Secure deployment servers and clients using certificate authentication
There are certain situations where you might need to use certificate authentication in certain distributed configurations. An example is when you send sensitive server configuration data to a variety of locations outside of your protected network through your firewall. You can manually configure each indexer to communicate with your deployment server.
Splunk Web does not support passwords, so you must remove the password from the private key. For more information, see Get certificates signed by a third party for Splunk Web.
The deployment server cannot properly push certificates to peers. You must configure each member separately.
- Create one or more certificates using the same root certificate authority (CA). To learn how to create a certificate, see Appendix A in this manual.
- Distribute the certificates to your deployment server and clients.
- On each deployment client, edit the
$SPLUNK_HOME/etc/system/local/server.conf
configuration file to provide the location of your certificates.
[sslConfig] enableSplunkdSSL = true sslVersions = tls1.2 # This is the default (TLS v1.2). It is # also the recommended setting. serverCert = <full path to the Privacy Enhanced Mail-format server certificate file> # The Splunk daemon generates the default certificate # ($SPLUNK_HOME/etc/auth/server.pem) when it starts up. To secure # your deployment, replace the default certificate with your own certificate # file, in PEM format. sslPassword = password # The password for the server certificate, if it exists. sslRootCAPath = <full path to the operating system root CA certificate> # This is a PEM format file that contains one or more root CAs. # Do not configure this setting on Windows.
- Add the
requireClientCert
setting under the[sslConfig]
stanza to force the deployment clients to authenticate using your certificates:
requireClientCert = true
- Edit the
web.conf
configuration file to present a certificate signed by the same root CA so that Splunk Web can connect to the server.
The following is an example of an edited settings stanza:
[settings] enableSplunkWebSSL = true privKeyPath = etc/auth/splunkweb/mySplunkWebPrivateKey.key serverCert = etc/auth/splunkweb/mySplunkWebCertificate.pem cipherSuite = <your chosen cipher suite (optional)>
This requireClientCert
is set to "false" by default. If you change it to true
to force Splunk Enterprise to check your client's certificates, Splunk Web and the CLI will also be checked for certificates.
Securing distributed search heads and peers | Secure Splunk Enterprise services with pass4SymmKey |
This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12
Feedback submitted, thanks!