Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Configure Splunk Web to use TLS certificates

You can use transport layer security (TLS) certificates to secure connections between Splunk Web and your browser.

The certificates you use can replace the default certificates that Splunk provides. You can either obtain certificates from a certificate authority, or create and sign them yourself.

Prerequisites for configuring Splunk Web to use TLS certificates

  1. One or more TLS certificates.
    • You can either obtain third-party certificates from a certificate authority, or create and sign them yourself.
    • After you get the certificates, you must prepare the certificates for use with Splunk platform instances.
    • The certificates must be in Privacy-Enhanced Mail (PEM) format and comply with the X.509 public key certificate standard.
    • You must have a private key file for each certificate file.
    • The key files that come with the certificates must be in RSA security format.

Configure Splunk Web to use TLS certificates

Follow this procedure to configure Splunk Enterprise to use TLS certificates for Splunk Web.

When you configure Splunk Enterprise to use TLS certificates, upon restart, it changes the file permissions on the certificates so that only the user that Splunk Enterprise runs as has full access. This is by design, in line with security industry standards, and cannot be changed.

  1. Open or create a local web.conf configuration file for the Search app in $SPLUNK_HOME/etc/system/local. If you use a deployment server, you can create this file in any application directory that you make available to the deployment server for download to deployment clients.
  2. Under the [settings] stanza, set privKeyPath to the path of the web server private key file and serverCert to the path of the Splunk Web server certificate file.

    You can use absolute paths for these settings by starting the path with a /. Non-absolute paths are relative to the Splunk installation directory ($SPLUNK_HOME). If you use a non-absolute path, do not add $SPLUNK_HOME to the path.

    The following example shows an edited settings stanza:

    [settings]
    enableSplunkWebSSL = true
    privKeyPath = /opt/splunk/etc/auth/mycerts/mySplunkWebPrivateKey.key
    serverCert = /opt/splunk/etc/auth/mycerts/mySplunkWebCertificate.pem

  3. Save the file and close it.
  4. Restart the Splunk Enterprise instance:
    # $SPLUNK_HOME/bin/splunk restart splunkd
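
The following pre-restart check is an added example, not Splunk's own code. It reads the [settings] stanza from the procedure above, resolves privKeyPath and serverCert by the path rule in step 2, and confirms each file exists and carries a PEM header. The function names check_web_conf and resolve are hypothetical, and the check inspects PEM header lines only.

```python
import configparser
import os
import tempfile

# PEM BEGIN lines accepted per setting. Header check only: a PKCS#8
# "BEGIN PRIVATE KEY" header does not by itself prove the key is RSA.
MARKERS = {
    "serverCert": ("-----BEGIN CERTIFICATE-----",),
    "privKeyPath": ("-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN PRIVATE KEY-----",
                    "-----BEGIN ENCRYPTED PRIVATE KEY-----"),
}

def resolve(value, splunk_home):
    """A leading / means absolute; anything else is relative to $SPLUNK_HOME."""
    return value if value.startswith("/") else os.path.join(splunk_home, value)

def check_web_conf(conf_path, splunk_home):
    """Return a list of findings; an empty list means every check passed."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep setting names case-sensitive
    parser.read(conf_path)
    if not parser.has_section("settings"):
        return ["no [settings] stanza found"]
    settings, findings = parser["settings"], []
    if settings.get("enableSplunkWebSSL", "").strip().lower() != "true":
        findings.append("enableSplunkWebSSL is not set to true")
    for name, markers in MARKERS.items():
        value = settings.get(name, "").strip()
        path = resolve(value, splunk_home)
        if not value:
            findings.append(f"{name} is not set")
        elif "$SPLUNK_HOME" in value:
            findings.append(f"{name}: drop $SPLUNK_HOME, relative paths already start there")
        elif not os.path.isfile(path):
            findings.append(f"{name}: {path} does not exist")
        else:
            with open(path, encoding="utf-8", errors="replace") as handle:
                text = handle.read()
            if not any(marker in text for marker in markers):
                findings.append(f"{name}: no expected PEM header in {path}")
    return findings

if __name__ == "__main__":
    # Constructed sample: a stanza that repeats $SPLUNK_HOME and has no certificate.
    with tempfile.TemporaryDirectory() as home:
        conf = os.path.join(home, "web.conf")
        with open(conf, "w") as handle:
            handle.write("[settings]\nenableSplunkWebSSL = true\nprivKeyPath = $SPLUNK_HOME/etc/x.key\n")
        print("\n".join(check_web_conf(conf, home)))
```

An empty result means the stanza and both files passed these checks; it does not confirm that the key matches the certificate.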

Next step

Confirm that the forwarder and indexer configurations work properly. See Test and troubleshoot TLS connections.

Last modified on 06 September, 2023

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1

