| CARVIEW |
Securing Splunk Enterprise
- Install Splunk Enterprise securely
- Secure your admin account
- About TLS encryption and cipher suites
- Securing Splunk Enterprise with FIPS
- About default certificate authentication
- Secure Splunk Enterprise on your network
- Disable unnecessary Splunk Enterprise components
- Secure Splunk Enterprise service accounts
- Deploy secure passwords across multiple servers
- Harden the network port that App Key Value Store uses
- Some best practices for your servers and operating system
- Use access control to secure Splunk data
- About user authentication
- About configuring role-based user access
- About defining roles with capabilities
- Add and edit roles with Splunk Web
- Add and edit roles with authorize.conf
- Configure access to manager consoles and apps in Splunk Enterprise
- Find existing users and roles
- Delete all user accounts
- Secure access for Splunk knowledge objects
- Use network access control lists to protect your deployment
- Set up user authentication with LDAP
- Manage Splunk user roles with LDAP
- LDAP prerequisites and considerations
- Secure LDAP authentication with transport layer security (TLS) certificates
- How the Splunk platform works with multiple LDAP servers for authentication
- Configure LDAP with Splunk Web
- Map LDAP groups to Splunk roles in Splunk Web
- Configure LDAP with the configuration file
- Map LDAP groups and users to Splunk roles using configuration files
- Test your LDAP configuration on Splunk Enterprise
- Change authentication schemes from native to LDAP on Splunk Enterprise
- Remove an LDAP user safely on Splunk Enterprise
- Configure single sign-on with SAML
- Configure SSO with PingIdentity as your SAML identity provider
- Configure SSO with Okta as your identity provider
- Configure SSO with Microsoft Azure AD or AD FS as your Identity Provider
- Configure SSO with OneLogin as your identity provider
- Configure SSO with Optimal as your identity provider
- Configure SSO in Computer Associates (CA) SiteMinder
- Secure SSO with TLS certificates
- Configuring SAML in a search head cluster
- Configure Ping Identity with leaf or intermediate SSL certificate chains
- Configure SAML SSO for other IdPs
- Configure advanced settings for SSO
- Map groups on a SAML identity provider to Splunk roles
- Modify or remove role mappings
- Configure SAML SSO in the configuration files
- Troubleshoot SAML SSO
- Self Signed Certificates in splunk
- How to make the https splunk web load with self-si...
- How to make my computer trust splunkd's own self-s...
- How do I set up SSL forwarding with new, self-sign...
- How to use REST API over port 8089 with the Splunk...
- Http Event Collector (HEC): SSL Self Signed Certif...
- Splunk Self Signed Certificates
- How to deploy self-signed certs to deployment clie...
- Self-signed certificate without warnings?
- Splunk Self-signed Certificate Error. Error settin...
How to self-sign certificates
This topic describes one way you can use OpenSSL to self-sign certificates for securing forwarder-to-indexer and Inter-Splunk communication.
If you already possess or know how to generate the needed certificates, you can skip this topic and go directly to the configuration steps, described later in this manual:
- How to prepare your signed certificates for Splunk
- Configure Splunk forwarding to use your own certificates
- About securing inter-Splunk communication
Self-signed certificates are best for data communication that occurs within an organization or between known entities. If you communicate with unknown entities, we recommend CA-signed certificates to secure your data.
Before you begin
In this discussion, $SPLUNK_HOME refers to the Splunk Enterprise installation directory:
- For Windows, Splunk software is installed in
C:\Program Files\splunkby default - For most Unix platforms, the default installation directory is at
/opt/splunk - For Mac OS, it is
/Applications/splunk
See the Administration Guide to learn more about working with Windows and *nix.
Create a new directory for your certificates
Create a new directory to work from when creating your certificates. In our example, we are using $SPLUNK_HOME/etc/auth/mycerts:
# mkdir $SPLUNK_HOME/etc/auth/mycerts # cd $SPLUNK_HOME/etc/auth/mycerts
This ensures you do not overwrite the Splunk-provided certificates that reside in $SPLUNK_HOME/etc/auth.
Create the root certificate
First you create a root certificate that serves as your root certificate authority. You use this root CA to sign the server certificates that you generate and distribute to your Splunk instances.
Generate a private key for your root certificate
1. Create a key to sign your certificates.
In *nix:
$SPLUNK_HOME/bin/splunk cmd openssl genrsa -aes256 -out myCAPrivateKey.key 2048
In Windows:
$SPLUNK_HOME\bin\splunk cmd openssl genrsa -aes256 -out myCAPrivateKey.key 2048
2. When prompted, create a password for the key.
When the step is completed, the private key myCAPrivateKey.key appears in your directory.
