Splunk® Enterprise

Securing Splunk Enterprise

Download manual as PDF

Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Download topic as PDF

Secure Splunk Web with your own certificate

This example assumes that you have already generated self-signed certificates or purchased third-party certificates. If you have not done this and are unsure how to proceed, we've provided some simple examples:

Before you begin: make sure your certificate and key are available from your folder. In this example we are using $SPLUNK_HOME/etc/auth/mycerts/:

  • $SPLUNK_HOME/etc/auth/mycerts/mySplunkWebCertificate.pem
  • $SPLUNK_HOME/etc/auth/mycerts/mySplunkWebPrivateKey.key

Configure Splunk Web to use the key and certificate files

1. In $SPLUNK_HOME/etc/system/local/web.conf (or any other applicable location, if you are using a deployment server), make the following changes to the [settings] stanza:

The following is an example of an edited settings stanza:

enableSplunkWebSSL = true
privKeyPath = </home/etc/auth/mycerts/mySplunkWebPrivateKey.key > 
Absolute paths may be used. non-absolute paths are relative to $SPLUNK_HOME

serverCert = </home/etc/auth/mycerts/mySplunkWebCertificate.pem > 
Absolute paths may be used. non-absolute paths are relative to $SPLUNK_HOME

2. Restart Splunk:

# $SPLUNK_HOME/bin/splunk restart splunkd
Turn on encryption (https) using web.conf
Troubleshoot your Splunk Web authentication

This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 8.0.0, 8.0.1, 8.0.2


Thanks for the comment, Relentne. We have updated the topic to change "restart splunk" to "restart splunkd". Thanks for the help.

Andrewb splunk, Splunker
October 9, 2019

How to restart splunk correctly?

$SPLUNK_HOME/bin/splunk restart splunk
Invalid mode "splunk".

October 8, 2019

Hi Hprakashnavteca,

I've sent you a private message based on the information we have on file. If you could give more context about the problems you are having, that would be very helpful. Thanks.

Malmoore, Splunker
March 21, 2019

hi, trying to get cert work for splunk web 7.2.0 on linux:
1. converted private key to csr.
2. got der (root, base64 container) and cer from ca authority for the csr above.
3. edited web.conf, like so -
privKeypath = key
serverCert = ???
for ???, cer works and der fails (but that's not right).
converted der-2-pem (container), but it fails too.
chained cer+pem above, but it fails again.

so, how to get root in serverCert = ???
tried splunk btool web list --debug

March 20, 2019

Hi Rocketboots services,

I've sent a message to you based on the information we have on file. If you could give more context about the message you're receiving, it'd be very helpful. Thanks.

Malmoore, Splunker
January 30, 2019

Editing etc/system/local/web.conf seems to trigger a failed integrity check?

Rocketboots services
January 20, 2019

@Cpierce26: That's the default setting inside of $SPLUNK_HOME/etc/system/default/web.conf - so if the server does not come up again, there's maybe some other web.conf overwriting this default. In this case it's better to just remove this second setting to leave your configuration as clean as possible. Use "splunk btool web list --debug | grep httpport" to check where that overwriting takes place.

July 20, 2018

Incomplete documentation. There are a few things missing here regarding the configuration of the web.conf file.

If you are swapping over from self signed certificates, and currently on the default ssl/port settings, keep in mind when you swap over to the new certificates a new line has to be added into the configuration.

That line is-

httpport = 8000 (you can also change this another port if you want.)

Otherwise, you'll get stuck when you restart splunk at "Attempting to establish connection at at port 8000."

Just a heads up for someone who dug through their .conf webinars to find an answer.

March 13, 2018

The first step, copying the certs confuses me. It says that I should copy the certs to my own repo, /etc/auth/mycerts, which makes sense since web.conf references that path, but the code examples copies the .pem-files to /splunkweb from /mycerts. Why is this needed when not used in the config on web.conf?

February 5, 2018

If you get an error about 'Invalid key in stanza [settings] ... serverCert', try replacing 'serverCert' with 'caCertPath', which is what this config key was called in earlier versions of Splunk.

October 16, 2017

After making these changes when I restart splunk I get the message:
Invalid key in stanza [settings] in /opt/splunk/etc/system/local/web.conf, line 4: serverCert (value: etc/auth/splunkweb/server.pem).

May 2, 2017

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters