Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Secure deployment servers and clients using certificate authentication

There are situations where you need certificate authentication in distributed configurations such as deployment servers and clients. One example is when you send sensitive server configuration data to a variety of locations outside your protected network, through your firewall. You can manually configure each deployment client to communicate with your deployment server.


Prerequisites for securing deployment servers and clients with TLS certificates

Before you can secure communications between Splunk deployment clients and servers, you must have the following:

  1. One or more TLS certificates.
    • You can either obtain third-party certificates from a certificate authority, or create and sign them yourself.
    • After you get the certificates, you must prepare the certificates for use with Splunk platform instances.
    • The certificates must be in Privacy-Enhanced Mail (PEM) format and comply with the X.509 public key certificate standard.
    • You must have a private key file for each certificate file.
    • The key files that come with the certificates must comply with the Rivest-Shamir-Adleman (RSA) security algorithm.
  2. Administrative access to the Splunk Enterprise instances that you want to secure.
  3. An understanding of Splunk configuration files.
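The following is an added example, not code from Splunk or from this manual, that pre-flights the format requirements in the list above using only the Python standard library: it checks that each file has well-formed PEM framing, that the payload is DER (an ASN.1 SEQUENCE), that the certificate carries an RSA public key, and that the key file that accompanies it is an RSA key. It does not validate signatures or chains; that remains a job for the certificate tooling (for example openssl verify). The file names and the PEM payloads below are constructed stand-ins, not real credentials.

```python
# Added example (not Splunk's own code): pre-flight checks for the certificate
# and key files listed in the prerequisites, standard library only.
# It does not verify signatures or chains; use the CA tooling for that.
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# DER encodings of the OBJECT IDENTIFIERs that name the key algorithm.
OID_RSA = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1
OID_EC = bytes.fromhex("06072a8648ce3d0201")       # id-ecPublicKey 1.2.840.10045.2.1


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in text.

    Raises ValueError when a body is not valid base64 or not a DER SEQUENCE.
    """
    blocks = []
    for label, body in PEM_RE.findall(text):
        raw = "".join(body.split())
        try:
            der = base64.b64decode(raw, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label}: body is not valid base64 ({exc})")
        if not der or der[0] != 0x30:  # every X.509 / PKCS object starts with SEQUENCE
            raise ValueError(f"{label}: payload is not a DER SEQUENCE")
        blocks.append((label, der))
    return blocks


def key_algorithm(label, der):
    """Classify a private-key block as 'rsa', 'ec' or 'unknown'.

    PKCS#1 and SEC1 blocks announce the algorithm in the label; PKCS#8 blocks
    carry an AlgorithmIdentifier OID. An ENCRYPTED PRIVATE KEY block hides the
    algorithm until it is decrypted, so it is reported as 'unknown'.
    """
    if label == "RSA PRIVATE KEY":
        return "rsa"
    if label == "EC PRIVATE KEY":
        return "ec"
    if label == "PRIVATE KEY":
        if OID_RSA in der:
            return "rsa"
        if OID_EC in der:
            return "ec"
    return "unknown"


def check_pair(cert_text, key_text):
    """Return the problems found for one certificate file and its key file.

    The first CERTIFICATE block is treated as the leaf; pass the same text
    twice if certificate and key were concatenated into a single PEM file.
    """
    problems = []
    try:
        certs = [der for lbl, der in pem_blocks(cert_text) if lbl == "CERTIFICATE"]
        keys = [(lbl, der) for lbl, der in pem_blocks(key_text) if lbl.endswith("PRIVATE KEY")]
    except ValueError as exc:
        return [str(exc)]
    if not certs:
        problems.append("certificate file contains no CERTIFICATE block")
    elif OID_RSA not in certs[0]:
        problems.append("leaf certificate does not carry an RSA public key")
    if not keys:
        problems.append("key file contains no PRIVATE KEY block")
    else:
        alg = key_algorithm(*keys[0])
        if alg != "rsa":
            problems.append(f"private key is {alg}, not RSA")
    return problems


def _pem(label, der):
    """Wrap DER bytes in PEM armour (used only to build the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed stand-ins, NOT real credentials: a minimal SEQUENCE wrapping the
# algorithm identifier is enough to exercise the checks above.
SAMPLE_CERT = _pem("CERTIFICATE", bytes.fromhex("300f300d") + OID_RSA + bytes.fromhex("0500"))
SAMPLE_RSA_KEY = _pem("RSA PRIVATE KEY", bytes.fromhex("3003020100"))
SAMPLE_PKCS8_RSA_KEY = _pem("PRIVATE KEY", bytes.fromhex("3012020100300d") + OID_RSA + bytes.fromhex("0500"))
SAMPLE_EC_KEY = _pem("EC PRIVATE KEY", bytes.fromhex("3003020101"))

if __name__ == "__main__":
    # For real files: check_pair(open("myServerCert.pem").read(), open("myServerKey.key").read())
    print("RSA pair:", check_pair(SAMPLE_CERT, SAMPLE_RSA_KEY) or "ok")
    print("EC key  :", check_pair(SAMPLE_CERT, SAMPLE_EC_KEY))
```

Run it against the files you intend to copy into $SPLUNK_HOME/etc/auth before touching server.conf; a key that reports as "ec" or "unknown", or a body that fails the base64 check, is a file that was exported in the wrong format, and fixing it here is cheaper than debugging a failed TLS handshake between deployment server and client later.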

Configure deployment servers and clients with TLS certificates

  1. Create or obtain one or more certificates that use the same root certificate authority (CA). For the procedure, including instructions on how to create the certificate authority certificate, see the "Secure Splunk platform communications with Transport Layer Security certificates" chapter.
  2. Use file management utilities to distribute the certificates to your deployment server and deployment clients.

    You might want to make a separate directory within each Splunk Enterprise instance to store the certificates; for example, you could put the certificates in the $SPLUNK_HOME/etc/auth/DScerts directory.

  3. On each deployment server, do the following:
    1. Using a text editor, open the $SPLUNK_HOME/etc/system/local/server.conf configuration file for editing.
    2. In the file, configure the deployment server to use the certificates. Add the following stanzas and settings to the file.
      Setting/stanza name | Data type | Description
      [sslConfig] | n/a | Sets up TLS/SSL configurations for deployment servers and clients.
      sslRootCAPath | string | The location of the Splunk CA certificate trust store. The Splunk platform uses this path to find certificates to validate TLS connections.
      sslPassword (Optional) | string | The password that you entered when you created the certificate, if you created a password.
  4. On each deployment client, do the following:
    1. Edit the $SPLUNK_HOME/etc/system/local/server.conf configuration file to provide the location of your certificates. Add the following stanzas and settings to the file.
      Setting/stanza name | Data type | Description
      [sslConfig] | n/a | Sets up TLS/SSL configurations for deployment servers and clients.
      serverCert | string | The location of the server certificate on the Splunk platform instance. This is the certificate that the machine uses to support inbound connections over TLS/SSL. You can specify either the absolute path to the certificate, such as /opt/splunk/etc/auth/mycerts/myServerCert.pem, or a relative path, such as etc/auth/mycerts/myServerCert.pem, in which case the instance resolves it against the Splunk platform instance installation directory.
      sslRootCAPath | string | See the description for this setting earlier in this topic.
      sslPassword (Optional) | string | See the description for this setting earlier in this topic.
      requireClientCert (Optional) | Boolean | Whether or not the Splunk platform instance requires that a connecting client present a valid TLS certificate before the connection can succeed. A value of "true" means that the receiving instance must see a valid certificate to let the client authenticate. A value of "false" means that clients can connect without presenting a certificate. Configure this setting to "true" if you want your receivers to require authentication with certificates. When both the forwarder and receiver have a "true" value for this setting, mutually authenticated TLS (mTLS) is active.
      sslVersions (Optional) | comma-separated list | The list of SSL versions that the receiver supports. The Splunk platform supports the following versions for SSL and TLS: "ssl3", "tls1.0", "tls1.1", and "tls1.2".
      cipherSuite (Optional) | string | The list of cipher suite strings that the TLS/SSL sessions are to use.
      sslCommonNameToCheck (Optional except in certain circumstances) | comma-separated list | A list of one or more common names that the receiving Splunk platform instance checks for a match in the certificate that the client presents upon connecting to the receiver. This setting is only valid if you have configured the 'requireClientCert' setting with a value of "true". If none of the common names in this setting value matches the common name in the certificate of the connecting client, the receiving instance declines the connection as not authorized.
      sslAltNameToCheck (Optional except in certain circumstances) | comma-separated list | A list of one or more alternate names that the receiving Splunk platform instance checks for a match in the certificate that the client presents upon connecting to the receiver. This setting is only valid if you have configured the 'requireClientCert' setting with a value of "true". If none of the alternate names in this setting value matches the alternate name in the certificate of the connecting client, the receiving instance declines the connection as not authorized.
    2. Save the file and close it.
  5. The requireClientCert setting has a default value of "false". If you give it a value of "true" to force Splunk Enterprise to check your client certificates, Splunk Enterprise also checks Splunk Web and the CLI for certificates.

  6. Save the server.conf file and close it.
  7. Edit the $SPLUNK_HOME/etc/system/local/web.conf configuration file so that the deployment client presents a certificate signed by the same root CA, which lets Splunk Web connect to the server.

    The following is an example of an edited settings stanza:
    [settings]
    enableSplunkWebSSL = true
    privKeyPath = etc/auth/splunkweb/mySplunkWebPrivateKey.key
    serverCert = etc/auth/splunkweb/mySplunkWebCertificate.pem
    cipherSuite = <your chosen cipher suite (optional)>
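The following is an added example, not code from Splunk or from this manual, that reads the server.conf and web.conf stanzas the procedure above produces and reports settings that undermine certificate authentication: a missing [sslConfig] stanza, a missing sslRootCAPath or serverCert, requireClientCert left at its default of "false", sslCommonNameToCheck or sslAltNameToCheck set while requireClientCert is not "true" (the table says they are only valid in that case), and sslVersions that still enable ssl3, tls1.0 or tls1.1. The stanza and setting names are the ones documented above; the two sample server.conf fragments, the file paths, the host name and the cipher string are constructed for the demonstration, and treating SSL 3 and TLS 1.0/1.1 as deprecated is this example's own policy rather than a statement from the page.

```python
# Added example (not Splunk's own code): audit the [sslConfig] stanza of
# server.conf and the [settings] stanza of web.conf on a deployment client
# for the settings described in this topic. Sample configs are constructed.
import configparser
import io

# Protocol versions this example treats as weak (deprecated by RFC 7568 and
# RFC 8996). Splunk still lists them as accepted sslVersions values.
WEAK_VERSIONS = {"ssl3", "tls1.0", "tls1.1"}


def parse_conf(text):
    """Parse a Splunk .conf file (INI-style), keeping setting-name case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # sslRootCAPath must not be folded to sslrootcapath
    cp.read_file(io.StringIO(text))
    return cp


def is_true(value):
    return (value or "").strip().lower() in {"true", "1", "yes"}


def audit_server_conf(text, role="client"):
    """Return a sorted list of findings for server.conf.

    role is "client" (deployment client, needs serverCert as well) or
    "server" (deployment server, where the page lists only sslRootCAPath
    and sslPassword).
    """
    cp = parse_conf(text)
    if not cp.has_section("sslConfig"):
        return ["[sslConfig] stanza missing: TLS settings are not configured"]
    ssl = cp["sslConfig"]
    findings = []

    if not ssl.get("sslRootCAPath"):
        findings.append("sslRootCAPath not set: no CA trust store to validate peers")
    if role == "client" and not ssl.get("serverCert"):
        findings.append("serverCert not set: instance has no certificate for inbound TLS")

    client_auth = is_true(ssl.get("requireClientCert"))
    if not client_auth:
        findings.append("requireClientCert is not true (default false): "
                        "peers may connect without presenting a certificate")
    # The name checks are documented as valid only when requireClientCert = true.
    for name in ("sslCommonNameToCheck", "sslAltNameToCheck"):
        if ssl.get(name) and not client_auth:
            findings.append(f"{name} is set but ignored because requireClientCert is not true")

    for token in ssl.get("sslVersions", "").split(","):
        token = token.strip().lower()
        if not token or token.startswith("-"):  # "-ssl3" style exclusions are fine
            continue
        if token in WEAK_VERSIONS:
            findings.append(f"sslVersions enables deprecated protocol {token}")
    return sorted(findings)


def audit_web_conf(text):
    """Return a sorted list of findings for the web.conf [settings] stanza."""
    cp = parse_conf(text)
    if not cp.has_section("settings"):
        return ["[settings] stanza missing"]
    settings = cp["settings"]
    findings = []
    if not is_true(settings.get("enableSplunkWebSSL")):
        findings.append("enableSplunkWebSSL is not true: Splunk Web serves plain HTTP")
    for key in ("serverCert", "privKeyPath"):
        if not settings.get(key):
            findings.append(f"{key} not set: Splunk Web has no certificate or key to present")
    return sorted(findings)


# Constructed sample: a client stanza that copies the certificate paths in but
# leaves authentication off and keeps old protocol versions enabled.
WEAK_CLIENT_CONF = """\
[sslConfig]
serverCert = etc/auth/DScerts/myServerCert.pem
sslRootCAPath = etc/auth/DScerts/myCACert.pem
sslVersions = tls1.0,tls1.1,tls1.2
sslCommonNameToCheck = deploymentserver.example.com
"""

# Constructed sample: the same stanza with certificate authentication enforced.
HARDENED_CLIENT_CONF = """\
[sslConfig]
serverCert = etc/auth/DScerts/myServerCert.pem
sslRootCAPath = etc/auth/DScerts/myCACert.pem
requireClientCert = true
sslVersions = tls1.2
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384
sslCommonNameToCheck = deploymentserver.example.com
"""

# Constructed sample modelled on the web.conf stanza shown in the procedure.
WEB_CONF = """\
[settings]
enableSplunkWebSSL = true
privKeyPath = etc/auth/splunkweb/mySplunkWebPrivateKey.key
serverCert = etc/auth/splunkweb/mySplunkWebCertificate.pem
"""

if __name__ == "__main__":
    for name, conf in (("weak client", WEAK_CLIENT_CONF), ("hardened client", HARDENED_CLIENT_CONF)):
        print(name, audit_server_conf(conf) or ["no findings"])
    print("web.conf", audit_web_conf(WEB_CONF) or ["no findings"])
```

On a live instance, feed it the contents of $SPLUNK_HOME/etc/system/local/server.conf and web.conf after step 7. The weak sample produces four findings (requireClientCert off, the name check that is therefore ignored, and the two deprecated protocol versions); the hardened sample produces none. Remember the note in step 5: once requireClientCert is "true", Splunk Web and the CLI must present certificates too, which is why the web.conf check travels with the server.conf check.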
Last modified on 16 October, 2024

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6

