Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise versions higher than version 9.4.2 are documented on our new documentation portal only. To get started, see the Splunk Enterprise page on help.splunk.com and the Splunk Enterprise 9.4.3 release notes. For information about how version selection works in the new portal, see Version selection on the About This Site page.

Configure Splunk Web to use TLS certificates

You can use transport layer security (TLS) certificates to secure connections between Splunk Web and your browser.

The certificates you use can replace the default certificates that Splunk provides. You can either obtain certificates from a certificate authority, or create and sign them yourself.

Prerequisites for configuring Splunk Web to use TLS certificates

  1. One or more TLS certificates.
    • You can either obtain third party certificates from a certificate authority, or create and sign them yourself
    • After you get the certificates, you must prepare the certificates for use with Splunk platform instances
    • The certificates must be in Privacy-Enhanced Mail format and comply with the x.509 public key certificate standard
    • You must have a private key file for each certificate file.
    • The key files that come with the certificates must be in RSA security format.

Configure Splunk Web to use TLS certificates

Follow this procedure to configure Splunk Enterprise to use TLS certificates for Splunk Web.

When you configure Splunk Enterprise to use TLS certificates, upon restart, it changes the file permissions on the certificates so that only the user that Splunk Enterprise runs as has full access. This is by design, in line with security industry standards, and cannot be changed.

  1. Open or create a local web.conf configuration file for the Search app in $SPLUNK_HOME/etc/system/local. If you use a deployment server, you can create this file in any application directory that you make available to the deployment server for download to deployment clients.
  2. Under the [settings] stanza, configure the path to the file that contains the web server SSL certificate private key file and the path to the Splunk web server certificate file.

    You may use absolute paths when you configure these settings by prepending a / to the path. Non-absolute paths are relative to the Splunk installation directory ($SPLUNK_HOME). If you use a non-absolute path, do not add $SPLUNK_HOME to the path

    The following example shows an edited settings stanza: 

    [settings]
enableSplunkWebSSL = true
privKeyPath = /opt/splunk/etc/auth/mycerts/mySplunkWebPrivateKey.key 
serverCert = /opt/splunk/etc/auth/mycerts/mySplunkWebCertificate.pem
  3. Save the file and close it.
  4. Restart the Splunk Enterprise instance:
    # $SPLUNK_HOME/bin/splunk restart splunkd

Next step

Confirm that the forwarder and indexer configurations work properly. See Test and troubleshoot TLS connections.

Last modified on 06 September, 2023
Configure TLS certificates for inter-Splunk communication   Test and troubleshoot TLS connections

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters