Splunk® Enterprise

Securing Splunk Enterprise

Secure deployment servers and clients using certificate authentication

There are certain situations where you might need to use certificate authentication in certain distributed configurations like deployment servers and clients. An example situation is when you send sensitive server configuration data to a variety of locations that are outside of your protected network through your firewall. You can manually configure each deployment client to communicate with your deployment server.


Prerequisites for securing deployment servers and clients with TLS certificates

Before you can secure communications between Splunk deployment clients and servers, you must have the following:

  1. One or more TLS certificates.
    • You can either obtain third party certificates from a certificate authority, or create and sign them yourself
    • After you get the certificates, you must prepare the certificates for use with Splunk platform instances
    • The certificates must be in Privacy-Enhanced Mail format and comply with the x.509 public key certificate standard
    • You must have a private key file for each certificate file.
    • The key files that come with the certificates must comply with the Rivest-Shamir-Adelman (RSA) security algorithm.
  2. Administrative access to the Splunk Enterprise instances that you want to secure
  3. An understanding of Splunk configuration files

Configure deployment servers and clients with TLS certificates

  1. Create or obtain one or more certificates that use the same root certificate authority (CA). For the procedure, including instructions on how to create the certificate authority certificate, see the "Secure Splunk platform communications with Transport Layer Security certificates" chapter.
  2. Use file management utilities to distribute the certificates to your deployment server and deployment clients.

    You might want to make a separate directory within each Splunk Enterprise instance to store the certificates, for example, you could put the certificates in the $SPLUNK_HOME/etc/auth/DScerts directory.

  3. On each deployment server, do the following:
    1. Using a text editor, open the $SPLUNK_HOME/etc/system/local/server.conf configuration file for editing.
    2. In the file, configure the deployment server to use the certificates. Add the following stanzas and settings to the file.
      Setting/stanza name Data type Description
      [sslConfig] n/a Sets up TLS/SSL configurations for deployment servers and clients.
      sslRootCAPath string The location of the Splunk CA certificate trust store. The Splunk platform uses this path to find certificates to validate TLS connections depending on the value of the 'caTrustStore' setting.


      The Splunk platform uses this setting if you give the 'caTrustStore' setting its default value of "splunk" or "splunk,os". It does not use this setting if you give the 'caTrustStore' setting a value of only "os". If you specify both trust stores, and an identical certificate appears in each, the Splunk platform uses the certificate in this trust store to validate the TLS connection.

      caTrustStore (Optional) string The certificate authority (CA) trust store to use when validating a network connection over TLS. The setting has two values:
      • "splunk" which is the trust store that the Splunk platform uses for certificates, as defined by the value for the 'sslRootCAPath' setting. When you specify this setting, the Splunk platform uses the certificates in this trust store to validate TLS connections. See the entry for that setting later in this table for information on configuring the 'sslRootCAPath' setting. This is the default value for 'caTrustStore'.
      • "os" which is the CA trust store that the operating system uses. When you specify this setting, the Splunk platform uses the certificate in the trust store location that the operating system which runs the Splunk platform instance defines. Currently, there is support for Linux and Windows operating systems only. There is no support for macOS operating system trust stores.


      You can specify both of these values by separating them with a comma. When you do this, the Splunk platform looks in both the Splunk and OS trust stores for certificates to validate TLS connections.

      If the Splunk platform finds an identical TLS certificate in both trust stores, it uses the certificate in the Splunk trust store to validate the TLS connection.

      caTrustStorePath (Optional except when 'caTrustStore' has a value of "os") string The certificate authority (CA) trust store path that the operating system uses, and that the Splunk platform is to use to find certificates for validating TLS connections. Currently, there is support for Linux operating systems only for this setting. There is no support for macOS, and Windows stores its certificates in the Windows Registry. There is no default value for this setting, so you must give it one if you give 'caTrustStore' a value of "os".


      The Splunk platform uses this setting if you give the 'caTrustStore' setting its default value of "os", or "splunk,os". It does not use this setting if you give the 'caTrustStore' setting a value of only "splunk". If you specify both trust stores, and an identical certificate appears in each, the Splunk platform uses the certificate in the Splunk trust store to validate the TLS connection.

      If you give 'caTrustStore' a value of "os" but don't specify a value for this setting, the Splunk platform doesn't attempt to look for certificates in the operating system trust store. It only looks for certificates in the Splunk trust store, and logs an error to the splunkd.log log file.

      sslPassword (Optional) string The password that you entered when you created the certificate, if you created a password.
  4. On each deployment client, do the following:
    1. Edit the $SPLUNK_HOME/etc/system/local/server.conf configuration file to provide the location of your certificates. Add the following stanzas and settings to the file.
      Setting/stanza name Data type Description
      [sslConfig] n/a Sets up TLS/SSL configurations for deployment servers and clients.
      serverCert string The location of the server certificate on the Splunk platform instance. This is the certificate that the machine uses to support inbound connections over TLS/SSL. You can specify either the absolute path to the certificate, such as /opt/splunk/etc/auth/mycerts/myServerCert.pem, or you can use a relative path, such as etc/auth/mycerts/myServerCert.pem and the instance uses the Splunk platform instance installation directory.
      sslRootCAPath string See the description for this setting earlier in this topic.
      caTrustStore (Optional) string See the description for this setting earlier in this topic.
      caTrustStorePath (Optional except when 'caTrustStore' has a value of "os") string See the description for this setting earlier in this topic.
      sslPassword (Optional) string See the description for this setting earlier in this topic.
      requireClientCert (Optional) Boolean Whether or not the Splunk platform instance requires that a connecting client present a valid TLS certificate before the connection can succeed. A value of "true" means that the receiving instance must see a valid certificate to let the client authenticate. A value of "false" means that clients can connect without presenting a certificate. Configure this setting to "true" if you want your receivers to require authentication with certificates. When both the forwarder and receiver have a "true" value for this setting, mutually authenticated TLS or mTLS is active.
      sslVersions (Optional) comma-separated list The list of SSL versions that the receiver supports. The Splunk platform supports the following versions for SSL and TLS: "ssl3", "tls1.0", "tls1.1", and "tls1.2".
      cipherSuite (Optional) string The list of cipher suite strings that the TLS/SSL sessions are to use.
      sslCommonNameToCheck
      (Optional except in certain circumstances)
      comma-separated list A list of one or more common names upon which the receiving Splunk platform instance checks for a match in the certificate that the client presents upon connecting to the receiver. This setting is only valid if you have configured the 'requireClientCert' setting with a value of "true". If none of the common names in this setting value matches the common name in the certificate of the connecting client, the receiving instance declines the connection as not authorized.
      sslAltNameToCheck
      (Optional except in certain circumstances)
      comma-separated list A list of one or more alternate names upon which the receiving Splunk platform instance checks for a match in the certificate that the client presents upon connecting to the receiver. This setting is only valid if you have configured the 'requireClientCert' setting with a value of "true". If none of the alternate names in this setting value matches the alternate name in the certificate of the connecting client, the receiving instance declines the connection as not authorized.
    2. Save the file and close it.
  5. The requireClientCert setting has a default value of "false". If you give it a value of true to force Splunk Enterprise to check your client certificates, Splunk Enterprise will also check Splunk Web and the CLI for certificates.

  6. Save the server.conf file and close it.
  7. Edit the $SPLUNK_HOME/etc/system/local/web.conf configuration file so that the deployment client presents a certificate signed by the same root CA so that Splunk Web can connect to the server.

    The following is an example of an edited settings stanza:
    [settings]
    enableSplunkWebSSL = true
    privKeyPath = etc/auth/splunkweb/mySplunkWebPrivateKey.key
    serverCert = etc/auth/splunkweb/mySplunkWebCertificate.pem
    cipherSuite = <your chosen cipher suite (optional)>
Last modified on 16 October, 2024
Securing distributed search heads and peers   Configure communication and bundle download authentication for deployment servers and clients

This documentation applies to the following versions of Splunk® Enterprise: 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters