Splunk® User Behavior Analytics

Install and Upgrade Splunk User Behavior Analytics

Request and add a new certificate to Splunk UBA to access the Splunk UBA web interface

Replace or renew the certificate used to gain access to the Splunk UBA web interface. You can use either of the following methods: renew the self-signed certificate included with Splunk UBA, or create your own third-party signed certificate and add it to Splunk UBA.

An additional certificate is required to integrate Splunk UBA with Splunk Enterprise in order to send threats and anomalies to Splunk Enterprise Security (ES), or to send notable events from Splunk ES to Splunk UBA. See Configure the Splunk platform to receive data from the Splunk UBA output connector in the Send and Receive Data from the Splunk Platform manual.

Renew the self-signed certificate included with Splunk UBA

The self-signed certificate included with Splunk UBA expires 365 days after the Splunk UBA web interface is accessed for the first time.

Perform the following steps to regenerate the default self-signed certificate:

  1. Remove the existing root certificate:
    rm /var/vcap/store/caspida/certs/my-root-ca.crt.pem
  2. Regenerate the default certificate set in the default certificate directory:
    /opt/caspida/bin/CaspidaCert.sh US CA "San Francisco" Splunk "" "" /var/vcap/store/caspida/certs/

Create your own third-party signed certificate and add it to Splunk UBA

Create a third-party signed certificate you can install in Splunk UBA. The way you create or obtain these certificates depends on your organization's policies, network structure, or the tools you are using. If you already have a third-party signed certificate, see Add a new certificate to Splunk UBA.

Create a third-party signed certificate and a certificate signing request

Follow these instructions to create third-party signed certificates.

  1. From the command line of the Splunk UBA management server, log in as the caspida user using SSH.
  2. Stop the Splunk UBA Resources Monitor:
    sudo service caspida-resourcesmonitor stop
  3. Stop the Splunk UBA web interface:
    sudo service caspida-ui stop
  4. Get the short hostname and domain name using the following commands:
    hostname -s
    hostname -d
  5. Generate a new root certificate, private key, and additional certificates with the Splunk UBA host name of your management server:
    sudo /opt/caspida/bin/CaspidaCert.sh <country> <state> <location> <org> <domain> <"short hostname"> <certificate-location>

    By default, Splunk UBA looks in /var/vcap/caspida/certs for the necessary certificates. When generating new certificates, specify a <certificate-location> in a different directory under /var/vcap/store/caspida/certs so that the default certificates are not overwritten during upgrades.
    For example, to generate a certificate for Splunk UBA in a directory called mycerts under /var/vcap/store/caspida/certs, type:

    sudo /opt/caspida/bin/CaspidaCert.sh US CA SanFrancisco Splunk sv.splunk.com "uba-17" /var/vcap/store/caspida/certs/mycerts
  6. Edit the /etc/caspida/local/conf/uba-site.properties file and add the following properties to direct Splunk UBA to use the new certificate location. The following example uses /var/vcap/store/caspida/certs/mycerts as the certificate location. Replace this location with the actual location of your certificates:
    ui.auth.rootca=/var/vcap/store/caspida/certs/mycerts/my-root-ca.crt.pem
    ui.auth.privateKey=/var/vcap/store/caspida/certs/mycerts/my-server.key.pem
    ui.auth.serverCert=/var/vcap/store/caspida/certs/mycerts/my-server.crt.pem
    
  7. Change to the Splunk UBA certificate directory:
    cd /var/vcap/store/caspida/certs/mycerts
  8. Generate a signing request for the certificate authority using the newly created private key:
    sudo openssl req -new -key my-server.key.pem -out myCACertificate.csr
  9. When prompted, type the same values that you provided when creating the new private key.
  10. Assign the appropriate permissions to the certs directory:
    sudo chmod 644 /var/vcap/store/caspida/certs/mycerts/*
  11. While waiting for the certificate signing request to be returned, start Splunk UBA and the Splunk UBA resources monitor:
    sudo service caspida-ui start
    sudo service caspida-resourcesmonitor start
    Splunk UBA now runs with the self-signed certificate until the signed certificate is installed.
  12. Use the certificate signing request (CSR) myCACertificate.csr to request a new signed certificate from your certificate authority (CA). The process for requesting a signed certificate varies depending on how your certificate authority handles a certificate signature request. Contact your CA for more information.
  13. Download the server certificate (for example, mySplunkUBAWebCert.pem) and rootCA returned by your Certificate Authority.
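Before the CSR goes to the CA, and again when the signed certificate comes back, it is worth confirming that both carry the public half of the private key Splunk UBA will be configured with; a certificate issued for a different key cannot be used by the web interface. The script below is an added example and is not part of Splunk UBA or CaspidaCert.sh. It compares SHA-256 digests of the public key found in the key file, the CSR and the certificate using openssl, and builds its own constructed key, CSR and self-signed certificate in a temporary directory so that it runs stand-alone; the file names my-server.key.pem, myCACertificate.csr and mySplunkUBAWebCert.pem follow the text, while other.key.pem and the self-signing step are stand-ins for this demo.

```shell
#!/bin/sh
# Added example, not part of Splunk UBA or CaspidaCert.sh: confirm that a CSR,
# and later the certificate the CA returns, carry the public half of the private
# key Splunk UBA will be configured with. All file paths here are assumptions.

# Read a PEM public key on stdin and print its SHA-256 digest over the DER form.
# The digest is the last field of "openssl dgst" output in every OpenSSL version.
pubkey_digest() {
  openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Digest of the public half of a private key file (e.g. my-server.key.pem).
key_digest() {
  pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  printf '%s\n' "$pem" | pubkey_digest
}

# Digest of the public key embedded in a CSR (e.g. myCACertificate.csr).
csr_digest() {
  pem=$(openssl req -in "$1" -pubkey -noout 2>/dev/null) || return 1
  printf '%s\n' "$pem" | pubkey_digest
}

# Digest of the public key in an X.509 certificate (e.g. mySplunkUBAWebCert.pem).
cert_digest() {
  pem=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
  printf '%s\n' "$pem" | pubkey_digest
}

# csr_matches_key CSR KEY: succeed only if the CSR was built from KEY.
csr_matches_key() {
  k=$(key_digest "$2"); c=$(csr_digest "$1")
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_matches_key CERT KEY: succeed only if CERT was issued for KEY's public key.
cert_matches_key() {
  k=$(key_digest "$2"); c=$(cert_digest "$1")
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_fixture DIR: constructed test material, not real Splunk UBA files: an RSA
# key, a CSR made from it, a certificate for that key (self-signed here as a
# stand-in for the CA), and an unrelated key to show what a mismatch looks like.
make_fixture() {
  d=$1
  subj="/C=US/ST=CA/L=San Francisco/O=Splunk/CN=uba-17.sv.splunk.com"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/my-server.key.pem" 2>/dev/null
  openssl req -new -key "$d/my-server.key.pem" -subj "$subj" -out "$d/myCACertificate.csr" 2>/dev/null
  openssl req -x509 -new -key "$d/my-server.key.pem" -subj "$subj" -days 365 -out "$d/mySplunkUBAWebCert.pem" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.key.pem" 2>/dev/null
}

# Stand-alone demo on the constructed fixture.
main() {
  d=$(mktemp -d)
  make_fixture "$d"
  csr_matches_key "$d/myCACertificate.csr" "$d/my-server.key.pem" && echo "CSR matches my-server.key.pem"
  cert_matches_key "$d/mySplunkUBAWebCert.pem" "$d/my-server.key.pem" && echo "certificate matches my-server.key.pem"
  cert_matches_key "$d/mySplunkUBAWebCert.pem" "$d/other.key.pem" || echo "certificate does NOT match other.key.pem (expected)"
  rm -rf "$d"
}
main "$@"
```

On a real management server the same functions apply to the files in your certificate directory, for example `cert_matches_key mySplunkUBAWebCert.pem my-server.key.pem` run from /var/vcap/store/caspida/certs/mycerts before the copy in step 6 of the next procedure. Comparing public-key digests rather than RSA moduli keeps the check valid for EC keys as well.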

Add a new certificate to Splunk UBA

After you have a third-party signed certificate, add it to Splunk UBA to use it instead of the self-signed certificate included with Splunk UBA.

  1. From the command line of the Splunk UBA management server, log in as the caspida user using SSH.
  2. Perform this step only on Ubuntu systems. If you are not using Ubuntu, skip to Step 3.
    1. Install the PEM-formatted root or issuing <certificate>.crt file into the /usr/local/share/ca-certificates folder.
    2. Run the following command to install the certificates:
      sudo update-ca-certificates
    3. Verify that the certificates are properly converted to PEM format in /etc/ssl/certs.
  3. Stop the Splunk UBA Resources Monitor.
    sudo service caspida-resourcesmonitor stop
  4. Stop the Splunk UBA web interface.
    sudo service caspida-ui stop
  5. Back up my-server.crt.pem as my-server.crt.pem_<hhmmMMDDYYYY>. For example:
    sudo cp -p /var/vcap/store/caspida/certs/mycerts/my-server.crt.pem /var/vcap/store/caspida/certs/mycerts/my-server.crt.pem_170010042018
  6. Copy the third-party signed certificate mySplunkUBAWebCert.pem to your custom location under the /var/vcap/store/caspida/certs directory as my-server.crt.pem. For example:
    sudo mv -f /var/vcap/store/caspida/certs/mycerts/mySplunkUBAWebCert.pem /var/vcap/store/caspida/certs/mycerts/my-server.crt.pem
  7. Back up my-root-ca.crt.pem as my-root-ca.crt.pem_<hhmmMMDDYYYY>. For example:
    sudo cp -p /var/vcap/store/caspida/certs/mycerts/my-root-ca.crt.pem /var/vcap/store/caspida/certs/mycerts/my-root-ca.crt.pem_170010042018
  8. Copy the root certificate returned by your CA (rootCA, if present) to your custom location under the /var/vcap/store/caspida/certs directory as my-root-ca.crt.pem. For example:
    sudo mv -f /var/vcap/store/caspida/certs/mycerts/rootCA /var/vcap/store/caspida/certs/mycerts/my-root-ca.crt.pem
  9. Assign the appropriate permissions to the certs directory.
    sudo chmod 644 /var/vcap/store/caspida/certs/mycerts/*
  10. Update /etc/caspida/local/conf/uba-site.properties with the paths and file names of your root CA certificate, private key, and server certificate. For example:
    ui.auth.rootca=/var/vcap/store/caspida/certs/mycerts/EXAMPLEROOTCA2.pem
    ui.auth.privateKey=/var/vcap/store/caspida/certs/mycerts/examplehostnamep.key
    ui.auth.serverCert=/var/vcap/store/caspida/certs/mycerts/examplehostnamep_pub.pem
    
  11. In distributed deployments, run the following command to synchronize the cluster:
    /opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
  12. Start the Splunk UBA web interface and the Splunk UBA resources monitor.
    sudo service caspida-ui start
    sudo service caspida-resourcesmonitor start
  13. Log in to the Splunk UBA web interface to confirm that you successfully added the certificate and do not see any certificate errors. You can also view the certificate from your web browser.
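The browser check in step 13 only runs once caspida-ui is back up, and the 365-day expiry of the bundled self-signed certificate described under "Renew the self-signed certificate included with Splunk UBA" is easy to miss until the web interface starts showing errors. The following script is an added example, not part of Splunk UBA: it reads the three ui.auth.* properties from a uba-site.properties file, checks that each file is readable, verifies with openssl that the server certificate chains to the configured root CA, checks that the certificate stays valid for a minimum number of days, and reports the private key's file mode (step 9 sets 644 on every file in the directory, which leaves the private key readable by every local account). The property names are the ones this page uses; the CA, server certificate and properties file it builds in a temporary directory are constructed stand-ins, and the BSD stat fallback is an assumption.

```shell
#!/bin/sh
# Added example, not part of Splunk UBA: pre-flight checks on the certificate
# files named in uba-site.properties before caspida-ui is started. Verifies the
# three files are readable, that the server certificate chains to the configured
# root CA, that it stays valid for at least MIN_DAYS more days (the bundled
# self-signed certificate expires 365 days after first use), and reports the
# private key's file mode. Property names are the ones the documentation uses;
# every path in the fixture is constructed for this demo.

# get_prop FILE KEY: value of the last "KEY=value" line in a properties file.
get_prop() {
  grep "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# cert_valid_for_days CERT DAYS: succeed if CERT does not expire within DAYS days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# cert_chains_to_root CERT ROOT: succeed if CERT verifies against the CA file ROOT.
cert_chains_to_root() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# key_mode FILE: permission bits in octal (GNU stat; BSD stat fallback assumed).
key_mode() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# check_uba_certs PROPS [MIN_DAYS]: run all checks, one result line each, and
# return the number of failed checks (0 = ready to start the web interface).
check_uba_certs() {
  props=$1; min_days=${2:-30}; fails=0
  root=$(get_prop "$props" ui.auth.rootca)
  key=$(get_prop "$props" ui.auth.privateKey)
  cert=$(get_prop "$props" ui.auth.serverCert)
  for f in "$root" "$key" "$cert"; do
    if [ -n "$f" ] && [ -r "$f" ]; then echo "ok    readable: $f"
    else echo "FAIL  missing or unreadable: '$f'"; fails=$((fails + 1)); fi
  done
  [ "$fails" -eq 0 ] || return "$fails"
  if cert_chains_to_root "$cert" "$root"; then echo "ok    server cert verifies against $root"
  else echo "FAIL  server cert does not verify against $root"; fails=$((fails + 1)); fi
  if cert_valid_for_days "$cert" "$min_days"; then echo "ok    server cert valid for at least $min_days days"
  else echo "FAIL  server cert expires within $min_days days; renew it"; fails=$((fails + 1)); fi
  echo "info  private key mode $(key_mode "$key") (644 leaves it readable by every local account)"
  return "$fails"
}

# make_fixture DIR: constructed CA, a server cert it signed, an unrelated CA, and
# a properties file pointing at them (stand-ins, not real Splunk UBA files).
make_fixture() {
  d=$1
  openssl req -x509 -new -newkey rsa:2048 -nodes -subj "/O=Example/CN=Example Root CA" \
    -days 3650 -keyout "$d/ca.key" -out "$d/my-root-ca.crt.pem" 2>/dev/null
  openssl req -x509 -new -newkey rsa:2048 -nodes -subj "/O=Other/CN=Unrelated Root CA" \
    -days 3650 -keyout "$d/other-ca.key" -out "$d/other-root-ca.crt.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/C=US/ST=CA/L=San Francisco/O=Splunk/CN=uba-17.sv.splunk.com" \
    -keyout "$d/my-server.key.pem" -out "$d/my-server.csr" 2>/dev/null
  openssl x509 -req -in "$d/my-server.csr" -CA "$d/my-root-ca.crt.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 365 -out "$d/my-server.crt.pem" 2>/dev/null
  chmod 644 "$d"/*   # mirrors step 9 of the procedure
  printf 'ui.auth.rootca=%s\nui.auth.privateKey=%s\nui.auth.serverCert=%s\n' \
    "$d/my-root-ca.crt.pem" "$d/my-server.key.pem" "$d/my-server.crt.pem" > "$d/uba-site.properties"
}

# Stand-alone demo on the constructed fixture; on a real host point it at
# /etc/caspida/local/conf/uba-site.properties instead.
main() {
  d=$(mktemp -d)
  make_fixture "$d"
  check_uba_certs "$d/uba-site.properties" 30; echo "failed checks: $?"
  rm -rf "$d"
}
main "$@"
```

Run `check_uba_certs /etc/caspida/local/conf/uba-site.properties 30` between steps 10 and 12 (before the cluster sync in a distributed deployment, so a bad path is not copied to every node); a non-zero return means the web interface should not be started yet. The expiry check uses `openssl x509 -checkend`, which is also a convenient way to see how close the bundled self-signed certificate is to its 365-day limit.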
Last modified on 26 January, 2023

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1

