Secure Splunk Web communications
Splunk Web has a number of functions, and one of the primary ones is to transmit search requests and results between Splunk Enterprise and your computer through its browser. This communication could potentially be exploited by malicious actors that use packet-sniffing technology and other tools.
If your Splunk configuration is a distributed environment where customers access Splunk Web from browsers from various locations, implement stronger security measures by using signed certificates.
Use signed certificates to secure Splunk Web communications
There are several ways you can use signed certificates to improve security for your browser to Splunk Web communications:
- For secured encryption with authentication, you can replace the default certificate with a signed certificate.
You replace the default certificate that Splunk provides with one that you request from a trusted Certificate Authority (CA). This is the most secure option.
For more information about obtaining CA certificates for Splunk deployments, see How to obtain certificates from a third-party for Splunk Web.
You can also use self-signed certificates to secure authentication, however, because you signed them rather than a known and trusted Certificate Authority, browsers will not list you as a CA in their certificate store, and as a result will not trust you or your certificates. For self-signed certificates to be effective, you would need to add your certificate to the certificate store of every browser that will access Splunk Web.
For more information about creating self-signed certificates for Splunk deployments, see How to create and sign your own TLS certificates.
- When you use a signed certificate, you can further strengthen your security configuration by turning on common name checking.
Common name checking adds an extra layer of security by requiring that the X.509 common name that is provided in the certificates on each communicating instance are a match. You can enable common name checking when you set up your certificate and configure Splunk Enterprise to check for common names when it authenticates.
For more information about configuring Splunk Enterprise to use certificates and learn more about common name checking, see Steps for securing your Splunk Enterprise deployment with TLS.
Turn on basic encryption for Splunk Web using default certificates
If your users access Splunk Web from local browsers behind the same firewall as Splunk Web, it might be acceptable to turn on simple encryption using the default certificates that Splunk ships with Splunk Enterprise. It is not as secure as either obtaining certificates from a third party or creating and signing certificates yourself.
- For information about the default certificate for Splunk Web, see Turn on HTTPS encryption for Splunk Web with Splunk Web or Turn on HTTPS encryption for Splunk Web using the web.conf configuration file.
- For information about configuring Splunk Web to use signed certificates, see Configure Splunk Web to use TLS certificates.
Configure and install certificates in Splunk Enterprise for Splunk Log Observer Connect | Turn on HTTPS encryption for Splunk Web with Splunk Web |
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1
Feedback submitted, thanks!