunk Web to use the key and certificate files
Note: Splunk Web does not support passwords for private keys, so you must remove the password from the key before using the key to secure Splunk Web.
1. In $SPLUNK_HOME/etc/system/local/web.conf (or any other applicable location, if you are using a deployment server), make the following changes to the [settings] stanza:
The following is an example of an edited settings stanza:
[settings] enableSplunkWebSSL = true privKeyPath = </home/user/certs/myprivatekey.pem> Absolute paths may be used. non-absolute paths are relative to $SPLUNK_HOME serverCert = </home/user/certs/mycacert.pem> Absolute paths may be used. non-absolute paths are relative to $SPLUNK_HOME
2. Restart Splunk Web:
|
PREVIOUS Turn on encryption (https) using web.conf |
NEXT Troubleshoot your Splunk Web authentication |
This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10
Comments
Hello, I am seeing this error when trying to use the path to my server cert in web.conf
Invalid key in stanza [settings] in /opt/splunk/etc/system/local/web.conf, line 3: serverCert (value: /home/ryot/mycerts/mycacert.pem)
Web.conf -
[settings]
enableSplunkWebSSL = true
serverCert = /home/ryot/mycerts/mycacert.pem
privKeyPath = /home/ryot/mycerts/myprivatekey.pem
I don't understand. In PrivKeyPath we have to referer a .key file or a .pem file ? And if it's pem file so wihich one ?
We are installing DoD certs, server.cert.pem and server.key.pem following the instructions above and the splunk service doesn't seem to restart. We copied the two pem files to the splunkweb folder as stated above, modifed web.conf file as above pointing to the location and files. Is there anything else I am missing.
Thanks for pointing that out, Hmallett. We've fixed the error.
The line:
serverCert = </home/user/certs/mycacert.pem.
should be:
serverCert = </home/user/certs/mycacert.pem>
Hey Byron,
Thank you so much for calling this to my attention. I've updated the docs accordingly.
Cheers,
Jen
The example in section 1.
text:
"servercert = </home/user/certs/mycacert.pem. Absolute paths may be used. non-absolute paths are relative to $SPLUNK_HOME"
should be:
"serverCert = </home/user/certs/mycacert.pem. Absolute paths may be used. non-absolute paths are relative to $SPLUNK_HOME"
Note the capital C in serverCert.
V/r,
Byron
For Windows, restarting the splunkweb service via "splunk restart splunkweb" didn't recognize the new SSL cert. I rebooted the machine, and the new cert was recognized. Maybe I could have just restarted the splunkd.exe service...