Splunk® Enterprise

Securing Splunk Enterprise

Download manual as PDF

Download topic as PDF

Configure Splunk Enterprise to use RSA Authentication Manager multifactor authentication in the configuration file

You can configure Splunk Enterprise to use multifactor authentication from the authentication.conf configuration file.

Configure multifactor authentication

In authentication.conf, edit the [2FA stanza name] stanza as follows:

externalTwoFactorAuthVendor = <RSA>
externalTwoFactorAuthSettings = <MFA stanza name>

[<MFA stanza name>]
authManagerUrl = <HTTPS-based URL of the RSA Authentication Manager REST endpoint >
accessKey = <Access key needed by Splunk to communicate with RSA Authentication Manager>
clientId = <Agent name created on RSA Authentication Manager>
failOpen = <True|False. True allows login in case the authentication server is unavailable.>
timeout = <Connection timeout in seconds for the outbound HTTPS connection>
messageOnError = <Message that will be shown on the error page if authentication fails >
sslVersions = <Comma-separated list of SSL versions to support for incoming connections. Supported versions are "ssl3", "tls1.0", "tls1.1", and "tls1.2". If this value is not set, Splunk uses default value of sslVersions=tls1.2 >
cipherSuite = <Cipher string. Allows Splunk to use the specified cipher string for the HTTP server>
ecdhCurves = <Comma separated list of ec curves. Specify ECDH curves to use for ECDH key negotiation. >
sslVerifyServerCert = <True|False. True enables both the common and alternate names to be matched.>
sslCommonNameToCheck = <List of common names for outbound RSA HTTPS connections>
sslAltNameToCheck =  <List of alternate names for outbound RSA HTTPS connections>
sslRootCAPath = <Root path. The path must refer to full path of a PEM format file containing one or more root CA certificates concatenated together.>

Before logging out of configuration session, perform config verification using '/services/admin/Rsa-MFA-config-verify' endpoint. First, enter the factor credentials and then enter the RSA passcode that appears on the RSA key fob or the mobile/desktop application which generates the token. This prevents you from blocking your ability to log in if you misconfigure authentication settings.

Configure Splunk Enterprise to use RSA Authentication Manager multifactor authentication via the REST endpoint
User experience when logging into a Splunk instance configured with RSA multifactor authentication

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters