Securing Splunk Enterprise
Obtain certificates signed by a third-party for Splunk Web
On Splunk Enterprise only, you can create and have a third party sign certificates necessary to configure Splunk Web for SSL authentication and encryption.
There are multiple ways you can create these certificates, depending upon your organization's policies, your network structure, and the tools that you are using to create the certificates.
If you have already generated these certificates and keys, or if you are experienced with creating third-party certificates, you can skip this step and go directly to the configuration topic in this manual at Secure Splunk Web with your own certificate.
Prerequisites
Before you attempt to perform the commands in this procedure, you must understand what the $SPLUNK_HOME directory means. In this procedure, $SPLUNK_HOME refers to the Splunk Enterprise installation directory.
- For Windows, the default installation directory is C:\Program Files\splunk.
- For most *nix platforms, the default installation directory is /opt/splunk.
- For Mac OS, the default installation directory is /Applications/splunk.
You must also have experience using either a shell prompt (on Unix) or a command prompt or PowerShell window (on Windows).
Create a new private key file
- Create a new directory to host the certificates and keys. This example uses $SPLUNK_HOME/etc/auth/mycerts. Place your new certificates in a different directory than $SPLUNK_HOME/etc/auth/splunkweb so that you don't overwrite the existing certificates. This ensures that you can use the certificates that ship with Splunk for other Splunk components as necessary.
- Generate a new private key. Splunk Web supports 2048-bit and longer keys.
  Unix command: $SPLUNK_HOME/bin/splunk cmd openssl genrsa -aes256 -out mySplunkWebPrivateKey.key 2048
  Windows command: $SPLUNK_HOME\bin\splunk cmd openssl genrsa -aes256 -out mySplunkWebPrivateKey.key 2048
- When the OpenSSL command prompts you, enter a passphrase to protect the key. A new private key file mySplunkWebPrivateKey.key appears in your directory. You can use this key file to sign your CSR.
- Remove the password from the private key. You must do this because Splunk Web does not support private key passwords.
  Unix command: $SPLUNK_HOME/bin/splunk cmd openssl rsa -in mySplunkWebPrivateKey.key -out mySplunkWebPrivateKey.key
  Windows command: $SPLUNK_HOME\bin\splunk cmd openssl rsa -in mySplunkWebPrivateKey.key -out mySplunkWebPrivateKey.key
  You can use the following command to confirm that the password was successfully removed:
  openssl rsa -in mySplunkWebPrivateKey.key -text
  If the password was successfully removed, you can view the key's contents without providing a password.
Create a Certificate Authority (CA) request and obtain your server certificate
- Create a new certificate signature request using your private key file mySplunkWebPrivateKey.key:
  Unix command: $SPLUNK_HOME/bin/splunk cmd openssl req -new -key mySplunkWebPrivateKey.key -out mySplunkWebCert.csr
  Windows command: $SPLUNK_HOME\bin\splunk cmd openssl req -new -key mySplunkWebPrivateKey.key -out mySplunkWebCert.csr
  If you receive an error similar to the following:
  Unable to load config info from c:\\build-amd64-5.0.2-20130120-1800\\splunk/ssl/openssl.cnf
  try typing the following in your command prompt, then run the openssl command again:
  set OPENSSL_CONF=c:/Program Files/Splunk/openssl.cnf
- Use the CSR file mySplunkWebCert.csr to request a new signed certificate from your Certificate Authority (CA). The process for requesting a signed certificate varies depending on how your Certificate Authority handles a certificate signature request. Contact your CA for more information.
- When your CA advises you that your certificate is ready, download the certificate from the CA. This example uses the name mySplunkWebCert.pem for the downloaded file.
- Download your Certificate Authority public CA certificate. This example uses the name myCAcert.pem for this file.
- Confirm that both the server certificate and the public CA certificate are in privacy-enhanced mail (PEM) format. If the certificates are not in PEM format, convert them using the openssl command appropriate to your existing file type. Following is an example of the commands that you can use for Distinguished Encoding Rules (DER) formats:
  $SPLUNK_HOME/bin/splunk cmd openssl x509 -in mySplunkWebCert.crt -inform DER -out mySplunkWebCert.pem -outform PEM
  $SPLUNK_HOME\bin\splunk cmd openssl x509 -in myCACert.crt -inform DER -out myCACert.pem -outform PEM
- Check both certificates to confirm they have the necessary information and do not have a password associated with them.
  Unix commands:
  $SPLUNK_HOME/bin/splunk cmd openssl x509 -in myCACert.pem -text
  $SPLUNK_HOME/bin/splunk cmd openssl x509 -in mySplunkWebCert.pem -text
  Windows commands:
  $SPLUNK_HOME\bin\splunk cmd openssl x509 -in myCACert.pem -text
  $SPLUNK_HOME\bin\splunk cmd openssl x509 -in mySplunkWebCert.pem -text
  The issuer information for mySplunkWebCert.pem should be the subject information for myCACert.pem, unless you are using intermediate certificates.
Combine your certificate and keys into a single file
Combine your server certificate and public certificate, in that order, into a single PEM file.
Set up certificate chains
To use multiple certificates, append the intermediate certificate to the end of the server's certificate file in the following order:
[ server certificate ]
[ intermediate certificate ]
[ root certificate (if required) ]
For example, a certificate chain might look like the following:
-----BEGIN CERTIFICATE-----
... (certificate for your server) ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the intermediate certificate) ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the root certificate for the CA) ...
-----END CERTIFICATE-----
The root CA that signed the intermediate certificate and all intermediate certificates must be in browser certificate stores.
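The following POSIX shell script is an added example and is not part of this Splunk documentation or of Splunk's own tooling. It rehearses the whole procedure above (the private key and passphrase removal from "Create a new private key file", the issuer-versus-subject check from "Create a Certificate Authority (CA) request and obtain your server certificate", and the file ordering from "Set up certificate chains") against a throw-away local CA, so that each check can be run offline before any file is copied into $SPLUNK_HOME/etc/auth/mycerts. It assumes the openssl CLI is on PATH; the self-signed CA it creates stands in for the third-party CA, and the subjects, passphrase and working directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not Splunk's own code. Assumptions: openssl CLI on PATH, a
# local self-signed CA standing in for the third-party CA, constructed names.
set -eu

WORK="${WORK:-$(mktemp -d)}"
WEB_SUBJECT="/CN=splunkweb.example.test"   # constructed subject for the server cert
CA_SUBJECT="/CN=Example Lab CA"            # constructed subject for the stand-in CA

# Step 1: generate a passphrase-protected 2048-bit RSA key (as the page does with
# genrsa -aes256), then strip the passphrase, because Splunk Web cannot load a
# protected key. The passphrase is supplied on the command line here only to
# keep the rehearsal non-interactive.
make_web_key() {
    openssl genrsa -aes256 -passout pass:TempPassphrase \
        -out "$WORK/protected.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/protected.key" -passin pass:TempPassphrase \
        -out "$WORK/mySplunkWebPrivateKey.key" 2>/dev/null
}

# Returns 0 only when the key loads with an empty passphrase, i.e. the passphrase
# really was removed. A still-protected key fails here instead of prompting.
key_has_no_passphrase() {
    openssl rsa -in "$1" -passin pass: -noout 2>/dev/null
}

# Step 2: a self-signed CA that plays the role of the third-party CA.
make_local_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -subj "$CA_SUBJECT" -days 1 -out "$WORK/myCAcert.pem" 2>/dev/null
}

# Step 3: CSR from the unprotected key, signed by the CA into a PEM certificate.
make_csr_and_sign() {
    openssl req -new -key "$WORK/mySplunkWebPrivateKey.key" -subj "$WEB_SUBJECT" \
        -out "$WORK/mySplunkWebCert.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/mySplunkWebCert.csr" -CA "$WORK/myCAcert.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/mySplunkWebCert.pem" 2>/dev/null
}

# Print a certificate's issuer or subject in RFC 2253 form with the
# "issuer=" / "subject=" label removed, so the two can be compared as strings.
name_of() {  # $1 = issuer|subject, $2 = certificate file
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# The page's check: the server certificate's issuer must equal the CA's subject
# (with an intermediate CA it would equal the intermediate's subject instead).
issuer_matches_ca() {  # $1 = server cert, $2 = CA cert
    issuer=$(name_of issuer "$1")
    subject=$(name_of subject "$2")
    [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
}

# The private key and the signed certificate must carry the same public key;
# a mismatch here is the usual cause of Splunk Web refusing the pair.
key_matches_cert() {  # $1 = certificate file, $2 = key file
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Step 4: combined file in the order the page gives: server certificate first,
# then intermediates (none with this CA), then the root.
build_chain() {
    cat "$WORK/mySplunkWebCert.pem" "$WORK/myCAcert.pem" > "$WORK/mySplunkWebChain.pem"
}

# openssl x509 reads only the first PEM block, so this confirms the server
# certificate leads the combined file.
first_cert_is_server() {
    [ "$(name_of subject "$WORK/mySplunkWebChain.pem")" = "CN=splunkweb.example.test" ]
}

cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# The leaf must chain to the CA that browsers are expected to trust.
chain_verifies() {
    openssl verify -CAfile "$WORK/myCAcert.pem" "$WORK/mySplunkWebCert.pem" >/dev/null 2>&1
}

rehearse_workflow() {
    make_web_key
    make_local_ca
    make_csr_and_sign
    build_chain
    key_has_no_passphrase "$WORK/mySplunkWebPrivateKey.key"
    issuer_matches_ca "$WORK/mySplunkWebCert.pem" "$WORK/myCAcert.pem"
    key_matches_cert "$WORK/mySplunkWebCert.pem" "$WORK/mySplunkWebPrivateKey.key"
    first_cert_is_server
    chain_verifies
    echo "all checks passed; chain file $WORK/mySplunkWebChain.pem holds $(cert_count "$WORK/mySplunkWebChain.pem") certificates"
}

rehearse_workflow
```

Against a real third-party CA you would skip make_local_ca and make_csr_and_sign, drop the downloaded mySplunkWebCert.pem and myCAcert.pem into $WORK, and run only the check functions; with an intermediate CA, pass the intermediate certificate as the second argument to issuer_matches_ca and concatenate it between the server and root certificates in build_chain.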
Next steps
After you have created the certificate chains, you can then use them with Splunk Enterprise and Splunk Web. The web.conf configuration file lets you use your certificates for authentication. See Secure Splunk Web with your own certificate for more information.
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12