Generate and sign the certificate
1. Generate a new Certificate Signing Request (CSR):
In *nix:
$SPLUNK_HOME/bin/splunk cmd openssl req -new -key myCAPrivateKey.key -out myCACertificate.csr
In Windows:
$SPLUNK_HOME\bin\splunk cmd openssl req -new -key myCAPrivateKey.key -out myCACertificate.csr
2. When prompted, enter the password you created for the private key in $SPLUNK_HOME/etc/auth/mycerts/myCAPrivateKey.key.
3. Provide the requested certificate information, including the common name if you plan to use common name checking in your configuration.
A new CSR myCACertificate.csr appears in your directory.
4. Use the CSR myCACertificate.csr to generate the public certificate:
In *nix:
$SPLUNK_HOME/bin/splunk cmd openssl x509 -req -in myCACertificate.csr -sha512 -signkey myCAPrivateKey.key -CAcreateserial -out myCACertificate.pem -days 1095
In Windows:
$SPLUNK_HOME\bin\splunk cmd openssl x509 -req -in myCACertificate.csr -sha512 -signkey myCAPrivateKey.key -CAcreateserial -out myCACertificate.pem -days 1095
5. When prompted, enter the password for the private key myCAPrivateKey.key.
A new file myCACertificate.pem appears in your directory. This is the public CA certificate that you will distribute to your Splunk instances.
Create the server certificate
Now that you have created a root certificate to serve as your CA, you must create and sign your server certificate.
A note about common name checking
This topic shows you how to create a new private key and server certificate.
You can distribute this server certificate to all forwarders, indexers as well your Splunk instances that communicate on the management port. If you plan to use a different common name for each instance, you simply repeat the process described here to create different certificates (each with a different common name) for your Splunk instances.
For example, if configuring multiple forwarders, you can use the following example to create the certificate myServerCertificate.pem for your indexer, then create another certificate myForwarderCertificate.pem using the same root CA and install that certificate on your forwarder. Note that an indexer will only accept a properly generated and configured certificate from a forwarder that is signed by the same root CA.
See Configure Splunk forwarding to use your own certificates for more information about configuring your forwarders and indexers.
Generate a key for your server certificate
1. Generate a new RSA private key for your server certificate. In this example we are again using AES encryption and a 2048 bit key length:
In *nix:
$SPLUNK_HOME/bin/splunk cmd openssl genrsa -aes256 -out myServerPrivateKey.key 2048
In Windows:
$SPLUNK_HOME\bin\splunk cmd openssl genrsa -aes256 -out myServerPrivateKey.key 2048
2. When prompted, create a new password for your key.
A new key myServerPrivateKey.key is created. You will use this key to encrypt the outgoing data on any Splunk Software instance where you install it as part of the server certificate.
Generate and sign a new server certificate
1. Use your new server private key myServerPrivateKey.key to generate a CSR for your server certificate.
In *nix:
$SPLUNK_HOME/bin/splunk cmd openssl req -new -key myServerPrivateKey.key -out myServerCertificate.csr
In Windows:
$SPLUNK_HOME\bin\splunk cmd openssl req -new -key myServerPrivateKey.key -out myServerCertificate.csr
2. When prompted, provide the password to the private key myServerPrivateKey.key.
3. Provide the requested information for your certificate, including a Common Name if you plan to configure Splunk Software to authenticate via common-name checking.
A new CSR myServerCertificate.csr appears in your directory.
4. Use the CSR myServerCertificate.csr and your CA certificate and private key to generate a server certificate.
In *nix:
$SPLUNK_HOME/bin/splunk cmd openssl x509 -req -in myServerCertificate.csr -SHA256 -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out myServerCertificate.pem -days 1095
In Windows:
$SPLUNK_HOME\bin\splunk cmd openssl x509 -req -in myServerCertificate.csr -SHA256 -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out myServerCertificate.pem -days 1095
5. When prompted, provide the password for the certificate authority private key myCAPrivateKey.key. Make sure to sign this with your private key and not the server key you just created.
A new public server certificate myServerCertificate.pem appears in your directory.
Next steps
You should now have the following files in the directory you created, which is everything you need to configure indexers, forwarders, and Splunk instances that communicate over the management port:
myServerCertificate.pemmyServerPrivateKey.keymyCACertificate.pem
Now that you have the certificates you need, prepare your server certificate (including appending any intermediate certificates), and then configure Splunk to find and use them:
- See How to prepare your signed certificates for Splunk to learn how to set up your certificates to work with Splunk.
- See Configure Splunk forwarding to use your own certificates to learn more about configuring certificate authentication for forwarding.
- See About securing inter-Splunk communication to learn more about configuring certificate authentication for Splunk to Splunk communications.
| Avoid unintentional execution of fields within CSV files in third party applications | How to obtain certificates signed by a third-party for inter-Splunk communication |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12
Comments
Download manual
How to self-sign certificates
You must be logged into splunk.com in order to post comments. Log in now.
Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.
Your Comment Has Been Posted Above
Feedback submitted, thanks!