Secure deployment servers and clients using certificate authentication
There are certain situations where you might need to use certificate authentication in certain distributed configurations. An example is when you send sensitive server configuration data to a variety of locations outside of your protected network through your firewall. You can manually configure each indexer to communicate with your deployment server.
The deployment server cannot properly push certificates to peers. You must configure each member separately.
- Create one or more certificates using the same root certificate authority (CA). To learn how to create a certificate, see Appendix A in this manual.
- Distribute the certificates to your deployment server and clients.
- On each deployment client, edit the
$SPLUNK_HOME/etc/system/local/server.confconfiguration file to provide the location of your certificates.
[sslConfig] enableSplunkdSSL = true sslVersions = *,-ssl2 # This is the default (anything newer than SSLv2). It is # also the recommended setting. serverCert = <full path to the Privacy Enhanced Mail format server certificate file> # The Splunk daemon generates the default certificate # ($SPLUNK_HOME/etc/auth/server.pem) when it starts up. To secure # your deployment, replace the default certificate with your own certificate # file, in PEM format. sslPassword = password sslRootCAPath = <full path to the operating system root CA certificate> # This is a PEM format file that contains one or more root CAs. # Do not configure this attribute on Windows.
- Add the
requireClientCertsetting under the
[sslConfig]stanza to force the deployment clients to authenticate using your certificates:
requireClientCert = true
- Edit the
web.confconfiguration file to present a certificate signed by the same root CA so that Splunk Web can connect to the server.
The following is an example of an edited settings stanza:
[settings] enableSplunkWebSSL = true privKeyPath = etc/auth/splunkweb/mySplunkWebPrivateKey.key serverCert = etc/auth/splunkweb/mySplunkWebCertificate.pem cipherSuite = <your chosen cipher suite (optional)>
requireClientCert is set to "false" by default. If you change it to
true to force Splunk Enterprise to check your client's certificates, Splunk Web and the CLI will also be checked for certificates.
Splunk Web does not support passwords, so you must remove the password from the private key. For more information, see Get certificates signed by a third party for Splunk Web.
Securing distributed search heads and peers
Secure your clusters with pass4SymmKey
This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.2.0